...
NACHC employs an information technology (IT) team of experienced and appropriately credentialed personnel to monitor and maintain data security and privacy. For selected security functions, NACHC partners with various information security vendors and subject matter experts. The executive sponsor for NACHC data security and privacy is the CFO. Outside of the IT team, all NACHC staff and contractors share the responsibility to ensure that data is protected and treated with the utmost respect. NACHC is exploring hiring a compliance officer. NACHC expects staff and contractors who handle health data to understand and abide by the additional requirements defined in the HIPAA Privacy and Security Rules.
...
Currently, NACHC does not undergo regular compliance reviews. NACHC is exploring hiring a compliance officer. For health data, NACHC recognizes that HIPAA compliance begins with organizational policies, procedures, and practices that are reinforced through appropriately secured technology and training of staff. As a steward of health data from other organizations, NACHC recognizes the requirement to fully comply with HIPAA, HITECH, and the data sharing agreements in place with partners. NACHC requires a data sharing agreement to be executed with any organization with which data is shared, in order to clearly define the expectations of the data provider and recipient. NACHC requested an audit of AWS assets by CloudNexa to assess their alignment with the 'Well-Architected' framework (WA), which defines best practices for security, reliability, performance efficiency, cost optimization, operational excellence, and the serverless lens.
...