
Privacy and Security

BMI Audit Services is dedicated to protecting the privacy and security of your Protected Health Information (PHI) and Personally Identifiable Information (PII). Because we inherently operate in a regulated environment, we have a number of policies, practices and insurance coverage in place to help safeguard any sensitive data we may receive in the course and scope of the work we are engaged to perform. We keep oral, written, and electronic PHI/PII safe using physical, technical, and procedural means, in addition to our extensive insurance coverage. Additionally, BMI is a certified SOC 2 service organization as defined by the AICPA (aicpa.org/soc). The certification is widely recognized as the worldwide standard for secure and confidential information handling.

Physical Security Safeguards

  • BMI is located at a facility that maintains restricted, off-hours access. Additionally, the offices of BMI are protected by a 24/7 security, video and alarm system maintained by a leading provider for security monitoring services.
  • Access to the BMI office and internal rooms is controlled electronically through a key fob access system. Only authorized BMI personnel have accounts and designated access to gain entry.
  • Computer, phone, and networking related equipment is secured in a locked and restricted area.
  • BMI utilizes a leading provider for secure document shredding.

Information Technology Safeguards

  • All PHI/PII data is stored on our central servers and raw data files are encrypted using AES-256 encryption technology. In addition, laptop computers utilized by BMI personnel are password-protected at the hard drive level; any data residing on a laptop’s hard drive cannot be accessed without the appropriate password even if that hard drive is placed in a different computer.
  • Only authorized BMI personnel have accounts to gain access to our environment. A strong, complex password policy is employed along with multi-factor authentication. Internal networks are segmented based on data sensitivity.
  • In addition to industry-leading anti-virus/malware, intrusion protection, data loss prevention, and advanced threat protection, resources are protected through the use of the latest software products that identify and authenticate users to validate access requirements.
  • Backups are performed on a 24/7 basis. Data that is backed up is first encrypted using AES encryption technology and then delivered to a SOC 2 certified colocation electronically for business continuity purposes. Backup infrastructure resides on private networks logically secured from other networks.
  • Remote access to the BMI network and servers is controlled using state-of-the-art firewall, monitoring, and networking technology.
  • Industry-leading managed detection and response services continuously scan our networks and endpoints for potential vulnerabilities.

Procedural Safeguards

  • All BMI personnel undergo an extensive background check prior to employment.
  • Access to systems and data is based on the principle of need-to-know and is reviewed regularly.
  • Business Associate Agreements are required between contracting parties when any PHI/PII is securely exchanged.
  • Ongoing training and user adherence testing are provided on HIPAA, cyber security, and privacy and security policies, which are regularly updated in a fast-changing data security environment.
  • Extensive insurance coverages are in place: Cyber liability insurance coverage including errors and omissions, data privacy and network security liability, internet and electronic media liability, professional services liability, business interruption, cyber extortion, data and identity theft, intellectual property, and expenses related to responding to a privacy event.

SOC 2 Certified

  • BMI is a certified SOC 2 service organization, as defined by the AICPA (aicpa.org/soc).