Smile! It’s a Blog about Security, Compliance & Risk Management

For those who work in healthcare IT, it is a nightmare to realize that software they built, developed, implemented or maintained caused avoidable harm to a patient, or was exploited to have a negative impact on large sets of clinical records. Healthcare IT in general has a proven track record in improving patient safety and reducing human errors, so when something goes wrong, it is troubling, unexpected, inordinately expensive and potentially dangerous to patients.

Healthcare IT is a fast-growing field, with many companies offering the promise of expert and secure solutions. Choosing solutions, managed implementations and support services can be a complex and costly decision. It requires the balance of innovation and adaptability, with trusted security and delivery.

At Smile Digital Health (Smile), we achieve this balance through the HL7® FHIR® open framework – allowing organizations to collaborate, transform, enrich and share meaningful health information – with the intentional rigor of quality assurance, proven security standards and certifications. These certifications are awarded to companies who have proven discipline in the end-to-end product design and development process and ongoing management. 

As an interoperability solution, our Health Data Fabric (HDF) is flexible and adaptable to customers’ evolving needs without compromising safety, security and privacy. This allows Smile to handle your organization’s growing data needs, at a global scale.

As a vendor-partner, this enables your organization to stay compliant and enjoy the benefits of your data transformation journey, without recreating all the work, cost and effort. Your internal stakeholders, such as your privacy and compliance officer, risk management and information security officers, will be satisfied by our mature programs and services. Your clients, members and patients will appreciate the lengths you go to in order to ensure that their data is protected to the highest standards, by selecting a vendor that builds all of its products with security as a core requirement. Your organization will be able to ingest data from 3rd party vendors and SMART on FHIR apps to help expand your clinical and business insights, keeping access, consent, data portability and audit protocols intact.

The Certifications and What They Mean

Smile Digital Health has obtained various certifications and attestations (listed below) that show our commitment to international standards, while also providing third-party assessments of our programs and processes. We believe that building trust, integrity and credibility is a process. The process of achieving and maintaining privacy and security certifications enables us to develop and implement solutions rapidly and safely, while maintaining quality and ensuring better patient outcomes. 

As you proceed on the journey of enhancing your Healthcare IT environments with new solutions and products, we encourage you to explore the list below, either with potential vendors or within your organization. If you do choose Smile Digital Health products and services, then you are on the right path to meet regulatory compliance — current and evolving.

HITRUST r2 Certification

The HITRUST r2 Certification audits how data is stored and transmitted in compliance with HIPAA (Health Insurance Portability and Accountability Act) and other regulatory mandates. The certification process tests alignment and integration of all aspects of risk management and is trusted by many health networks. It has become a gold standard in healthcare IT service delivery as it proves an organization’s maturity in its privacy and security practices. In April 2023, Smile received the HITRUST Award for Maintaining the Highest Information Security and Privacy Standards. 

Smile not only offers a premier FHIR-based health data fabric solution but also provides the option to have it hosted and fully managed by Smile Managed Services, which provides the implemented processes required for the HITRUST certification. When you host your data with us, you can inherit our HITRUST-certified controls.

For our payer and provider customers, HITRUST is the broadest, widest and deepest set of requirements. Having completed our HITRUST r2 certification, we were audited for over 350 different controls. The time and effort for an individual organization to prove PHI (Protected Health Information) protection on their own and gain HITRUST certification is considerable.

Smile Digital Health is part of the Global Healthcare Compliance Scale Program with partners like HITRUST and Microsoft Azure which enables the simplification of regulatory compliance in order to accelerate solution adoption and value, without compromising security.

SOC 2 - Type II

SOC 2® - Type II is a comprehensive third-party attestation that confirms how a company safeguards customer data and how well and accurately its internal controls are operating. Rather than looking at processes as a snapshot, this certification looks at processes across a time span.

The SOC 2 Type II attestation focuses on a wide range of internal controls related to security, availability, confidentiality, processing integrity, and privacy. It involves the extensive validation of testing recovery plans, vulnerability scanning, access management and audits, to name a few. 

This allows Smile to keep privacy and security at the core of all processes. As a company, we pioneer processes that enable flexibility in an evolving industry landscape without compromising stability and security. 

ISO/IEC 27001:2013

Smile Digital Health takes security seriously, period. The ISO 27001 certification is awarded to companies who have successfully completed an independent audit of their information security management system. This series of standards outlines best practices to help organizations establish, implement, operate, monitor, review, maintain and continually improve information security management while safeguarding customer information.

In the last few years, security as a theme has made headlines, due to threats and attacks at major health institutions. Given the growing cyber threats to healthcare organizations worldwide, it is a challenge to meet interoperability demands while guarding the security and privacy of sensitive information, including health records. Smile chose to seek certification and take a proactive, risk-based approach to information security management that prioritizes data protection and upholds stakeholder confidence. Our level of exposure, especially compared to our competitors, most of whom do not have this certification, is significantly lower.

ISO/IEC 27018:2019

The ISO/IEC 27018 certification is a code of practice that focuses on cloud data protection and consent management. An add-on to ISO 27001, ISO 27018 establishes controls, objectives and guidelines to implement measures that protect PII (Personally Identifiable Information).

This certification is proof of privacy adherence within the organization, and especially in our Managed Services solutions. In the healthcare sector, ensuring the privacy of data is paramount, and this certification demonstrates our organization’s commitment to protecting PHI/PII. All processes have been designed to enable Smile to offer the transparency and visibility our customers require for their organization’s regulatory compliance.

ISO 13485:2016

Most people are familiar with ISO 13485 — an internationally recognized standard that demonstrates commitment to the design, safety, quality and installation of medical devices. It involves a rigorous certification process that assesses all aspects of software manufacturing and risk management, ensuring the highest quality products. All of this confirms that Smile’s software development processes are secure, consistent and reproducible in any clinical setting.

This means that all our Smile products have a reliable, formally approved process that maintains a high standard of quality. As FHIR regulation and standards evolve, our development teams ensure that our products evolve consistently. 

ONC Health IT Certification Program, (g)(10)

The (g)(10) criterion (and related criteria) mandates the use of HL7® FHIR as the standard to support the ONC interoperability strategy. It certifies interoperability and compliance with the Centers for Medicare and Medicaid (CMS) mandates. The ONC certification ensures that Smile’s FHIR solution adheres to the FHIR standard and performs interoperability reliably and according to the details of the FHIR and Da Vinci specifications.

For a provider organization in the US, partnering with Smile — a vendor that holds the ONC (g)(10) certification — will help alleviate significant administrative burdens, as our product suite is functionally compliant with US federal regulations. This results in cost and resource savings, as your organization avoids re-creating all the processes and tests for this certification internally when you use our product. We’ve already done it!

What This Means for Your Organization

At Smile, we believe that your organization does not have to take on all the administrative burden and rigor of obtaining privacy and security certifications. Duplication of effort is a feature of siloed legacy organizational thinking, a notion that we like to challenge. With our above certifications and processes, the burden of effort on your organization to achieve compliance is reduced. This gives you the ability to focus effort and resources, and specialize in your business innovations.

On your journey of data transformation, it is essential that, as part of the health IT industry, your organization assesses gaps proactively. You may even use the list above to confirm that your current vendor(s) comply with risk management certifications and processes.

But of course, it is far easier to achieve gold standards of security and regulatory compliance by choosing Smile’s trusted and secure products and services.

Why wait? Contact us today!