Compliance
Meeting the highest standards of regulatory compliance
HealthPriceWatch is built to help hospitals maintain compliance with CMS price transparency regulations. We also hold ourselves to the highest compliance standards for data security, privacy, and industry regulations.
45 CFR 180.50 Compliance
Our monitoring system validates hospital pricing files against all requirements of the CMS Hospital Price Transparency final rule (45 CFR 180.50):
- ✓ Machine-Readable File Requirements: validates JSON format, schema, and required fields
- ✓ Standard Charge Data: verifies all required pricing data elements are present
- ✓ File Accessibility: ensures files are publicly accessible without barriers
- ✓ Update Frequency: monitors for required annual updates (at minimum)
- ✓ Metadata Requirements: validates hospital information and file metadata
Our validation logic is updated whenever CMS publishes new guidance or enforcement interpretations.
Data Security & Privacy Compliance
SOC 2 Type II (In Progress)
We are actively pursuing SOC 2 Type II certification, with expected completion in Q2 2026. This audit validates our controls for:
- Security - Protection against unauthorized access
- Availability - System uptime and reliability
- Processing Integrity - Accurate and complete processing
- Confidentiality - Protection of sensitive information
HIPAA Alignment
While HealthPriceWatch does not handle Protected Health Information (PHI) and is not a HIPAA covered entity, we implement HIPAA-aligned security controls as a best practice for healthcare data handling.
GDPR & CCPA Compliance
We comply with major privacy regulations:
- Right to access your data
- Right to data portability (export)
- Right to deletion ("right to be forgotten")
- Transparent privacy practices and notices
- Data processing agreements with subprocessors
- Limited data collection (privacy by design)
Industry Standards
OWASP Top 10
Our application is hardened against OWASP Top 10 security risks with regular vulnerability assessments and remediation.
PCI DSS
Payment processing is handled by Stripe (PCI DSS Level 1 certified). We never store credit card information.
ISO 27001 Alignment
Our information security management practices align with ISO 27001 standards and controls.
NIST Framework
Our security controls are based on the NIST Cybersecurity Framework for risk management and threat mitigation.
Ongoing Compliance Monitoring
We maintain compliance through:
- Quarterly third-party security assessments
- Annual penetration testing by certified ethical hackers
- Continuous vulnerability scanning and patch management
- Regular policy reviews and updates
- Employee security training (quarterly)
- Incident response drills and tabletop exercises
- Compliance monitoring of CMS guidance updates
Audit & Documentation
We maintain comprehensive documentation for compliance audits:
Security Policies
Complete security policy documentation covering access control, incident response, data protection, and business continuity.
Audit Logs
Detailed logs of all system access, data modifications, and administrative actions retained for 7 years.
Change Management
Documented procedures for system changes, deployments, and configuration updates with approval workflows.
Business Continuity
Disaster recovery and business continuity plans tested quarterly to ensure service resilience.
Third-Party Compliance
All third-party vendors are vetted for compliance:
| Vendor | Service | Certifications |
|---|---|---|
| Vercel | Application Hosting | SOC 2 Type II, ISO 27001 |
| Supabase | Database & Auth | SOC 2 Type II |
| Stripe | Payment Processing | PCI DSS Level 1 |
| Resend | Email Delivery | GDPR Compliant |
Compliance Resources
Questions About Compliance?
For compliance documentation requests or questions about our practices: