Log in Join Today

9amHealth | Trust Center

Keeping our patients’ data safe is a key concern of 9amHealth. Read more about how we ensure the security and confidentiality of our patient’s data at all times.

As a healthcare company, 9amHealth stores and processes sensitive information. Protecting our patients’ health and privacy is our top concern. Security efforts at 9amHealth encompass the entire organization, including top management, suppliers, and partners. We want to be leaders in applying security best practices, meet our members’ requirements and expectations at all times, be open and transparent about our approach, and be diligent in identifying and mitigating any security issue or threat that may arise.

Do you have any questions or concerns around data security at 9amHealth? Contact us at security@join9am.com!

Compliance

  • SOC 2 badge

    SOC 2 Type II

  • HIPAA

  • HITRUST

Resources

Controls

Infrastructure security

  • Unique production database authentication enforced
  • Encryption key access restricted
  • Unique account authentication enforced

Organizational security

  • Asset disposal procedures utilized
  • Anti-malware technology utilized
  • Employee background checks performed

Product security

  • Data encryption utilized
  • Control self-assessments conducted
  • Penetration testing performed

Internal security procedures

  • Continuity and Disaster Recovery plans established
  • Continuity and disaster recovery plans tested
  • Cybersecurity insurance maintained

Data and privacy

  • Data retention procedures established
  • Customer data deleted upon leaving
  • Data classification policy established

Data collected by 9amHealth

  • Account Data (email, password, tokens)

  • Identifying Data (date of birth, name, gender, language)

  • Activity Data (events, browser data)

  • Insurance and Benefits (pharmacy, employer, PBM, prior authorizations)

  • Medical Records and Treatment Data (intake questionnaires, progress notes, treatment plans, consultations, clinical issues, prescriptions)

  • Labs (orders, requisitions, statuses, results)

  • Shipments (addresses, preferences, history)

  • Payments (payment history, billing preferences, coupons and discounts)

  • Communication (email address, phone number, emails, messages, uploaded files, customer support requests)

Resources

  • SOC 2 Type II and HIPAA Report

  • SOC 2 Type II Engagement Letter

  • HITRUST Certification Letter

  • HITRUST Validated Assessment Report

  • Penetration Test

  • Access Control Policy

  • Code of Conduct

  • Asset Management Policy

  • Human Resource Security Policy

  • Physical Security Policy

  • Data Management Policy

  • Operations Security Policy

  • Risk Management Policy

  • Business Continuity and Disaster Recovery Plan

  • Cryptography Policy

  • Incident Response Plan

  • Information Security Policy (AUP)

  • Information Security Roles and Responsibilities

  • Secure Development Policy

  • Third-Party Management Policy

  • HIPAA Compliance Policy

  • HIPAA Workstation Security Policy

  • Incident Response Plan HIPAA Addendum with Breach Notification Procedures

  • Fraud, Waste and Abuse Prevention Policy

Controls

Infrastructure security

  • CONTROL STATUS

  • Unique production database authentication enforced

    The company requires authentication to production datastores to use authorized secure authentication mechanisms, such as unique SSH key.

  • Encryption key access restricted

    The company restricts privileged access to encryption keys to authorized users with a business need.

  • Unique account authentication enforced

    The company requires authentication to systems and applications to use unique username and password or authorized Secure Socket Shell (SSH) keys.

  • Production application access restricted

    System access restricted to authorized access only

  • Access control procedures established

    The company's access control policy documents the requirements for the following access control functions:
    - adding new users;
    - modifying users; and/or
    - removing an existing user's access.

  • Production database access restricted

    The company restricts privileged access to databases to authorized users with a business need.

  • Firewall access restricted

    The company restricts privileged access to the firewall to authorized users with a business need.

  • Production OS access restricted

    The company restricts privileged access to the operating system to authorized users with a business need.

  • Production network access restricted

    The company restricts privileged access to the production network to authorized users with a business need.

  • Access revoked upon termination

    The company completes termination checklists to ensure that access is revoked for terminated employees within SLAs.

  • Unique network system authentication enforced

    The company requires authentication to the "production network" to use unique usernames and passwords or authorized Secure Socket Shell (SSH) keys.

  • Remote access MFA enforced

    The company's production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method.

  • Remote access encrypted enforced

    The company's production systems can only be remotely accessed by authorized employees via an approved encrypted connection.

