Compliance

Orbita ensures that our customers’ data is handled in accordance with applicable laws, regulations, and industry standards. As healthcare technology professionals, Orbita fully understands and supports the regulatory requirements that apply to the industries we serve. Our compliance objectives are to meet or exceed our clients’ compliance objectives as they relate to the services we provide. In addition, Orbita holds all suppliers used as part of our services to equal or greater requirements.

    • Assessments, auditing, and evaluation: As part of Orbita's security, privacy, and compliance objectives, assessments are performed against industry standards to ensure that we meet or exceed expectations. To validate this, Orbita has third-party assessments performed to confirm that our policies, controls, and safeguards for protecting customer data meet our compliance objectives. Orbita has aligned to the AICPA SSAE 18 System and Organization Controls, and Orbita's Conversational Platform has undergone a third-party evaluation against the common criteria of the SOC 2 Type 2 Security Trust Principles. A SOC 2® Type 2 assessment report was created from the evaluation against these principles. Orbita will share the SOC 2 Type 2 report with customers under agreement. To obtain a copy, please request it from your Sales Representative.
    • HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) represents the standard for the protection of sensitive patient data. Companies handling protected health information (PHI) must have appropriate protective processes and safeguards in place, and follow them, in order to ensure HIPAA compliance. Other entities, including subcontractors and other related business associates, must also be in compliance. Orbita solutions are designed to give customers full control of their data, including the potential use of ePHI. As Orbita does not manage this data directly, we may act on behalf of our customers as a business associate and have supporting systems in place to ensure compliance with HIPAA.
    • Risk management framework: A risk management framework is in place to determine, measure, manage, and monitor risks relating to data and information. The objectives of the Orbita Risk Management Framework are to:
        • Discover and report on new risks during information processing and handling activities.
        • Assess and measure risks based on the system, with consideration of likelihood and impact.
        • Efficiently and effectively treat risks with safeguards that address root causes.
        • Maintain documentation to justify the reasons and rationale for the safeguards and treatments used to manage active risks.
        • Monitor active risks to track and control residual risk or new risks that may be introduced along with any treatments.
        • Support a system of continuous improvement regarding data handling and processing activities.
    • Administrative safeguards: Administrative safeguards and controls have been added to ensure comprehensive coverage of risks and potential threats, using industry best practices.
        • Dedicated Security Personnel have been appointed and are responsible for maintaining the information security and data privacy management systems.
        • Information Access Management: Identity validation and access controls are in place to ensure that data access is permitted according to classification, as permitted and planned. A system of approval governs access requests, with reporting, periodic review, and monitoring.
        • Training is established and used to support the Orbita workforce that performs processing activities, ensuring that relevant safeguards are trained.
        • Evaluation: The security programs' requirements and objectives are reviewed regularly to ensure alignment with business goals and objectives, while seeking opportunities for improvement.
    • Physical safeguards: Physical safeguards are in place to ensure that critical data processing facilities comply with Orbita physical security policies and objectives. Third-party vendor facilities where data may be hosted have been assessed to ensure compliance with Orbita requirements. Physical security and environmental controls are in place to properly safeguard all critical equipment against accidental or malicious misuse.
    • Technical safeguards:
        • Access Control: Access is controlled and managed based on the principle of least privilege (PoLP), restricting access by default. A system of approval is in place to ensure that access requests are tracked and managed by authorized resources.
        • Auditing is performed through internal and external audits of systems and processes to ensure that the requirements and objectives of Orbita's security programs are being met and improving.
        • Integrity Controls: Data at rest, including backup systems and data, is encrypted, separated from its source, and protected according to industry best practices. In addition, restrictive controls limit access to all such data. Monitoring and review ensure that all data at rest is unchanged from its genuine form.
        • Transmission Security: All transmission endpoints and critical services are encrypted and protected to prevent unauthorized access.
        • Breach management: A breach management process is in place to handle reports of security incidents and events. If customer data is stolen, accessed by unauthorized sources, or suspected of being compromised, action will be taken according to Orbita’s policies and procedures, including timely notice to any affected Orbita customers.

For more information, please visit the Orbita Trust Center page.