
Industry standards and regulations to safeguard your data and privacy

NextGen Healthcare cares deeply about security and compliance for hosting sensitive healthcare data. We protect and secure data to ensure its privacy, accuracy, and reliability on our systems and applications, for the benefit of all.

Continuous Improvement of Security and Compliance

As a leading provider of healthcare IT solutions, we are committed to continuous improvement of our security and compliance practices. We regularly evaluate and update our policies, procedures, and technologies to ensure that we meet or exceed industry standards and best practices.

We conduct periodic security audits, assessments, and tests to identify and remediate any potential vulnerabilities or gaps in our hosted environment and applications. Furthermore, we leverage feedback from our customers, partners, and regulators to enhance our security and compliance capabilities and align them with the evolving needs and expectations of the healthcare sector.

By continuously improving our security and compliance posture, we aim to provide our customers with the highest level of trust and confidence in our hosted solutions.

Cloud Security and Posture with AWS

NextGen Healthcare leverages the power and scalability of Amazon Web Services (AWS) to deliver secure and reliable hosted solutions to customers. AWS is a global leader in cloud computing, offering a wide range of services and features that enable us to design, deploy, and manage our hosted environment in accordance with the highest security standards and best practices. AWS provides us with a secure and resilient infrastructure, advanced data protection, and comprehensive compliance controls that support our security and compliance objectives.

Some of the key benefits of using AWS for our hosted solutions include:

  • Secure and resilient infrastructure: AWS maintains a high level of physical and environmental security at its data centers, which are located in multiple geographic regions and availability zones. AWS provides us with tools and services to monitor, automate, and optimize the performance, availability, and scalability of our hosted environment, as well as to protect it from network attacks, malicious activities, and natural disasters.
  • Advanced data protection: AWS enables us to encrypt data at rest and in transit, using industry-standard encryption algorithms and keys.
  • Comprehensive compliance controls: AWS adheres to multiple security and compliance frameworks and standards, such as HIPAA, HITRUST, SOC, ISO, PCI DSS, and FedRAMP. AWS also provides us with services and resources to help comply with these and other regulatory requirements.

By partnering with AWS cloud for our hosted solutions, we can provide customers with a secure and compliant hosted environment that meets their business needs and expectations. We are confident that AWS cloud offers the best platform to deliver high-quality healthcare IT solutions that enhance patient care and outcomes.

Reliable Data Backup and Disaster Recovery

We have multiple options to back up and restore our data in the cloud, using services such as online storage, archival storage, backup management, and hybrid storage. We can also leverage the global infrastructure and availability zones of our cloud provider to replicate our data across different regions and ensure high availability and durability. In the event of a disaster, we can use services such as virtual machines, relational databases, file systems, and infrastructure automation to quickly recover applications and databases from backups or snapshots, minimizing downtime and data loss.

Secure and Compliant Development Practices

We integrate industry standards of security and compliance in developing our Cloud Hosted solutions, using industry best practices for change management, secure coding principles, code inspection and review, software development lifecycle, secure code repositories, repeatable builds, separation of development and production environments, and testing plans. We also document and implement processes for vulnerability management, patching, and verification of system security controls, ensuring that our solutions are always protected and up to date.

Data Security

We protect the privacy and integrity of our healthcare data by using encryption, access control, auditing, and monitoring. We encrypt our data at rest and in transit, using strong encryption algorithms and keys that are managed by a trusted key management service. We comply with the Health Insurance Portability and Accountability Act (HIPAA) and other relevant regulations, and ensure that our healthcare data is only stored within the United States, using regional storage services that restrict data movement across borders.

HITRUST Common Security Framework

We adhere to the highest standards of compliance and governance for our hosted solutions, using the HITRUST CSF to assess and manage our risk posture and to demonstrate our operational excellence and security controls. We regularly undergo independent audits and assessments to validate our compliance and governance practices and ensure that we meet or exceed the expectations of our customers and regulators.

As a benefit of using our hosted solutions, our customers who leverage the HITRUST CSF can inherit many of our security and privacy controls to ease their own audit process. By aligning with the HITRUST CSF, we provide our customers with a comprehensive and consistent approach to managing their compliance and governance obligations, reducing their burden and costs. Our HITRUST CSF letter, including its scope, is available upon request. More information regarding inheritance with HITRUST Alliance can be found here.

SOC 2 Type II and SOC 3

In addition to the HITRUST CSF certification, we also undergo annual SOC 2 Type II and SOC 3 audits conducted by an independent AICPA CPA firm. These audits cover four trust service principles: security, availability, confidentiality, and privacy. The SOC 2 Type II report provides a detailed description and evaluation of our hosted solutions and the suitability and effectiveness of our controls over a 12-month period. Both reports attest to our commitment and capability to deliver secure, reliable, and trustworthy hosted solutions to our customers. Our SOC 3 report is available upon request.

TX-RAMP Level 2 Certification

We are proud to announce that we have achieved TX-RAMP Level 2 certification, a rigorous assessment of our Cloud Hosted solutions by the Texas Department of Information Resources (DIR). The TX-RAMP certification demonstrates our compliance with the Texas Cybersecurity Framework (TCF), which is based on the NIST Cybersecurity Framework and aligned with the HITRUST CSF. The TX-RAMP certification also validates our ability to provide secure, resilient, and reliable Cloud Hosted solutions to our customers in the state of Texas. Our TX-RAMP certificate is available upon request. More information regarding TX-RAMP can be found here.

Products covered under TX-RAMP are NextGen Enterprise EHR, NextGen Practice Management, and NextGen Population Health.

Accredited HISP Under DirectTrust

We are also an accredited HISP (health information service provider) under DirectTrust, a non-profit organization that promotes secure and interoperable health information exchange. As an accredited HISP, we adhere to the highest standards of privacy, security, and trust for the Direct exchange network, which enables healthcare providers to securely send and receive clinical data across different EHR systems. Our accreditation status can be verified here.

Products covered under DirectTrust are NextGen Share and NextGen Connect.

For more information