Compliance & Security

Credentials Examiners Expect

Audit evidence for the frameworks your examiners actually inspect.

The Stack

Frameworks Covered

Each certification is independently audited and renewed annually. Reports and documentation are available to clients and their examiners on request.

Independently Audited Certifications

Renewed annually. Reports available on request.
HITRUST Attested

The recognized healthcare control framework. The standard payers, providers, and RCM outsourcers increasingly require under the HIPAA Security Rule NPRM. Operationalized across production, not just policy.

SOC 1 Type II

Validates that our financial reporting controls operate effectively over time. Required by financial-institution (FI) clients whose external auditors need assurance that outsourced communication processes won't introduce misstatement risk.

SOC 2 Type II

Security, availability, processing integrity, confidentiality, and privacy. The full Trust Services Criteria, audited continuously and renewed annually.

ISO 27001

The international ISMS standard. Risk assessment, control selection, and continuous improvement applied across every information asset IMS touches.

PCI DSS Level 1

The highest PCI tier, required for the volumes of cardholder data flowing through statements, billing, and payment-related communications. Annual on-site audit, not self-assessment.

FSC Certified

Forest Stewardship Council certification for responsible paper sourcing. Built into ESG reporting and procurement standards for sustainability-minded buyers.

Regulatory Frameworks We Operate Under

Aligned controls, mapped to current rules, evidenced on request.
HIPAA + Signed BAA

Full HIPAA compliance with a signed BAA on every healthcare engagement. Administrative, physical, and technical safeguards protect PHI at every step of the communication lifecycle.

FISMA / NIST 800-53

Federal-grade information security controls. Aligned for federal agencies, federally funded healthcare, and state programs that require a NIST-mapped vendor posture.

MARS-E

CMS Minimum Acceptable Risk Standards for Exchanges. Required for Medicaid, CHIP, and ACA marketplace communication workloads. One operator, end-to-end.

GDPR

Lawful basis, data subject rights, and processor obligations supported for regulated organizations with EU data subjects in their member, patient, or policyholder populations.

Memberships

Active participation in the cyber-defense community.
IT-ISAC Member

Member of the IT Information Sharing & Analysis Center (April 2025). Federal-grade threat intelligence, sector-coordinated response, and active participation in the cyber-defense community.

Beyond the checklist.

Defense in Depth

HITRUST in Practice

Frameworks describe what should be in place. This is what is. Forty years of operating evidence, modernized continuously, unbroken by a breach event.

Physical Security

Separated production sites under hardened physical controls, surveillance, and chain-of-custody documentation. Sensitive material is tracked from data intake to envelope insertion to USPS handoff.

  • Restricted production zones with badge-controlled access and continuous video coverage
  • Tamper-evident packaging and controlled-release workflows for high-sensitivity outbound mail
  • Document-level chain of custody from intake through production through delivery
  • Secure document destruction with attested disposal records
  • Physical control evidence ready for examiner walkthroughs and customer audits

Data Security

Defense-in-depth across endpoint, network, identity, and data layers. EDR and XDR on every endpoint including legacy production, zero-trust NAC for device verification, and segregated networks for processing and printing.

  • Encryption at rest and in transit across every workflow: print, portal, omnichannel, and DR
  • EDR + XDR on every endpoint, including legacy production hardware most peers leave unprotected
  • Segregated networks separate processing from printing, with verified-device-only access
  • Redundant infrastructure with automatic failover. Operations don't pause when something fails
  • Continuous auditing, identity-based wireless, and real-time threat detection feeding incident response

People & Training

People Hold the Controls

New Hire

  • Standard Operating Procedures walkthrough before production access
  • Department-specific training mapped to each role's handling of sensitive data
  • Background checks and access provisioning gated by manager approval

Ongoing

  • Security awareness training, refreshed and recorded for each employee
  • Insider-threat curriculum and role-based security training kept current
  • Department- and customer-specific refreshers when controls or scope change

By Vertical

One Compliance Footprint

The structural reason consolidating to IMS lowers audit overhead instead of raising it.

Framework Healthcare Financial Services Insurance Government
HIPAA + BAA -
HITRUST
SOC 1 Type II
SOC 2 Type II
ISO 27001
PCI DSS Level 1
FISMA / NIST 800-53 - -
MARS-E -
GDPR
FSC
IT-ISAC Member

Incident Posture

Incident-Ready

Our incident-response posture has never been needed for a real breach event. It has been tested, audited, and continuously improved. Examiners ask about both.

1. Detection

SIEM-fed monitoring, EDR on every endpoint, encrypted-traffic inspection, and IT-ISAC threat intelligence. Visibility beyond what frameworks require.

2. Containment

Zero-trust NAC, segmented production networks, and verified-device policies limit blast radius automatically. The controls that turn an incident into a non-event.

3. Notification

Documented client-notification procedures, BAA-driven HIPAA reporting, and per-industry regulator playbooks. Your notification SLA is on paper before anything happens, not improvised after.

4. Recovery & Review

Disaster Recovery failover, audit-grade post-incident review, and lessons fed back into the control set. The same loop that has kept the operating record clean for forty years.

Audit-Ready, On Request

Request the compliance brief.

Reports, attestations, and per-framework control descriptions, available under NDA to qualified buyers, examiners, and risk teams. A thirty-minute conversation instead of a thirty-page RFP.
