To conform with the highest security standards, Hixny complies with HITRUST’s Common Security Framework (CSF) and its Comprehensive Security Assessment. HITRUST certification is a robust, two-year certification that requires an interim-year assessment. As such, we are obligated to continuously maintain all of the controls mandated by the CSF.


2018  Hixny’s system successfully meets the requirements of HITRUST CSF® certification on Version 9.1 for patient information security.

2019  Hixny successfully completes its interim-year certification.

2020  Hixny’s system achieves HITRUST CSF recertification.


Significance of HITRUST CSF Certification

Achieving HITRUST CSF certification indicates that Hixny meets the highest established security standards—including those set by HIPAA and the Centers for Medicare and Medicaid Services (CMS)—and makes the protection of private data a top priority. It helps demonstrate why patients and providers alike can trust us to protect privacy and keep records secure.


HITRUST Controls

The baseline requirements for achieving HITRUST CSF certification are robust, yet Hixny chose to pursue—and achieved—the more rigorous goal of meeting all applicable CSF controls. By implementing these controls comprehensively, we demonstrate a commitment to mitigating those threats and exposures that are most likely to result in a breach.

Through HITRUST, organizations may also choose to include additional controls in its certification process, and we have chosen the following:

Minimum Acceptable Risk Standards for Exchanges (MARS-E)

Established by CMS as part of the Affordable Care Act to set stringent security criteria for health insurance exchanges— like the New York State of Health—to protect personal identifying information (PII), personal health information (PHI) and federal tax information. Meeting these higher standards established Hixny among the most secure HIEs in the nation.

NYS Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500)

Ultimately, the certification of Hixny’s system requires demonstrating proper policy and procedure documentation for, and adequate implementation of, well over 850 controls across the following 19 security domains:

  • Information Protection
  • Endpoint Protection
  • Portable Media Security
  • Mobile Device Security
  • Wireless Security
  • Configuration Management
  • Vulnerability Management
  • Network Protection
  • Transmission Protection
  • Password Management
  • Access Control
  • Audit Logging and Monitoring
  • Education, Awareness, and Training
  • Third Party Assurance
  • Incident Management
  • Business Continuity and Disaster Recovery
  • Risk Management
  • Physical and Environmental Security
  • Data Protection and Privacy

Additional Security Measures

In addition to HITRUST CSF certification, Hixny monitors, audits and assesses our own network, processes and employees—both internally and through third-party security experts with whom we partner. These additional measures are taken to ensure continued awareness at all levels of the organization and secure Hixny from outside threats.


Security Assessment Requests

Our HITRUST certification is robust and covers or exceeds what is required by third-party security assessments. However, if your organization would like Hixny to complete a security assessment for you or your third-party vendor, you may contact us. These assessments are subject to a per-hour fee, which we will discuss directly with you or your vendor.


Questions and Concerns



Hixny will be performing extended maintenance beginning Thursday, December 31 through Friday, January 1. During this time, all services
will be impacted and unavailable—including access to the provider portal.
The annual SHIN-NY survey is live!

If you receive an invitation from, please take a few minutes to respond—
your input makes it possible for us to continue improving.