  • Intrusion detection system utilized

    The company uses an intrusion detection system to provide continuous monitoring of the company's network and early detection of potential security breaches.

  • Log management utilized

    The company utilizes a log management tool to identify events that may have a potential impact on the company's ability to achieve its security objectives.

  • Infrastructure performance monitored

    An infrastructure monitoring tool is utilized to monitor systems, infrastructure, and performance and generates alerts when specific predefined thresholds are met.

  • Network segmentation implemented

    The company's network is segmented to prevent unauthorized access to customer data.

  • Network firewalls reviewed

    The company reviews its firewall rulesets at least annually. Required changes are tracked to completion.

  • Network firewalls utilized

    The company uses firewalls and configures them to prevent unauthorized access.

  • Network and system hardening standards maintained

    The company's network and system hardening standards are documented, based on industry best practices, and reviewed at least annually.

  • Service infrastructure maintained

    The company has infrastructure supporting the service patched as a part of routine maintenance and as a result of identified vulnerabilities to help ensure that servers supporting the service are hardened against security threats.

Organizational security

  • CONTROL STATUS

  • Asset disposal procedures utilized

    The company has electronic media containing confidential information purged or destroyed in accordance with best practices, and certificates of destruction are issued for each device destroyed.

  • Anti-malware technology utilized

    The company deploys anti-malware technology to environments commonly susceptible to malicious attacks and configures this to be updated routinely, logged, and installed on all relevant systems.

  • Employee background checks performed

    The company performs background checks on new employees.

  • Code of Conduct acknowledged by contractors

    The company requires contractor agreements to include a code of conduct or reference to the company code of conduct.

  • Code of Conduct acknowledged by employees and enforced

    The company requires employees to acknowledge a code of conduct at the time of hire. Employees who violate the code of conduct are subject to disciplinary actions in accordance with a disciplinary policy.

  • Confidentiality Agreement acknowledged by contractors

    The company requires contractors to sign a confidentiality agreement at the time of engagement.

  • Confidentiality Agreement acknowledged by employees

    The company requires employees to sign a confidentiality agreement during onboarding.

  • Performance evaluations conducted

    The company managers are required to complete performance evaluations for direct reports at least annually.

  • Password policy enforced

    The company requires passwords for in-scope system components to be configured according to the company's policy.

  • MDM system utilized

    The company has a mobile device management (MDM) system in place to centrally manage mobile devices supporting the service.

  • Visitor procedures enforced

    The company requires visitors to sign-in, wear a visitor badge, and be escorted by an authorized employee when accessing the data center or secure areas.

  • Security awareness training implemented

    The company requires employees to complete security awareness training within thirty days of hire and at least annually thereafter.

Product security

  • CONTROL STATUS

  • Data encryption utilized

    The company's datastores housing sensitive customer data are encrypted at rest.

  • Control self-assessments conducted

    The company performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings. If the company has committed to an SLA for a finding, the corrective action is completed within that SLA.

  • Penetration testing performed

    The company's penetration testing is performed at least annually. A remediation plan is developed and changes are implemented to remediate vulnerabilities in accordance with SLAs.

  • Data transmission encrypted

    The company uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks.

  • Vulnerability and system monitoring procedures established

    The company's formal policies outline the requirements for the following functions related to IT / Engineering:
    - vulnerability management;
    - system monitoring.

Internal security procedures

  • CONTROL STATUS

  • Continuity and Disaster Recovery plans established

    The company has Business Continuity and Disaster Recovery Plans in place that outline communication plans in order to maintain information security continuity in the event of the unavailability of key personnel.

  • Continuity and disaster recovery plans tested

    The company has a documented business continuity/disaster recovery (BC/DR) plan and tests it at least annually.

  • Cybersecurity insurance maintained

    The company maintains cybersecurity insurance to mitigate the financial impact of business disruptions.

  • Configuration management system established

    The company has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment.

  • Change management procedures enforced

    The company requires changes to software and infrastructure components of the service to be authorized, formally documented, tested, reviewed, and approved prior to being implemented in the production environment.

  • Production deployment access restricted

    The company restricts access to migrate changes to production to authorized personnel.

  • Development lifecycle established

    The company has a formal systems development life cycle (SDLC) methodology in place that governs the development, acquisition, implementation, changes (including emergency changes), and maintenance of information systems and related technology requirements.

