SmartMatchApp HIPAA Adequacy

This table demonstrates how SmartMatchApp’s SOC2 Type 2 Controls align with the HIPAA (The U.S. Health Insurance Portability and Accountability Act). Additionally, some of the HIPAA Security Rule regulations do not apply to SmartMatchApp products and are not represented in this table. This information is provided by SmartMatchApp to assist readers in understanding the relationship between SmartMatchApp’s SOC Type 2 controls and the HIPAA Security Rule requirements and is not included or subject to the auditor’s opinion.

AA1, AA2
Unique user IDs and strong passwords are required in order to gain access to the infrastructure supporting the application (i.e. Active Directory, server and database accounts).

§164.308(a)(5)(ii)(D)
§164.312(a)(2)(i)
§164.312(d)
§164.530(c)

AA3
Multi-factor authentication (MFA) is enforced for user accounts with administrative access to the organization’s production platform.

§164.312(d)

AC1
Access to in-scope system components (application(s) and its underlying infrastructure) requires a documented access request and approval from management prior to access provisioning.

§164.308(a)(3)(i)
§164.308(a)(3)(ii)(A)
§164.308(a)(3)(ii)(B)
§164.308(a)(3)(ii)(C)
§164.308(a)(4)(i)
§164.308(a)(4)(ii)(A)
§164.308(a)(4)(ii)(B)
§164.308(a)(4)(ii)(C)
§164.312(a)(1)
§164.514(d)(1)
§164.514(d)(2)
§164.530(c)

AC2
Management utilizes an employee termination checklist to ensure that the termination process is consistently executed and access is revoked for terminated employees in a timely manner.

§164.308(a)(3)(ii)(C)
§164.312(a)(1)
§164.514(d)(1)-§164.514(d)(2)
§164.530(c)

AC3
Access to a generic administrator or privileged accounts on the databases and servers supporting the application is restricted to authorized personnel based on a role-based access scheme.

§164.308(a)(3)(i)
§164.308(a)(3)(ii)(A)
§164.312(a)(1)
§164.514(d)(1)
§164.514(d)(2)
§164.530(c)

AC4
Management performs a quarterly user access review for in-scope system components to ensure that access is restricted appropriately. Access is modified or removed in a timely manner based on the results of the review.

§164.308(a)(3)(i)
§164.308(a)(3)(ii)(B)
§164.308(a)(4)(ii)(C)
§164.312(a)(1)
§164.514(d)(1)
§164.514(d)(2)

OC11 The organization utilizes Tugboat Logic platform to manage its Information Security policies and procedures. Internal policy and procedure documents relating to security, confidentiality, and availability are maintained and made available to employees. The policies and procedure documents are reviewed and approved by management annually or during significant changes.

§164.308(a)
§164.310(a)(1)
§164.310(a)(2)(i)
§164.310(a)(2)(ii)
§164.310(a)(2)(iii)
§164.530(c)

OC12
Employees are required to complete an information security and awareness training annually.

§164.308(a)(5)(i)
§164.308(a)(5)(ii)(A)
§164.308(a)(5)(ii)(B)
§164.308(a)(5)(ii)(C)
§164.308(a)(5)(ii)(D)

CR2
Full back-ups are performed every six hours using an automated system and replicated to an offsite location. Backups are monitored for failure using an automated system.

§164.308(a)(7)(ii)(A)
§164.310(d)(2)(iv)

CR6
Business Continuity and disaster recovery plans (including restoration of backups) have been developed and tested annually. Test results are reviewed and consequently, contingency plans are updated.

§164.308(a)(7)(i)
§164.308(a)(7)(ii)(B)
§164.308(a)(7)(ii)(C)
§164.308(a)(7)(ii)(D)
§164.308(a)(7)(ii)(E)
§164.308(a)(8)
§164.310(a)(2)(i)

DP8
A data integrity policy exists that provides guidelines with respect to data integrity. The organization has a privacy policy in place which specifies that data subjects are responsible for providing complete and accurate personal information to the organization during collection or in case of any changes.

§164.312(c)(1)
§164.312(c)(2)

DP9
Organization has appointed a Privacy Officer who is accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disclosure of personal information.

§164.308(a)(2)
§164.530(a)

DS4
Formal data retention and disposal procedures are in place to guide the secure retention and disposal of information.

§164.316(b)(2) (i)
§164.414(a)
§164.508(b)(6)
§164.508(c)(1-4)
§164.310(d)(2)(i)
§164.310(d)(2)(ii)
§164.520(e)
§164.524(e)
§164.530(j)

IR2
Notifications regarding confirmed data breaches are provided to affected data subjects, regulators, and others within an acceptable timeframe to meet the organization’s privacy commitments.

