Security, privacy, and compliance

Healthcare data protection, built for trust.

Prime Health Services protects client data through administrative, technical, and physical safeguards reviewed and attested annually through SOC 2 Type II.

SOC 2 Type II | HIPAA Aligned | FIPS 140-2 | U.S. Operations
01

Security by design

Controls are built into applications, infrastructure, monitoring, access, and response operations.

02

Privacy governance

Client data is managed through confidentiality, integrity, availability, and role-based access principles.

03

Compliance alignment

Programs align with SOC 2, HIPAA, and CIS Critical Security Controls to support client expectations.

04

Vendor oversight

Vetted subprocessors are reviewed annually as part of Prime Health Services vendor risk management.

Layered protection across systems, data, and operations.

Prime Health Services incorporates security by design and maintains multiple complementary layers of protection across client, server, data, and transmission environments.

01

Encryption

Data is protected in transit using TLS or SFTP and at rest using FIPS 140-2 aligned controls. Encryption keys are held under restricted access, and device encryption is enforced on endpoints where applicable.

02

Access controls

Access is governed by least-privilege role-based access control (RBAC) with unique user IDs, 15-minute inactivity timeouts, account lockout after five invalid login attempts, MFA for remote VPN and administrative access, and enterprise SSO through Microsoft Entra ID (formerly Azure AD).

03

Monitoring and logging

Application audit logs are retained online for at least 180 days and are supported by centralized monitoring and alerting, email protections, and endpoint protections.

04

Vulnerability management

Monthly vulnerability scans, monthly remediation reviews, annual third-party penetration testing, and periodic phishing assessments support ongoing readiness.

05

Incident response

A documented incident response plan covers triage, containment, eradication, recovery, lessons learned, severity categories, regulatory or client notifications, and business continuity exercises.

Data governance designed around responsible use.

Prime Health Services treats privacy as an essential principle across the data lifecycle, including cloud and on-premises environments, support processes, and role-based access controls.

01

Data classification

PHI is always treated as Confidential and protected with heightened safeguards across its lifecycle.

02

Retention and auditability

Client confidential and sensitive information is retained per contract and policy, with a baseline retention period of up to seven years.

03

Secure disposal

Media and paper containing confidential data are destroyed using approved methods with chain-of-custody evidence. Assets are sanitized before reuse or disposal.

Attested controls and healthcare-focused compliance alignment.

Prime Health Services security and privacy measures support client requirements and essential healthcare privacy standards through recurring reviews, training, and formal compliance programs.

01

SOC 2 Type II

Annual examinations cover Security, Availability, and Confidentiality. Reports are available to clients.

02

HIPAA alignment

Operations are aligned with the HIPAA Security, Privacy, and Breach Notification Rules, with obligations formalized and enforced through Business Associate Agreements (BAAs).

03

Industry alignment

The program is mapped to CIS Critical Security Controls Implementation Group 3 to guide continuous improvement.

04

Employee training

Employees complete required data protection and privacy training to support consistent operational safeguards.

Subprocessor oversight

Vetted partners reviewed through vendor risk management.

Prime Health Services engages vetted subprocessors to deliver services and annually reviews their security attestations, including SOC and HITRUST where applicable.

Vendor | Service | Assurance and Notes
Microsoft Azure | Cloud hosting for production applications and storage | SOC 2, FedRAMP Moderate, annual PHS review, and alignment to CMS cloud expectations for claims processing.
Acrometis | Data input services | Attestation reviewed annually, including SOC or HITRUST where applicable.
Smart Data Solutions | EDI and clearinghouse services | Attestation reviewed annually, including SOC or HITRUST where applicable.
MultiPlan | PPO network access services | Attestation reviewed annually, including SOC or HITRUST where applicable.

Need security documentation?

Clients can request applicable security reports, attestation details, and compliance documentation through their Prime Health Services representative.
