Relatient Security Q&A: Certifications, Compliance, and Protecting Healthcare Data
According to the U.S. Department of Health and Human Services, more than 112 million individuals had their healthcare data compromised in 2023, more than double the 48.6 million affected in 2022. Healthcare providers remain the most impacted group among HIPAA-covered entities, underscoring the importance of strong security and compliance practices in healthcare technology.
At Relatient, protecting patient data is inseparable from delivering our comprehensive patient access platform. We are proud to hold a HITRUST i1 certification, have successfully completed a SOC 2 Type 2 examination, and maintain full HIPAA compliance. Together, these achievements demonstrate our commitment to meeting rigorous industry standards and ensuring that our platform is secure, compliant, and trusted by healthcare organizations.
To help you understand what these certifications mean in practice, we sat down with Nike Segun, our Information Security Analyst, for a Q&A on how Relatient safeguards healthcare data and builds trust through compliance.
Why do healthcare organizations need third-party validated security certifications from their technology vendors?
Healthcare organizations need third-party validated security certifications from their technology vendors for several reasons. First, regulations like HIPAA require vendors to undergo annual certifications to ensure we meet specific security standards. It’s a way for regulators to confirm that technology partners are truly complying with what is required.
Second, these certifications support risk management. They give assurance that we are following established security practices, continuously assessing ourselves, reviewing our endpoints and products, and actively mitigating risks across the organization.
And third, they build trust. Our clients gain confidence knowing that through these certifications we are demonstrating due diligence. It shows that we are not just evaluating ourselves internally. Outside auditors are also validating what we are doing and identifying areas where we can improve. That external perspective helps strengthen our processes and ultimately deepens the trust between us and our clients.
What does achieving HITRUST i1 Certification and completing a SOC 2 examination say about Relatient’s security posture?
Achieving HITRUST i1 certification and completing a SOC 2 examination signals to outsiders that we have a structured, rigorous approach to security. It shows that we follow established standards and frameworks that cover security, privacy, compliance, and overall trustworthiness. It also tells our current and future clients that we have implemented effective security controls and practices, giving both partners and customers confidence in how we protect their data.
It demonstrates that we are a company committed to continuous improvement. These certifications highlight areas where we are strong and help us identify where we can keep getting better.
Most of all, it reflects accountability. Completing these certifications shows our clients and auditors that we are willing to undergo review and scrutiny, and that we take responsibility for maintaining strong security across everything we do.
How do HIPAA, HITRUST i1, and SOC 2 Type 2 help organizations feel confident using platforms like Dash®?
HIPAA, HITRUST i1, and SOC 2 Type 2 help organizations feel confident using platforms like Dash® in several ways. One clear example is something as simple as logging into our applications. We have multi-factor authentication in place, so users can validate that they are the ones accessing their accounts without any uncertainty.
From a HIPAA standpoint, it shows that we are committed to protecting sensitive patient information. That’s critical for us as a company, and it’s critical to me as a security professional. We make sure Protected Health Information (PHI) is protected by having strong administrative controls: regularly reviewing who has access, ensuring the right people have the access they need, and preventing access for those who don’t. That’s very important.
We also maintain technical safeguards, especially within our cloud security. Altogether, these frameworks demonstrate that patient data is protected at every level, which is top of mind for me and for Relatient as a whole.
As Relatient went through the HITRUST and SOC 2 audits, what did you learn about Dash®, our processes, and security maturity?
Going through the HITRUST and SOC 2 audits really highlighted areas where our processes could be strengthened and streamlined, which actually reinforced that we are on the right track. I’m always amazed during audits at how much we learn about the maturity of our security practice. The evaluations showed where we are strong and where we still have opportunities for development and investment, which is reflected in the corrective action plans we receive and actively work to resolve.
As a security analyst, I’m often the one working across teams to make sure we understand those corrective action items and address them quickly. We stay on top of every recommendation and work through each action to continue maturing in those areas. A big priority for Relatient is making sure security is part of our culture by reinforcing it through training, awareness, and consistent practices.
As the product grows, I have seen us steadily tighten up processes across the company to ensure each product has the right security measures in place. That includes working with different teams and managers to ask the right questions early, vetting our vendors carefully, checking that they hold the proper certifications, and making sure they are doing their part to keep our clients’ information secure. We are committed to that due diligence, and the audits help confirm that we are moving in the right direction.
What should healthcare organizations ask when evaluating the security of any technology vendor?
First is confirming whether the vendor has relevant security certifications such as HITRUST, SOC 2, or others. There are also equivalent certifications like ISO that I review when assessing a vendor. There are numerous security certifications a vendor may hold, and healthcare organizations want to make sure they have vetted those properly.
They should also understand the vendor’s plan for managing breaches. Make sure they have a clear, documented process in place. And especially today, ask how they are protecting data: What encryption practices do they use? What are their data handling procedures? Those are key areas to review.
Another important factor is third-party risk management. Ask how they evaluate and monitor their subcontractors. Are they onboarding partners without any vetting, or do they have a defined process? You want to get a clear picture of how they are handling subcontractors and the risks associated with them.
Interested in learning more about Relatient’s security and compliance certifications? Explore our Trust Center.