§164.404(a)
§164.404(b)
§164.404(c)(1)
§164.410
§164.314(a)(2)(i)(C)
§164.412
§164.414(b)

IR3
A formal incident management process has been established and implemented which requires incidents to be tracked, documented and resolved in a complete, accurate and timely manner. The process document is reviewed by management on an annual basis and updated as required.

§164.308(a)
§164.308(a)(5)(ii)(C)
§164.308(a)(6)(i)
§164.308(a)(6)(ii)
§164.530(f)

IR4
All incidents related to security are logged, tracked and communicated to affected parties. Incidents are resolved in a timely manner in accordance to formal incident management process.

§164.308(a)
§164.308(a)(5)(ii)(C)
§164.308(a)(6)(ii)
§164.530(f)

OC1
The organization maintains an inventory of production information assets including details on asset ownership, data classification and location. The asset inventory listing is reviewed and updated by management on an as-needed basis.

§164.310(b)
§164.310(c)

OC8
The organization uses Tugboat Logic to document their internal controls and continuously monitor its effectiveness. An assessment over the effectiveness and efficiency of the internal controls, processes and policies is reviewed by management on at least an annual basis and identified deficiencies are remediated in a timely manner.

§164.316(b)(1)
§164.316(b)(2) (i)

OC9
The organization has established communication channels that allow employees to securely and anonymously report issues related to fraud, harassment and other issues impacting the organization’s ethical and integrity requirements.

§164.308(a)(1)(ii)(C)
§164.414(a)
§164.530(e)
§164.530(e)(1)
§164.530(g)

RA1
Management maintains insurance coverage through an external service provider against major financial risks for overall business.

§164.402(1)(i)-(iii)
§164.402(2)(i)-(iv)

RA2
Management performs a formal risk assessment (which includes risks related to security, fraud, regulatory and technology changes) on an annual basis or in the event of significant changes. Identified risks along with mitigation strategies are documented and implemented by the organization’s executive management.

§164.308(a)(1)(ii)(A)
§164.308(a)(1)(ii)(B)
§164.308(a)(8)

SO11
A formal network diagram outlining boundary protection mechanisms (e.g. firewalls, IDS, etc.) is maintained for all network connections and reviewed annually by IT management.

§164.312(e)(1)

SO13
An external penetration test is performed on an annual basis to identify security exploits. Issues identified are classified according to risk, analyzed and remediated in a timely manner.

§164.308(a)(8)

SO14
Logging is enabled to monitor administrative activities, logon attempts and data deletions at the application and infrastructure level. Logs are retained for forensic purposes and interrogated as needed for issue resolution.

§164.308(a)(1)(ii)(D)
§164.308(a)(5)(ii)(C)
§164.312(b)

SO15
System firewalls are configured on the application gateway and production network to limit unnecessary ports, protocols and services. Firewall rules are reviewed on an annual basis by IT management.

§164.312(e)(1)

SO17
Vulnerability scan is performed on a quarterly basis to identify threats and vulnerabilities to the production systems. Issues identified are analyzed and remediated in a timely manner.

§164.308(a)(8)

SO4
The organization uses its cloud provider key management service to encrypt data at rest and to store and manage encryption keys. Access to production access keys is restricted to authorized individuals.

§164.312(a)(2)(iv)
§164.312(c)(2)
§164.312(e)(1)
§164.312(e)(2)(i)
§164.312(e)(2)(ii)
§164.530(c)

SO5
Customer data is encrypted at rest (stored and backup) using strong encryption technologies.

§164.312(a)(2)(iv)
§164.312(c)(2)
§164.312(e)(2)(ii)
§164.530(c)

SO6
Encryption technologies are used to protect communication and transmission of data over public networks and between systems.

§164.312(a)(2)(iv)
§164.312(c)(2)
§164.312(e)(1)
§164.312(e)(2)(i)
§164.312(e)(2)(ii)
§164.530(c)

VM1
Third-party contractors working on behalf of the organization are required to sign an agreement outlining the standard code of conduct, security and confidentiality requirements.

§164.308(b)(1)
§164.308(b)(2)
§164.308(b)(3)
§164.504(e)
§164.314(a)(1)
§164.314(a)(2)(i)(C)
§164.314(a)(2)(i)(A)
§164.314(a)(2)(i)(B)
§164.314(a)(2)(i)(C)
§164.314(a)(2)(ii)
§164.410

VM2, VM3
On an annual basis, management performs reviews of SOC reports from service providers/vendors who are on a subscription-based service to review the appropriateness of scope, impact of identified exceptions, and applicable complementary user entity Controls. A vendor management process has been implemented whereby management performs risk assessments of potential new vendors and evaluates the performance of existing vendors on an annual basis. Corrective actions are taken as required based on the results of the assessments.

§164.310(a)(1)
§164.310(a)(2)(i)
§164.310(a)(2)(iv)
§164.504(e)(1)

VM4
Vendor management process has been implemented that includes security procedures to be followed in case vendor terminations.

§164.504(e)