Security and Privacy Overview
As a leading provider of data and analytics technologies and services, Health Catalyst has an unwavering commitment to deliver the highest level of information security and data privacy to its clients.
With safeguards that meet rigorous privacy certification standards, clients can rest assured that the confidentiality, integrity, and availability of their nonpublic information are protected.
Protecting Our Greatest Asset
The confidentiality, integrity, and availability of our customers’ data is the focus of our security program.
Health Catalyst adheres to the regulatory framework of the Health Insurance Portability and Accountability Act (HIPAA), with appropriate measures for storing, accessing, and sharing individual medical and personal information.
Center for Internet Security:
Health Catalyst operational standards are based on CIS baselines and benchmarks, which provide globally recognized configuration standards for cybersecurity.
Our cybersecurity approach builds on the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), a risk-management framework organized around identifying, protecting against, detecting, responding to, and recovering from security threats and risks.
Current Third-Party Audits and Certifications
The Health Catalyst SOC 2 Type II report is an independent assessment of our control environment performed by a third party. The SOC 2 report is based on the AICPA’s Trust Services Criteria and is issued annually in accordance with the AICPA’s AT Section 101 (Attest Engagements). The report covers the 12-month period of June 1 through May 31 and details the design and operating effectiveness of controls relevant to any system containing customer data as part of the Health Catalyst Cloud hosting solution. The Health Catalyst SOC 2 report addresses three of the five Trust Services Criteria categories (Security, Availability, and Confidentiality).
The American Institute of Certified Public Accountants (AICPA) developed the SOC 3 (System and Organization Controls) report as a general-use summary of the controls a service organization uses to safeguard the security, availability, confidentiality, and privacy of information it stores and processes, including in the cloud. The Health Catalyst SOC 3 report, an independent assessment of our control environment performed by a third party, is publicly available and summarizes our control environment relevant to the security, availability, and confidentiality of customer data.
Follow the below links to access our available SOC 3 reports.
SOC 3 for Health Catalyst DOS, Interoperability, Healthfinch and Able Health.
SOC 3 Vitalware
21 CFR Part 11 is the FDA’s regulation governing electronic records and electronic signatures. This compliance audit assesses Health Catalyst’s obligations as a business associate to its customers with respect to electronic records held in Health Catalyst’s data platform. Compliance with 21 CFR Part 11 is centered on data integrity: records must be maintained so that they are not altered, corrupted, or lost, and changes to them remain traceable.
HITRUST®: Leverages nationally and internationally accepted standards including ISO, NIST, PCI DSS, and HIPAA to ensure a comprehensive set of baseline security controls. Health Catalyst maintains HITRUST CSF® Certification across three of its business unit products and platforms. The platforms and supporting architecture in scope, and the HITRUST CSF versions certified, are:
- Health Catalyst, Inc. (HITRUST CSF v9.x certified on 10/22/2022): Health Catalyst Data Operating System Platform, Touchstone, Care Management, and the Business Intelligence Application Platform.
- Health Catalyst Interoperability (HITRUST CSF v9.x certified on 10/16/2020): HCI Application Suite, consisting of HCI Connect, HCI Notify, HCI Exchange, HCI Organize, and HCI Explore.
- Healthfinch (HITRUST CSF v9.x certified on 6/5/2020): Charlie Platform hosted by Amazon Web Services (AWS) and Employees’ Workstations.
EHNAC Healthcare Network Accreditation is a national standard indicating that healthcare stakeholders, including electronic healthcare networks, financial services organizations, medical billers, third-party administrators, outsourcers, ePrescribing networks, Healthcare Information Service Providers (HISPs), Practice Management Systems vendors, and others, have met or exceeded EHNAC’s criteria. The criteria include conformance with federal healthcare reform legislation, including HIPAA, HITECH/ARRA, the ACA, the Omnibus Rule, and other applicable state legislation. Further, the criteria encompass the areas of privacy, security, and confidentiality; technical performance; business practices; and resources. EHNAC accreditation is based on independent peer evaluation of an entity’s ability to perform at levels based on industry-established criteria. The accrediting process permits applicants to review their existing performance levels and to bring those levels into accordance with industry-established minimums, best practices, and applicable federal and state healthcare reform legislation.
KLAS presents a high-level overview of Censinet’s more-detailed risk assessments. This information should not replace a more thorough provider-conducted cybersecurity risk preparedness process. KLAS has invited all vendors, at no cost, to complete a full cybersecurity preparedness evaluation with Censinet, a KLAS partner specializing in risk management, assessment, and operations across the healthcare IT industry.
Visit the KLAS report to see a full breakdown.
Meet Our Security Experts
Kevin Scharnhorst, CISSP, CISM, CPHIMS
Chief Information Security Officer
Stacey Jenkins, JD
Chief Compliance Officer
“Health Catalyst has implemented best-practice data security and privacy standards to provide our clients with the highest information privacy, security, and compliance.”