RosettaHealth, Inc (“RosettaHealth”) is committed to ensuring the confidentiality, privacy, integrity, and availability of all electronic protected health information (ePHI) it receives, maintains, processes and/or transmits on behalf of its Customers. As providers of compliant, hosted health information exchange services used by health technology vendors, public health agencies, healthcare organizations, and health information exchanges, RosettaHealth strives to maintain compliance, proactively address information security, mitigate risk for its Customers, and assure known breaches are completely and effectively communicated in a timely manner. The following documents address core policies used by RosettaHealth to maintain compliance and assure the proper protections of infrastructure used to store, process, and transmit ePHI for RosettaHealth Customers.

Technical Overview

Software as a Service (SaaS)

The RosettaHealth Platform provides a Software as a Service (SaaS) integration and exchange solution. Customers utilize these services to facilitate the exchange of healthcare information specific to their trading partners and their business needs. These services are deployed on systems secured and managed by RosettaHealth’s networking infrastructure partner, ClearData (https://www.cleardata.com), a HIPAA Compliant and HITRUST certified organization, on the Amazon Web Services platform.

Platform Components

At its core the RosettaHealth Platform is a cloud-scale HIT messaging system that enable health information exchange between organizations. A number of high level services and APIs are used to support the integration to any number of HIT systems. Supporting these capabilities is the HealthBus Rules Engine and HealthBus Queues. This provides the mechanisms to define the specific actions that are to be taken, and exchange specific data needed, for any transaction going through the platform.

Finally supporting the platform is a comprehensive set of auditing, logging and reporting capabilities. Metadata about every transaction occurring within the platform is captured and securely stored. That data is then available for reporting purposes both by RosettaHealth and by platform Customers.

HIPAA Compliant Cloud Hosting

The physical infrastructure environment for the production RosettaHealth Platform is hosted at Amazon Web Services (AWS) in the us-east-1 region (US East -N. Virginia) using FedRAMP certified services. ClearDATA is responsible for providing and managing all AWS components and services used by the platform. ClearDATA provides a proprietary, HITECH certified implementation of the AWS environment through it’s Dynamic PHI Cloud Platform. The diagram below shows the delineation of responsibilities between RosettaHealth (orange) and ClearDATA (blue).

Information Security Overview

Rosettahealth has developed an Information Security Management Plan (ISMP) based on the NIST Cybersecurity Framework. The RosettaHealth ISMP covers the following 5 core functions:

  • Identify – Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.

  • Protect – Develop and implement appropriate safeguards to ensure delivery of critical services.

  • Detect – Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.

  • Respond – Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.

  • Recover – Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.

RosettaHealth has developed polices and procedures that align with these core functions to ensure that all aspects of the RosettaHealth Platform and operations comply with applicable regulatory requirements. In addition RosettaHealth has had these polices and procedures audited and accredited by ENHAC for compliance to the applicable HIPAA Privacy and Security rules for a Business Associate.