Certifications & Standards
Privacy and security are core priorities at Onpoint, which is why our systems and solutions are built with rigorous safeguards, continuous monitoring, and proactive privacy protections.
Guided by national and federal frameworks, our security practices are embedded in both our technology infrastructure and our corporate culture, ensuring that our clients’ data are protected throughout collection, transmission, processing, delivery, and reporting.
Our robust Information Security Program has successfully achieved both HITRUST CSF® Certification – the elite, gold standard in health data security – and Qualified Entity Certification Program (QECP) security compliance from the U.S. Centers for Medicare & Medicaid Services (CMS).
HITRUST is a healthcare-specific common security framework that covers security requirements from the International Organization for Standardization (ISO), the U.S. National Institute of Standards and Technology (NIST), the U.S. Health Insurance Portability and Accountability Act (HIPAA), and other leading standards.
Onpoint is the CMS Data Custodian for many of our clients, offering more than 15 years’ experience successfully satisfying all terms and conditions contained in our clients’ negotiated Data Use Agreements and Data Management Plans with CMS.
Secure Solutions Using Best Practices
Onpoint’s systems and solutions are deployed exclusively within Amazon Web Services (AWS) using FedRAMP-compliant, SOC 2-certified cloud services and industry-leading physical and technical protections. All systems are designed with layered security architecture to ensure the confidentiality and integrity of protected data. Safeguards include:
End-to-End Encryption
Sensitive data are encrypted both at rest and in transit using NIST-approved algorithms, additional encryption layers, and secure transmission protocols.
Isolated Storage
Each client’s data are hosted in isolated environments within virtual private clouds that are separated into distinct functional tiers and protected using layered firewalls and Intrusion Detection and Prevention Systems.
Deliberate Redundancy
Encrypted, automated nightly backups are performed for all production databases, and disaster recovery tests are regularly conducted to confirm continuity and rapid restoration capabilities.
Continuous Monitoring
Onpoint employs continuous monitoring through cloud-certified engineers and trusted third-party security partners. Logs are analyzed in real time to detect and respond to anomalies, and all systems undergo regular external penetration testing and third-party audits.
Role-Based Access
Data access is rigorously controlled using role-based privileges, “minimum necessary” standards, and multi-factor authentication (MFA) for all user and administrator endpoints.
Ongoing Vigilance
Onpoint’s staff undertakes mandatory, annual HIPAA, HITECH, and security awareness training, supplemented by ongoing phishing simulation exercises, logging of all system activity, third-party testing, and monthly meetings of our security team to review evolving threats, emerging risks, and corrective actions.