CSS understands the importance of information security and respondent confidentiality.

Healthcare consumers need to know that the organizations entrusted with their personal information will treat that data with the utmost care. In working with leading healthcare organizations serving millions of health plan members and patients, CSS understands the importance of information security and respondent confidentiality, and allocates the appropriate resources to ensure data is always protected.

CSS implements industry best practices to provide the best protection and confidentiality for all data and software systems. CSS incorporates into our work the controls and procedures within the policies defined by CSS's IT team, state and federal regulations, and our contractual obligations. Our organization adheres to the professional ethics standards stated in the CASRO Code of Standards and Ethics for Survey Research to protect the confidentiality and privacy of research participants. We also enter into HIPAA-compliant business agreements with all data sources and provide assurances that all submitted data will be securely handled.

CSS undergoes an annual SSAE 16 SOC 2 Type 2 review, during which our privacy and security policies, our data management systems, and our IT infrastructure are tested by an independent external auditor. A report of our annual review is available upon request. Our organization implements comprehensive security controls, including:

  • Mandatory annual data security training for all CSS employees;
  • Mandatory background checks and confidentiality agreements for all CSS employees;
  • Limiting access to office facilities and equipment to employees only;
  • Regular third-party security and vulnerability scans;
  • System logging and monitoring;
  • Disaster recovery plans, which are tested regularly;
  • Automatic tracking of data transmissions;
  • Secure, encrypted storage and transmission of all sensitive data; and
  • Managed access rights.

Additional steps taken by CSS to protect patient confidentiality include the following:

All of our policies for data security adhere to HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH) regulations. CSS adheres to the Minimum Necessary Requirement standard of the HIPAA Privacy Rule when implementing survey projects and protects confidentiality by separating personally identifiable information (PII) from survey responses. Specific policies and procedures are available upon request.