Compliance is native to everything we do. All PokitDok technology solutions, business processes, engineering development, and delivery protocols are built with integrated security and compliance at their core.
All PokitDok infrastructure components are deployed within the HIPAA compliant AWS infrastructure. PokitDok is designed with forward-looking development methodologies, focused on strategic migration interoperability, allowing deployment of our infrastructure to other cloud providers such as Microsoft Azure. This cloud agnostic development approach allows for multi-cloud deployment and a more flexible disaster recovery strategy, immune to a single cloud failure. All data at rest and in transit is encrypted for both internal and external network communications. The system is designed so that there is no single point of failure; all systems are clustered for high availability and scalability.
The HITRUST Alliance is a not-for-profit coalition founded on the belief that information protection should be core to broad adoption of health information systems and exchanges. The HITRUST CSF is the most widely adopted controls framework in the healthcare industry and the basis for the HPH Sector implementation for the NIST Cybersecurity Framework. PokitDok has not only achieved HITRUST CSF Certification but actually greatly exceeded the median healthcare industry scores for all 19 criteria that were evaluated.
PokitDok is the first healthcare software company to be accredited with the CAQH® Committee on Operating Rules for Information Exchange (CORE®) PHASE IV Certification Seal, demonstrating our commitment to modernizing the business of healthcare by streamlining the electronic exchange of administrative data. The Phase IV rules apply to prior authorizations, healthcare claims, employee premium payment, health plan enrollment and dis-enrollment, and other transactions. PokitDok uses Version 5010 of the X12 HIPAA Transaction and Code Set Standards, a set of regulations for the electronic transmission of specific healthcare transactions, including: eligibility, claim status and electronic remittance advice.
As a clearinghouse under HIPAA, PokitDok has performed self-assessments to ensure HIPAA compliance. We have developed a complete security policy derived from NIST 800-53 and maintain active business associate agreements (BAAs) with all partners for performing HIPAA compliant clearinghouse functions as well as for handling other personal health information as needed. These BAAs are encoded into the data processing systems to ensure technical compliance with every BAA.
Continual review of updated standards and regulations and how production processes and infrastructure are affected ensures a working backlog of tasks to maintain compliance.
Access to PokitDok APIs is controlled via OAuth2, and all activities (i.e. access, requests, responses) are logged within our platform for transaction-level auditing purposes. The Activities endpoint can be used to track the lifecycle of a customer transaction.
The SOC 2® Type II audit is recognized as the authoritative standard by which an organization’s controls can be evaluated for both design and operational effectiveness. The process involved a comprehensive and rigorous examination of PokitDok’s practices, policies, procedures, and tests of the controls related to the Security trust service principle, culminating in the formal report prepared by the independent auditing firm IS Partners, LLC. The SOC 2® Type II audit serves as the foundation of PokitDok’s information security and assurance strategies, with audits performed each year to ensure the controls continue to operate effectively and remain in compliance.
PokitDok's cross-departmental information security team ensures that all aspects of the business are considered when developing policy, implementing controls, or responding to an incident. Individuals responsible for implementing secure business processes and technical controls have extensive backgrounds in security. Many individuals at PokitDok have or have had active government security clearances and therefore have experience with compliance and sound security practices. We also have engineers with CISSP and GIAC certifications and operating system specific certifications. We employ engineers with deep experience in penetration testing, vulnerability detection, isolation and forensics. We also have many employees with extensive healthcare backgrounds who contribute to a broad and deep understanding of HIPAA.
PokitDok's infrastructure is developed with reliability as a core tenet. To survive internal system failures and potential external attacks, the infrastructure is built to scale and can be re-provisioned on demand. System components can be isolated and re-deployed as needed, thereby reducing the attack surface and enabling quick response to system failures. Taking a snapshot of isolated system components supports after-incident forensics and audit analysis. Services are deployed on dedicated systems, with all data at rest and all data in motion encrypted. Where needed, virtual private networks are created for partners covered under a BAA.
PokitDok's development process includes extensive automated testing to ensure system reliability. Any code changes are peer reviewed for security, functionality and other best practices. Load and functional testing is performed in three environments prior to being manually approved for deployment in production. In addition, a manual test and review environment is under constant test cycles for additional human intervention, which also includes penetration testing on our own systems.
PokitDok regularly audits internal systems for least privilege access, security vulnerability assessment, minimal network access, logging and auditing maintenance, encrypted backups, and uptime. Real-time alerting is in place for violations of system stability, intrusion detection, and auditing. A team monitors this alert system 24x7x365 and can remedy and/or escalate to other engineering or business contacts. System access is granted only through an approver process, with no single authority for access grants. Individuals are trained at least annually, with classes held monthly for employee compliance requirements.
PokitDok maintains a managed device system in which all user devices (laptops, phones, tablets) are remotely managed by PokitDok to automate enforcement of the Acceptable Use policy, including encrypted hard drives, device passwords/locking, remote data wipe, etc. PokitDok also requires 2-factor authentication for users and systems wherever possible and maintains a strong password policy, as well as an encrypted user password store with secure password generation and auditing capability.