DPC Security Requirements


Ken Bradley

May 26, 2022, 2:32:15 PM
to Data at the Point of Care (DPC) Community
Hello, we're a small start-up that wants to help providers understand where their patients have received care in the past.

We want to develop the solution in the Salesforce and AWS environments, both of which are HITRUST certified. My question is: if the solution is developed in these environments, would this satisfy the security requirement for DPC production access?

Thanks so much for your response.


Data at the Point of Care (DPC) Community

Jun 3, 2022, 9:11:22 AM
to Data at the Point of Care (DPC) Community

Hi,

Thanks for the question and interest in the Data at the Point of Care (DPC) Production Pilot Program.

No, the development environment alone will not be enough to meet DPC's security requirement. According to the DPC Terms of Service, it is a requirement that the software and its associated IT systems (i.e. AWS, Salesforce, etc.) meet one or more of these security requirements:

  • Office of the National Coordinator for Health Information Technology (ONC) Health IT Certification
  • Active Health Information Trust Alliance (HITRUST) CSF Validated Assessment
    • Active HITRUST self-validation assessment (valid for one year from date of first implementation if currently pursuing the HITRUST validated assessment)
  • Electronic Healthcare Network Accreditation Commission (EHNAC) Accreditation
    • Accountable Care Organization Accreditation Program (ACOAP)
    • Data Registry Accreditation Program (DRAP)
    • DirectTrust Privacy & Security (DT P&S)
    • EHNAC Privacy & Security (EHNAC P&S)
    • Financial Services Accreditation Program for Electronic Health Networks (FSAP-EHN)
    • Financial Services Accreditation Program for Lockbox Services (FSAP-Lockbox)
    • Health Information Exchange Accreditation Program (HIEAP)
    • Healthcare Network Accreditation Program for Medical Billers (HNAP-Medical Biller)
    • Healthcare Network Accreditation Program- Third party administrator (HNAP-TPA)
    • Management Service Organization Accreditation Program (MSOAP)
    • Outsourced Services Accreditation Program (OSAP)
    • Practice Management System Accreditation Program (PMSAP)
    • Trusted Dynamic Registration & Authentication (TDRAAP) Comprehensive
    • Trusted Network Accreditation Program - Participant/Participant Member (TNAP - Participant/Member)
    • Trusted Network Accreditation Program (TNAP - QHIN)
  • System and Organization Controls (SOC) 2 certified
    • Type 1 certified (valid for one year from date of first implementation if currently pursuing Type 2)
    • Type 2 certified
  • International Organization for Standardization (ISO): 27001, 27017, or 27018 certified

Here is a link to the section of the Terms of Service being referenced:

https://dpc.cms.gov/terms-of-service#:~:text=At%20the%20time%20of%20registration%20and%20each%20time%20the%20software%20submits%2C%20requests%2C%20or%20retrieves%20information%20from%20DPC%2C%20you%20are%20attesting%2C%20subject%20to%20validation%20by%20CMS%2C%20that%20the%20software%20and%20its%20associated%20IT%20systems%20meet%20one%20or%20more%20of%20these%20security%20requirements


Thanks,

The DPC Team
