3rd Party Policy

RosettaHealth makes every effort to assure all 3rd party organizations are compliant and do not compromise the integrity, security, and privacy of RosettaHealth or RosettaHealth Customer data. 3rd Parties include Customers, Partners, Subcontractors, and Contracted Developers.

Applicable Standards

Applicable Standards from the HITRUST Common Security Framework

  • 05.i - Identification of Risks Related to External Parties

  • 05.k - Addressing Security in Third Party Agreements

  • 09.e - Service Delivery

  • 09.f - Monitoring and Review of Third Party Services

  • 09.g - Managing Changes to Third Party Services

  • 10.1 - Outsourced Software Development

Applicable Standards from the HIPAA Security Rule

  • 164.314(a)(1)(i) - Business Associate Contracts or Other Arrangements

Policies to Assure 3rd Parties Support RosettaHealth Compliance

  1. All connections and data in transit between HealthBus and 3rd parties are encrypted end to end.

  2. A standard business associate agreement (BAA) with Customers is defined and includes the required security controls in accordance with the organization’s security policies. Additionally, responsibility is assigned in these agreements.

  3. Only 3rd parties with which RosettaHealth has a BAA are permitted to access ePHI as defined by the BAA.

  4. RosettaHealth has a BAA with any Subcontractors that have access to the production systems through interfaces other than those used by Customers.

  5. RosettaHealth has Service Level Agreements (SLAs) with Subcontractors with an agreed service arrangement addressing liability, service definitions, security controls, and aspects of services management.

    • Subcontractors must coordinate, manage, and communicate any changes to services provided to RosettaHealth.

    • Changes to 3rd party services are classified as configuration management changes and thus are subject to the policies and procedures described in Configuration Management; substantial changes to services provided by 3rd parties will invoke a Risk Assessment as per the Risk Management policy.

    • RosettaHealth utilizes monitoring tools to regularly evaluate Subcontractors against relevant SLAs.

  6. No RosettaHealth Customers or Partners have access outside of their own environment, meaning they cannot access, modify, or delete anything related to other 3rd parties.

  7. RosettaHealth does not outsource software development.

  8. RosettaHealth maintains and annually reviews a list of all current Partners and Subcontractors.

    • The list of current Partners and Subcontractors is maintained including details on all provided services (along with contact information).

    • The annual review of Partners and Subcontractors is conducted as a part of the security, compliance, and SLA review referenced below.

  9. RosettaHealth assesses security, compliance, and SLA requirements and considerations with all Partners and Subcontractors. This includes annual assessment of SOC2 and/or HITRUST reports for all RosettaHealth infrastructure partners.

  10. Regular review is conducted as required by SLAs to assure security and compliance. These reviews cover reports, audit trails, security events, operational issues, failures, and disruptions; identified issues are investigated and resolved in a reasonable and timely manner.

  11. Any changes to Partner and Subcontractor services and systems are reviewed before implementation.

  12. For all partners, RosettaHealth reviews activity annually to assure partners are in line with SLAs in contracts with RosettaHealth.

  13. The 3rd Party Assurance process is reviewed annually and updated to include any necessary changes.

  14. Changes to the 3rd Party Assurance process will also be made on an ad-hoc basis in cases where operational changes require it or if the process is found lacking.