Security & HITRUST
Outcome maintains a rigorous security plan involving a third-party assessment from HITRUST. Outcome holds a HITRUST R2 certification, which is the most involved level offered by HITRUST.
For HIE clients who also pursue HITRUST R2 certification, we participate in the HITRUST inheritance program allowing the client to simplify their assessment process for our platform and components. Our HITRUST R2 certification report is available on request.
We utilize the following Administrative Safeguards:
- Role-Based Access Control (RBAC): Access to PHI is limited to authorized personnel
- Audit Logs: Detailed logs track user activities with PHI
- Security Training: Regular staff training on PHI protection responsibilities
- Incident Response Plan: A defined plan for addressing security incidents
Technical Safeguards:
- Data Encryption: Strong encryption for data at rest and in transit
- Access Controls: Enforced based on the principle of least privilege
- Audit Logs: Comprehensive logs for monitoring PHI activities
- EDR / Endpoint Detection and Response
- SIEM / Security Information and Event Management
- SAST / Static Application Security Testing
- DAST / Dynamic Application Security Testing
- Realtime Vulnerability Scanning and Timed Remediation Processes
- Periodic Penetration Testing
Physical Safeguards:
- Access Controls: Restricted physical access using key cards and biometric scanners
- Surveillance: Security systems monitor sensitive areas
- Secure Disposal: Procedures for secure disposal of documents containing PHI