  • SOC 2 - System Description

    Complete a description of your system for Section III of the audit report

  • Whistleblower policy established

    The company has established a formalized whistleblower policy, and an anonymous communication channel is in place for users to report potential issues or fraud concerns.

  • Board oversight briefings conducted

    The company's board of directors or a relevant subcommittee is briefed by senior management at least annually on the state of the company's cybersecurity and privacy risk. The board provides feedback and direction to management as needed.

  • Board charter documented

    The company's board of directors has a documented charter that outlines its oversight responsibilities for internal control.

  • Board expertise developed

    The company's board members have sufficient expertise to oversee management's ability to design, implement and operate information security controls. The board engages third-party information security experts and consultants as needed.

  • Board meetings conducted

    The company's board of directors meets at least annually and maintains formal meeting minutes. The board includes directors that are independent of the company.

  • Backup processes established

    The company's data backup policy documents requirements for backup and recovery of customer data.

  • System changes externally communicated

    The company notifies customers of critical system changes that may affect their processing.

  • Management roles and responsibilities defined

    The company management has established defined roles and responsibilities to oversee the design and implementation of information security controls.

  • Organization structure documented

    The company maintains an organizational chart that describes the organizational structure and reporting lines.

  • Roles and responsibilities specified

    Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy.

  • Security policies established and reviewed

    The company's information security policies and procedures are documented and reviewed at least annually.

  • Support system available

    The company has an external-facing support system in place that allows users to report system information on failures, incidents, concerns, and other complaints to appropriate personnel.

  • System changes communicated

    The company communicates system changes to authorized internal users.

  • Access reviews conducted

    The company conducts access reviews at least quarterly for the in-scope system components to help ensure that access is restricted appropriately. Required changes are tracked to completion.

  • Access requests required

    The company ensures that user access to in-scope system components is based on job role and function or requires a documented access request form and manager approval prior to access being provisioned.

  • Incident response plan tested

    The company tests their incident response plan at least annually.

  • Incident response policies established

    The company has security and privacy incident response policies and procedures that are documented and communicated to authorized users.

  • Incident management procedures followed

    The company's security and privacy incidents are logged, tracked, resolved, and communicated to affected or relevant parties by management according to the company's security incident response policy and procedures.

  • Physical access processes established

    The company has processes in place for granting, changing, and terminating physical access to company data centers based on an authorization from control owners.

  • Data center access reviewed

    The company reviews access to the data centers at least annually.

  • Company commitments externally communicated

    The company's security commitments are communicated to customers in Master Service Agreements (MSA) or Terms of Service (TOS).

  • External support resources available

    The company provides guidelines and technical support resources relating to system operations to customers.

  • Service description communicated

    The company provides a description of its products and services to internal and external users.

  • Risk assessment objectives specified

    The company specifies its objectives to enable the identification and assessment of risk related to the objectives.

  • Risks assessments performed

    The company's risk assessments are performed at least annually. As part of this process, threats and changes (environmental, regulatory, and technological) to service commitments are identified and the risks are formally assessed. The risk assessment includes a consideration of the potential for fraud and how fraud may impact the achievement of objectives.

  • Risk management program established

    The company has a documented risk management program in place that includes guidance on the identification of potential threats, rating the significance of the risks associated with the identified threats, and mitigation strategies for those risks.

  • Third-party agreements established

    The company has written agreements in place with vendors and related third-parties. These agreements include confidentiality and privacy commitments applicable to that entity.

  • Vendor management program established

    The company has a vendor management program in place. Components of this program include:
    - critical third-party vendor inventory;
    - vendor's security and privacy requirements; and
    - review of critical third-party vendors at least annually.

  • Vulnerabilities scanned and remediated

    Host-based vulnerability scans are performed at least quarterly on all external-facing systems. Critical and high vulnerabilities are tracked to remediation.

Data and privacy

  • CONTROL STATUS

  • Data retention procedures established

    The company has formal retention and disposal procedures in place to guide the secure retention and disposal of company and customer data.

  • Customer data deleted upon leaving

    The company purges or removes customer data containing confidential information from the application environment, in accordance with best practices, when customers leave the service.

  • Data classification policy established

    The company has a data classification policy in place to help ensure that confidential data is properly secured and restricted to authorized personnel.