Third-party Attestation of Design and Control Effectiveness
The University of Massachusetts Medical School and Commonwealth Medicine has completed a review by a qualified third-party auditor of our Security and Availability Trust Principles aligned with the American Institute of Certified Public Accountants. We have obtained a SOC 2, Type 1 report which demonstrates the suitability of the design and operating effectiveness of our control environment. Download a copy of the SOC 2, Type 1 report.
Additionally, we are actively engaged in obtaining a SOC 2 Type 2 report with expectations that it will be complete in early 2019.
Protecting Client Data
Commonwealth Medicine, as part of the UMass Medical School (UMass), is a state entity, a research facility, and a supporting health care consulting and operations organization. This complexity subjects our organization to many federal and state privacy, security and compliance rules and regulations relating to these activities.
In the course of our work, UMass receives from, or collects on behalf of, its clients personal information and protected health information. The privilege of working with and storing this data is accompanied by significant obligations to protect individuals’ privacy and ensure data security. Born from a deep commitment to provide quality services while complying with these laws, UMass has a dedicated unit, the Office of Management, to assist in:
- Fulfilling its compliance obligations,
- Maintaining the confidentiality and security of sensitive and protected health information, and
- Upholding ethical standards.
It is the policy of UMass to comply with all laws governing its operations and to conduct business in keeping with legal and ethical standards. The Office of Management guides us in responding effectively to the changing regulatory landscape in the compliance arena. The Office of Management develops policies and makes employees aware of best practices through training, monitoring, and consultation. Our employees participate in annual compliance, privacy and security training on their responsibilities, the principles of which are regularly reinforced.
Employees are instructed on their responsibilities in areas including:
- The Code of Conduct, and related Standards and Policies
- Protecting sensitive information and limitations on the use and disclosure of such information
- Complying with applicable regulatory and contractual requirements
- Identifying and reporting violations of privacy and security requirements
- Exercising sound, ethical judgment
- Promoting the best interests of the individuals with whose information we work as well as the best interests of our clients
Laws and Regulations
UMass established a Compliance Program based upon the Federal Sentencing Guidelines, CMS guidance and the guidance of the U.S. Office of the Inspector General to effectively address applicable federal and state laws, rules and regulations including, but not limited to, HIPAA (as amended by the HITECH Act), the Privacy Act of 1974, Confidentiality of Alcohol and Drug Abuse Patient Records (42 CFR Part 2), and applicable Massachusetts laws including MGL c. 66A (FIPA, the Fair Information Practices Act) and c. 93H (Security Breaches).
The UMass Compliance Program applies to all relevant employees, as well as our business partners including, but not limited to, Business Associates as defined by HIPAA and first tier, downstream and related entities (FDRs) as defined by CMS.
The effectiveness of the Compliance Program is built on our organizational culture and the implementation of our organization’s values. We are committed to conducting business in a fully ethical and compliant manner.