Data Security and Privacy

Roji Health Intelligence ensures robust security and data privacy throughout Roji Health Intelligence hardware and software.

Does Roji Health Intelligence meet HIPAA Security and Privacy standards in allowing access to the Registry?

Yes, we meet or exceed all HIPAA and HITECH requirements. Access to the Roji Registry requires individual authentication and is role-based.

How does Roji Health Intelligence physically secure the data?

Roji Health Intelligence is currently transitioning storage of data from a physical ultra-secure facility to an Amazon Web Services (AWS) environment that will provide even greater security and scalability. Vastly increased EHR clinical data and new services, like Episodes and Improvements, call more data simultaneously to populate views. Our move to AWS helps to ensure that greater insights don’t come at the expense of performance.

AWS is used by the largest governmental and private organizations, including health care, and provides additional security features for Roji applications and our clients’ data. The final transition will be complete in spring 2021.

Roji Health Intelligence production servers are currently located in an ultra-secure facility meeting the highest standards in the industry. The facility is an SAS 70 II/SSAE 16 compliant co-location, and has successfully attained SOC 2 Type 2 and SOC 3 reports. We have a redundant system backup at AWS, which provides SOC 1, SOC 2, and SOC 3 reports via the AWS Artifact. Regardless of the environment, we maintain strict physical and user access restrictions to all Roji applications and data.

What data security protections exist in the processing of data?

  • All data remains encrypted while moving between the client and Roji Health Intelligence.
  • All lines of communications are required to be encrypted between the client and Roji Health Intelligence.
  • Server data security is managed using users’ access rights.
  • Separation is maintained between web server and data server.
  • Firewalls are managed using the services of security professionals.

How is data protected from hackers?

In keeping with high security standards, the web portal and database are on separate servers, to protect immediate access to the data. Data is encrypted and appears only as needed through Roji Health Intelligence Applications. Our Applications undergo routine, frequent security reviews and testing to ensure that they remain safe from hacking.

How is data shared with others?

Patient and Practice data is seen only within the client organization and is specified in Roji Health Intelligence Business Associate Agreements. Clients who participate in benchmarking may agree to see aggregate, unidentified results of other clients but no patient data is shared outside of the organized health system stipulated in the Roji Health Intelligence Services Agreement and Business Associate Agreement.

Do patients need to authorize the collection or use of patient data?

Not typically. Patient data related to quality is permissible to share under HIPAA because it is part of health care operations, as long as Business Associate Agreements and underlying practices protect its privacy to this purpose. Also, Roji Health Intelligence restricts that sensitive data which may require patient consent.

How is access to the data secured?

Role-based User Access
  • Access to the data is controlled by ‘group’ membership.
  • The client organization defines the group assignments for their users.
Logins
  • Separate provider and administrator login types.
  • All passwords are stored salted and encrypted with a one-way hash, so that passwords can be checked but cannot be read.
  • Passwords must adhere to rigid requirements.
  • Separate authentication of user prior to granting of login.

What is the 3-2-1 Rule?

The 3-2-1 Rule states the following:
  • There should be 3 copies of data
  • On 2 different storage types
  • With 1 copy being off-site

How does Roji backup its data?

At Roji Health Intelligence, we take our backups seriously. This is not just to cover CMS or HIPAA requirements, this is to satisfy ourselves; that we are actively ensuring the integrity of the data given to us, and that we are using it to verify the reporting created by the data is valid. We use the 3-2-1 Backup
Rule at Roji Health Intelligence. All of our data is encrypted at rest, both production data and static backups.

  • We have 3 copies of our data, 1 of which is the Production Dataset that you view when you
    access the Roji Registry. The other copies of data are also securely maintained and encrypted.
  • We have backups on 2 different storage types, provided by AWS.
  • We have 1 backup offsite.
  • We also run 2 different backup processes, so if 1 fails, the other will continue unimpeded.

Take the first step to build your path to success.

Contact Roji Health Intelligence