Our Privacy + Security Practices Lead the Industry

Hixny sets the bar for privacy and security compliance in the exchange of health information. Take a look at our certifications and see how you can report or obtain regulated information.

Federal and New York State Compliance

Hixny complies with federal and state laws, rules, and regulations governing the exchange of medical information, as well as voluntary, specialized, and accreditation/certification standards such as:

  • The HIPAA Privacy Rule
  • The HIPAA Security Rule
  • The HIPAA Breach Notification Rule
  • 42 CFR Part 2
  • DirectTrust’s Privacy and Security Framework
  • The NYS OHIP System Security Plan (SSP) Moderate Plus Impact Controls
  • HITRUST’s Common Security Framework (CSF)
  • 10 NYCRR Part 300
  • The Privacy and Security Policies and Procedures for Qualified Entities and their Participants in New York State under 10 NYCRR § 300.3(b)(1)
  • NYS Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500)
  • NYS SHIELD Act

Self-Developer Transparency

The Office of the National Coordinator for Health Information Technology requires us to provide the following disclosure regarding DIRECT messaging through the Hixny HISP:

  • Developer Name: Hixny
  • Product Name: Hixny HISP
  • Product Version: 1.0
  • Certification ID: 15.07.05.3020.HIXN.01.02.1.230227
  • Certification Date: February 27, 2023
  • Criteria certified:
    • 170.315 (d)(1): Authentication, Access Control, Authorization
    • 170.315 (d)(2): Auditable Events and Tamper-Resistance
    • 170.315 (d)(3): Audit Report(s)
    • 170.315 (d)(5): Automatic Access Time-out
    • 170.315 (d)(6): Emergency Access
    • 170.315 (d)(7): End-User Device Encryption
    • 170.315 (d)(8): Integrity
    • 170.315 (d)(12): Encrypt authentication credentials
    • 170.315 (d)(13): Multi-factor authentication
    • 170.315 (g)(4): Quality Management System
    • 170.315 (g)(5): Accessibility-Centered Design
    • 170.315 (h)(2): Direct Project, Edge Protocol and XDR/XDM
  • Clinical Quality Measures certified: 0
  • Automated Numerator Recording certified: 0
  • Automated Measure Calculation certified: 0
  • Additional software required for certification: Microsoft Windows TCP/SMTP, Direct Project, InterSystems HealthShare, Microsoft Exchange
  • Additional Costs: None

Disclaimer: This Health IT Module is compliant with the ONC Certification Criteria for Health IT and has been certified by an ONC-ACB in accordance with the applicable certification criteria adopted by the Secretary of Health and Human Services. This certification does not represent an endorsement by the U.S. Department of Health and Human Services.

HITRUST

In 2018, Hixny became one of the first organizations of our kind to pursue and achieve certification from the Health Information Trust Alliance (HITRUST) for implementing the Common Security Framework (CSF).

HITRUST CSF certification indicates that Hixny meets the highest security standards—including those set by HIPAA and the Centers for Medicare and Medicaid Services (CMS)—in maintaining the confidentiality, integrity and availability of personal health information (PHI) and other private data.

HITRUST CSF Certifications

HITRUST certification is a robust, two-year certification that requires an interim-year assessment.

  • 2018: Hixny achieved HITRUST CSF® certification on Version 9.1 for patient information security
  • 2019: Hixny attained interim-year certification
  • 2020: Hixny achieved HITRUST CSF recertification
  • 2021: Hixny attained interim-year certification
  • 2022: Hixny achieved HITRUST CSF recertification
  • 2023: Hixny attained interim-year certification
  • 2024: Hixny attained HITRUST CSF r2 certification

OHIP Moderate-Plus Security Controls

Hixny also adheres to the Office of Health Insurance Programs (OHIP) System Security Plan (SSP) Moderate-Plus Impact Level Controls. This standard is documented in a System Overview and 18 security control families set forth in CMS ARS and NIST 800-53.

OHIP introduced this baseline incorporating security elements from:

  • Centers for Medicare and Medicaid Services (CMS) Acceptable Risk Safeguards (ARS)
  • National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, implemented at the Moderate level
  • New York State Policies and Standards

Request or Report Compliance Information

From time to time, members of our healthcare community may have reason to ask questions about Hixny’s privacy and security compliance practices, to report concerns, or to review records.

For example, Hixny is required to maintain continuous audit records of user activity to ensure proper emergency access to patient records (Break the Glass requests) and individual facility adherence to record-keeping standards for patient consent.

Compliance Requests and Reviews

Hixny will not share your information except as may be legally required.