3rd Party Policy
Next Health Choice makes every effort to assure all 3rd party organizations are compliant and do not compromise the integrity, security, and privacy of Next Health Choice or Next Health Choice Customer data. 3rd Parties include Customers, Partners, Subcontractors, and Contracted Developers.
Applicable Standards from the HITRUST Common Security Framework
- 05.i - Identification of Risks Related to External Parties
- 05.k - Addressing Security in Third Party Agreements
- 09.e - Service Delivery
- 09.f - Monitoring and Review of Third Party Services
- 09.g - Managing Changes to Third Party Services
- 10.1 - Outsourced Software Development
Applicable Standards from the HIPAA Security Rule
- 164.314(a)(1)(i) - Business Associate Contracts or Other Arrangements
Policies to Assure 3rd Parties Support Next Health Choice Compliance
- The following steps are required before 3rd parties are granted access to any Next Health Choice systems:
- Due diligence with the 3rd party;
- Controls implemented to maintain compliance;
- Written agreements, with appropriate security requirements, are executed.
- All connections and data in transit between the Next Health Choice Platform and 3rd parties are encrypted end to end.
- Access granted to external parties is limited to the minimum necessary and granted only for the duration required.
- A standard business associate agreement with Customers and Partners is defined and includes the required security controls in accordance with the organization’s security policies. Additionally, responsibility is assigned in these agreements.
- Next Health Choice has Service Level Agreements (SLAs) with Subcontractors with an agreed service arrangement addressing liability, service definitions, security controls, and aspects of services management.
- Next Health Choice utilizes monitoring tools to regularly evaluate Subcontractors against relevant SLAs.
- Third parties are unable to make changes to any Next Health Choice infrastructure without explicit permission from Next Health Choice. Additionally, no Next Health Choice Customers or Partners have access outside of their own environment, meaning they cannot access, modify, or delete anything related to other 3rd parties.
- Whenever outsourced development is utilized by Next Health Choice, all changes to production systems will be approved and implemented by Next Health Choice workforce members only. All outsourced development requires a formal contract with Next Health Choice.
- Next Health Choice maintains and annually reviews a list all current Partners and Subcontractors.
- Next Health Choice assesses security requirements and compliance considerations with all Partners and Subcontracts.
- Regular review is conducted as required by SLAs to assure security and compliance. These reviews include reports, audit trails, security events, operational issues, failures and disruptions, and identified issues are investigated and resolved in a reasonable and timely manner.
- Any changes to Partner and Subcontractor services and systems are reviewed before implementation.
- For all partners, Next Health Choice reviews activity annually to assure partners are in line with SLAs in contracts with Next Health Choice.