Payment Card Industry (PCI) Compliance
- Plum has achieved Level 1 compliance with Payment Card Industry Data Security Standards (PCI DSS).
- Plum’s Level 1 compliance designation is certified by an approved Qualified Security Assessor (QSA).
- Our systems are scanned externally by an Approved Scanning Vendor (ASV) every 90 days to ensure there are no vulnerabilities.
- Our systems are also subjected to an external network penetration scan to ensure that access is not easily allowed into the secure environment.
- Only a specific set of authorized Plum employees have access to Plum’s secure environment.
- Our QSA has verified that any PCI data entering Plum’s secure hosting environment was handled securely.
- Our QSA also verified that firewalls and systems were secure and that only authorized individuals for Plum had access to the secure hosting environment.
- Plum’s services and products operate in class A data center facilities that maintain the physical security of the systems and network equipment of its secure cloud environment. The facility requires bioscan (fingerprint) verification along with a physical badge to gain access.
- Plum also has an Incident Response Team to respond to any emergencies or disasters should one occur.
SOC 2 Compliance
- Plum complied with AT101 standards for the security, availability, and processing integrity principles of Trust Services Principles (TSP) section 100.
- Plum also underwent testing by an external auditor to examine the suitability of the design and operating effectiveness of Plum’s internal policies and procedures for security, availability, and processing integrity.
- There is no electronic protected health information (ePHI) stored within our secure cloud environment. All ePHI that we transmit as a result of delivering our IVR services within our secure cloud environment is treated as confidential and private.
- Access to network equipment and systems within our secure cloud environment is provided only to authorized Plum employees within our operations team. These systems and network devices can be accessed only via two-factor authentication.
- Plum does not share any patient or provider information with any of our vendors, clients, partners, contractors, or temporary or part-time employees.
- Plum has a designated Information Security Officer. Our Information Security Officer has the responsibility for the development and implementation of Plum’s information security policies, procedures, and technology.
- Plum has established secure audit logging and tracking mechanisms that document any access to the secure cloud environment.
- Plum has established training programs focused on privacy policies to inform employees on the handling of electronic protected health information data as required by HIPAA protocols.
Notice of Privacy
Under HIPAA, Plum is not a “Covered Entity” but rather a “Business Associate”, and it does not store any Protected Health Information (PHI) within its secure environment. Therefore, because of this operating model, Plum does not retain the ability to disclose any PHI to individuals.