RosettaHealth provides compliant hosted software infrastructure for its Customers. RosettaHealth has been through a HIPAA compliance audit to validate and map its organizational policies and technical controls to the HIPAA rules. In addition, RosettaHealth’s company policies and procedures are cross-mapped to HITRUST controls. RosettaHealth’s service offerings on AWS are managed by ClearDATA. ClearDATA has created and operates the server and network infrastructure in compliance with its own HITRUST-certified processes and procedures.
RosettaHealth does not act as a covered entity; instead, RosettaHealth signs business associate agreements (BAAs) with its Customers. These BAAs outline RosettaHealth’s obligations and the Customer’s obligations, as well as liability in the case of a breach. By providing infrastructure and managing the security configurations that form part of the technology requirements of HIPAA, as well as of future compliance frameworks, RosettaHealth manages various aspects of compliance for Customers. The aspects of compliance that RosettaHealth manages for Customers are inherited by Customers, and RosettaHealth assumes the risk associated with those aspects of compliance. In doing so, RosettaHealth helps Customers achieve and maintain compliance and mitigates Customers’ risk.
Applicable Standards
- CFR 160 – Subpart B.
Compliance Policies
- RosettaHealth recognizes that:
  - HIPAA generally preempts state laws regarding medical or health privacy. However, state laws that provide stronger protections for confidential health data, or that provide better patient and consumer access to health data than HIPAA, will generally preempt HIPAA regulations.
  - HIPAA Covered Entities and Business Associates must follow both HIPAA law and state law when possible. If there is a conflict between the two, a preemption analysis and determination must be made to assess which laws (HIPAA, State Laws, or both) must be followed.
- It is the Policy of RosettaHealth to comply, whenever possible, with both state law in the state(s) where we operate and HIPAA law and regulations.
- RosettaHealth’s designated Security and Privacy Official(s) shall analyze HIPAA preemption issues, in cooperation with legal counsel, and make preemption determinations.
- RosettaHealth’s designated Privacy Official shall create, modify, or amend organization policies to accurately reflect preemption determinations and provide guidance to management on HIPAA and state law preemption issues.
- If off-the-shelf or custom preemption analyses are obtained from external sources, it is the responsibility of RosettaHealth’s designated Privacy Official, in cooperation with legal counsel, to certify the validity and accuracy of such external preemption analyses before applying them to RosettaHealth operations.
- RosettaHealth’s designated Privacy Official shall conduct ongoing research to monitor legislative changes in the state(s) where we operate that could affect HIPAA preemption issues.
HIPAA Mappings to RosettaHealth Controls
RosettaHealth maps each of its policies and procedures control documents to relevant HIPAA requirements. This mapping is detailed in controls_regulatory_mapping.