We take a risk-based approach to evaluating partners that may access, process, or store personal health information (PHI). Our goal is to protect patient data while ensuring high-quality integrations.
So, if you’re interested in integrating with Jane, here are our ground rules. Give them a read, and if you’re on the same page as us, we’d love to chat.
Core security expectations for PHI-handling partners
Partners that handle PHI should be able to demonstrate:
- Security attestation and regulatory compliance: Provide a current SOC 2 Type II report (issued within the last 12 months) covering the relevant Trust Services Criteria, and demonstrate compliance with applicable regulations (HIPAA, GDPR), including a signed Business Associate Agreement for PHI.
- Security program management: Maintain documented policies and procedures for information security, incident response, change management, and secure development, with regular staff training.
- Encryption and data security: Implement AES-256 encryption for data at rest and TLS 1.2 or later for data in transit, with any exceptions documented. Store data in agreed-upon jurisdictions with appropriate data residency controls.
- Access control: Implement role-based access control (RBAC) and Single Sign-On (SSO), enforce least privilege, and require multi-factor authentication (MFA) for all privileged accounts.
- Incident management: Maintain a documented incident response plan that commits to breach notification within 24 hours of detection, and demonstrate the capability to investigate and remediate security incidents.
- Monitoring and logging: Implement comprehensive system monitoring with audit logging, retaining logs for at least 12 months. Enable audit logging of all account activity within platforms accessed by staff.
- Vulnerability management: Conduct regular vulnerability scans, patch promptly, and adhere to defined remediation service level agreements (for example, 30 days for critical issues).
- Secure development: Follow secure software development lifecycle (SDLC) practices, use SAST/DAST tooling, and conduct annual penetration testing with prompt remediation of identified vulnerabilities.
- Third-party risk management: Provide a complete list of subprocessors, ensure they meet these security requirements, and maintain oversight of their security practices.
- Authentication and authorization: Implement strong authentication mechanisms (such as OAuth 2.0, mutual TLS, or bearer tokens sent only over TLS), secure session management, and authorization checks on every application function and API endpoint.
If you’re interested in speaking with the Jane Integration team to learn more, you can reach them at [email protected].