ASP-RCM Security & Compliance
ASP-RCM is audited, certified, and signed off, with controls reviewed annually. Independent attestations are available under NDA.
Certifications
- SOC 2 Type 2, renewed annually. Report available under NDA.
- ISO 27001:2013, information security management. Certified.
- HIPAA & HITECH, Full compliance program. BAAs executed for every client.
- HITRUST CSF, Certification roadmap underway, target 2026 Q4.
Encryption & key management
AES-256 encryption at rest. TLS 1.2+ in transit. Customer-segregated keys. No PHI is logged in plaintext at any layer of the stack.
Access controls
Role-based access with least-privilege defaults. Multi-factor authentication for all employees. Quarterly access reviews. SSO/SAML available for client portals.
Workforce security
Background checks for all personnel. Annual HIPAA, security awareness, and specialty-specific compliance training. Sanction policy on violations.
Vendor & sub-processor management
All sub-processors are reviewed annually. BAAs executed where PHI is involved. Sub-processor list available under NDA.
Incident response
24/7 incident response team. Defined breach notification procedure aligned with HIPAA Breach Notification Rule. Tabletop exercises quarterly.
Data residency
U.S. clients' PHI is stored in U.S. data centers by default. Workflow processing follows client preferences and contractual constraints.
Pen testing & vulnerability management
Annual third-party penetration testing. Continuous vulnerability scanning. Patch SLAs by severity.
Request our security package
Email [email protected] for our full vendor questionnaire response, SOC 2 report, and ISO 27001 certificate. Sent under NDA within one business day.