Service & Security Commitments

Learn about our information security program and commitments

Written by Emily McMakin
Updated over 7 months ago

TREND's Service & Security Commitments

Overview

TREND Health Partners (“TREND”) is an independent, tech-enabled company founded by innovators and leaders in the payment integrity industry. We provide comprehensive tools and solutions designed to support both payer and provider processes.

Data security and privacy are critical requirements in today’s healthcare environment. TREND’s unique solutions are built on an advanced HIPAA-compliant, cloud-based technology platform using current, secure technology. This includes all aspects of our business and service delivery infrastructure.

Our web-based platforms, CAVO and TRENDConnect (the “Systems”), enable us to provide our customers with a range of services including credit balance identification and recovery, payment accuracy services, denials management, DRG and itemized bill reviews, root-cause analysis, and invoice payment tracking. This customer commitments document describes our promise to customers relative to the availability, confidentiality, security, and privacy of the Systems.


Information Security Program

TREND’s information security program was established with a foundation based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and the HITRUST Common Security Framework (CSF). These guidelines incorporate and leverage security and privacy requirements including state, federal and international legislation, regulatory agency rules and guidance, and industry frameworks.

TREND’s Chief Information Security Officer (CISO) has vast experience in healthcare security and holds an ISC2 Certified Information Systems Security Professional (CISSP) certification along with a master’s degree in Cybersecurity and Information Assurance.

The CISO is supported by a dedicated Security staff as well as a diverse technology team consisting of software development, infrastructure, and data transformation professionals. The CISO chairs TREND’s Security and Compliance Governance Committee and serves on the Cybersecurity and Compliance Subcommittee of TREND’s Board of Directors.

Data Privacy and Compliance Program

TREND’s Data Protection and Privacy program is designed to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) along with all other state and local regulations and applicable industry standards.

TREND’s Senior Director of Privacy and Compliance has extensive experience in healthcare and payment integrity and is supported by a dedicated privacy and compliance team.

The Senior Director of Privacy and Compliance co-chairs TREND’s Security and Compliance Governance Committee and serves on the Cybersecurity and Compliance Subcommittee of TREND’s Board of Directors.

Independent Auditing and Testing

TREND is dedicated to conducting independent third-party assessments to provide assurance to our customers. This includes a commitment to conduct the following annually:

  • Network Penetration Test

  • Web Application Penetration Test

  • SOC 1 Type 2

  • SOC 2 Type 2 (Security, Availability, Confidentiality)

  • HITRUST CSF Validation/Certification

System & Support Availability

The system is typically available and online 24/7, and any scheduled downtime is communicated to users in advance via in-site notifications and/or e-mail. However, exceptions do occur. Our availability promises to our customers are as follows:

  • System availability between 7:00 A.M. to 8:00 P.M. (EST) Monday – Friday

  • System uptime of 99.9%*

  • Telephone support: 9:00 A.M. to 5:00 P.M. (EST) Monday – Friday

  • Email support: Monitored 8:00 A.M. to 5:00 P.M. (EST) Monday – Friday, initial response provided within one business day.

  • When application downtime is scheduled, advance notice will be provided. This communication may be made by way of e-mail, phone, or in-site notifications.

*Annualized uptime of 99.9% during posted system hours and excluding any force majeure events or any other events beyond the reasonable control of Trend Health Partners, including those resulting from user entity or third-party equipment, services, actions, or lack thereof.

System Change Notifications

When major updates or critical changes are implemented in the Systems, impacted users will be notified of the changes made as well as the expected end-user impact. This communication shall be made by way of e-mail, phone, or in-app notifications.

Confidentiality and Non-Disclosure

All users, both internal and external, are required to complete confidentiality and/or non-disclosure agreements prior to being granted access to the Systems.

Staffing and Access Controls

All TREND employees undergo background checks and security screenings. Prior to accessing any sensitive data, all TREND employees complete mandatory Privacy and Security training.

Access is granted based on an individual’s role within the organization and restricted to the minimum necessary. TREND enforces mandatory multi-factor authentication for all access to sensitive data.

Data Encryption

All data is encrypted in transit and at rest. This includes all storage (databases, backups, workstations, mobile devices, servers, etc.) and transfers within the infrastructure and to/from third parties as well as between endpoints and applications and services.

Cloud Service Provider and Data Center Security

The Systems currently operate within Microsoft Azure and Amazon Web Services (AWS) infrastructure as a service (IaaS) tenants, each located in the East and West U.S. regions. In this cloud service model, Microsoft and AWS share responsibility with TREND for host infrastructure and network controls, and are solely responsible for the physical security of their data centers. Other domains such as data classification & accountability, client & end-point protection, identity & access management, and application-level controls are TREND’s responsibility.

Both cloud service providers supply customers with detailed information on Security, Privacy and Compliance within their service offerings, including audit reports to verify technical compliance and control requirements. Please refer to the links below for more information:

Data Backups and Retention

System and data backups are performed daily. Backup frequency and retention are determined by criticality and regulatory/contractual requirements. All backup types are tested at least monthly. Data no longer required for legal, regulatory, or business reasons is destroyed. Upon termination or expiration of a client contract or business associate’s agreement, it is TREND's policy to return or destroy client data, PHI, or other individually identifying health information in its possession and not associated with TREND work product or required per the Company's retention policy.

Business Continuity / Disaster Recovery

TREND maintains a Business Continuity / Disaster Recovery Plan that is tested no less than annually.

In addition to maintaining regular backups across geo-redundant storage, the Systems are replicated to a second cloud region to ensure redundancy and availability.

Logging and Monitoring

Audit and application logs are collected from all systems. Logging and alert data are stored in a Security Information and Event Management (SIEM) solution whenever possible. The log entries are in line with industry standards for audit trails. TREND maintains system logs for two years and application logs for six years.

System security, performance, and availability monitoring tools are configured to alert support personnel of any anomalies so that they can quickly respond and mitigate findings.

Application Security and Code Updates

TREND uses a Continuous Integration / Continuous Delivery (CI/CD) pipeline for managing code deployments.

Code changes are peer reviewed, approved by separate QA staff, and tested in a staging environment before they are pushed into production.

Testing includes unit, integration, and regression tests, using a combination of manual and automated processes. The staging and production environments are logically separated, and no data is shared between them.

Code reviews include evaluation against project standards, practices, and security considerations including OWASP Top Ten best practices.

All software development and testing staff are required to complete OWASP Top 10 Security Risks training annually.

Web application vulnerability scans are performed monthly, and third-party application penetration tests are performed annually. Any findings from these tests are documented, reviewed, and resolved in order of criticality.

Vulnerability Management

TREND regularly monitors vulnerability warnings from manufacturers, regulators, and industry sources and routinely scans all internal and external systems and networking devices for new vulnerabilities and required patches. Patches that are considered critical will be deployed on all applicable systems within thirty (30) days of their official release and, where appropriate and possible, only after thorough testing has verified that the patches will not disrupt business operations. All other security patches will be applied to appropriate systems within ninety (90) days of release.

Last Review Date

This policy was last updated September 5, 2024.