We take the protection of your employees' personal information very seriously. That's why we've implemented state-of-the-art electronic security systems and certifications that exceed industry standards.
Ameriflex maintains a comprehensive HIPAA Privacy/Security Policy and an FTC Red Flags policy. Ameriflex uses an internal HIPAA committee led by a corporate HIPAA Privacy/Security officer. Additionally, every department that comes in contact with protected health information (PHI) maintains department-level procedures that are updated on a regular basis. All employees are trained and evaluated in part based upon compliance with HIPAA and Ameriflex security policies. All infrastructure, facilities and computer systems are governed by our HIPAA security procedures.
We take this commitment to HIPAA compliance a step further by contracting with an outside firm to perform a HIPAA audit every two years. The auditors provide a thorough assessment of potential risks and vulnerabilities by examining our business processes, systems infrastructure, and access controls. They also perform vulnerability scans on external-facing and selected internal infrastructure devices and servers to identify high-risk vulnerabilities, as well as operational details such as patch levels, configuration errors, and filtering rules. HIPAA requires a periodic risk analysis but does not mandate an independent external audit; we have nonetheless made this audit standard protocol to ensure that we are truly maintaining the highest levels of data integrity possible.
We maintain multiple hosting sites: on-location, with redundant backups and automatic failover between our Texas and New Jersey operations centers, and off-location, at geographically diverse data centers that exceed Department of Defense (DoD) standards for a Sensitive Compartmented Information Facility (SCIF). The security and reliability features of our data centers and network provider are too numerous to list here; we maintain 99.99%+ uptime. Ameriflex and all of its subcontractors have undergone SAS 70 or SSAE 16 (SOC 1) Type II review (SSAE 16 superseded SAS 70 in 2011; a SOC 1 report covers controls relevant to clients' financial reporting). Data transmitted to our self-service systems is encrypted using PGP, and password and CAPTCHA requirements for those systems are configurable on a client-by-client basis.
Ameriflex employees undergo PHI and HIPAA training during their onboarding process. They are also instructed on a comprehensive visitor security policy at each facility location, as well as clean desk and computer workstation security policies.
Ameriflex has redundant operating centers in Texas and New Jersey, along with automatic database replication and system failover in the event that one site temporarily goes down. Critical systems and databases are not only replicated multiple times per day between the two operating centers, but they are also backed up and hosted in off-site datacenters. We run continuous database backups and store encrypted copies off-site per our SSAE 16 control list. We have a disaster recovery plan that takes advantage of our infrastructure and allows us to service clients from either of our operating centers; in addition, with the redundancies built into our systems and datacenters, clients can continue to self-service in the event of an outage at an office location.