Information Security

Protecting Our Greatest Asset

The confidentiality, integrity, and availability of our customers’ data is the focus of our security program.
Security and Privacy Overview
As a leading provider of data and analytics technologies and services, Health Catalyst has an unwavering commitment to deliver the highest level of information security and data privacy to its clients. With safeguards that meet rigorous privacy certification standards, clients can rest assured that the confidentiality, integrity, and availability of their nonpublic information is protected.
Health Insurance Portability and Accountability Act (HIPAA)
Health Catalyst adheres to the regulatory framework of the Health Insurance Portability and Accountability Act (HIPAA), with adequate measures for saving, accessing, and sharing individual medical and personal information.
National Institute of Standards (NIST)
Our cybersecurity approach builds its foundation on the National Institute of Standards (NIST) Cybersecurity Framework (CSF), a cybersecurity infrastructure focused on preventing, detecting, and managing any security threat or risk.
Center for Internet Security
Health Catalyst operational standards are based upon CIS baselines and benchmarks that provide global standards for cybersecurity.
Health Catalyst Recognized as Cybersecurity Transparent Leader at ViVE 2023
Health Catalyst was recognized by Censinet and KLAS as one of twenty healthcare vendors who have achieved and sustained their KLAS Cybersecurity Transparent designation.
Current Third-Party Audits and Certifications
SOC 2 Type II
The Health Catalyst SOC 2 Type II report is an independent assessment of our control environment performed by a third party. The SOC 2 report is based on the AICPA’s Trust Services Criteria and is issued annually in accordance with the AICPA’s AT Section 101 (Attest Engagements). Health Catalyst’s 2024 reports cover the following periods:
  • Platforms (DOS, Ignite Data and Analytics Platform, KPI Ninja, and Interoperability) — July 1, 2023 to May 1, 2024
  • Applications (Embedded, Twistle, MeasureAble) — July 1, 2023 to May 1, 2024
  • Vitalware — June 1, 2023 to May 1, 2024
  • ARMUS — July 1, 2024 to June 30, 2025
Each covers a 12+ month period and details the design and operating effectiveness of controls relevant to any covered environments containing customer data as part of Health Catalyst’s offerings to its customers. All Health Catalyst SOC 2 reports address three of the five Trust Services Criteria (Security, Availability, Confidentiality).
SOC 3
The American Institute of Certified Public Accountants (AICPA) has developed the Service Organization Control (SOC 3) framework for safeguarding the confidentiality and privacy of information that is stored and processed in the cloud. The Health Catalyst SOC 3 report, an independent assessment of our control environment performed by a third party, is publicly available and provides a summary of our control environment relevant to the security, availability, and confidentiality of customer data. Follow the below links to access our available SOC 3 reports.
HITRUST CSF ®
HITRUST® leverages nationally and internationally accepted standards, including ISO, NIST, PCI and HIPAA, to ensure a comprehensive set of baseline security controls. Health Catalyst maintains HITRUST CSF® Certification across three of its business unit products and platforms. The applicable platforms and supporting architecture included and the applicable HITRUST framework versions certified are:
  • Health Catalyst Applications (HITRUST CSF r2 v9.x certified on 8/13/2024): Population Health Management, Patient Engagement, Clinical Quality, Patient Safety, Cost Management and Revenue Cycle Management (inclusive of Embedded).
  • Health Catalyst Platforms (HITRUST CSF r2 v9.x certified on 8/23/2024): DOS, Ignite Data, and Health Information Exchange Platforms: Interoperability and KPI Ninja.
  • Twistle by Health Catalyst (HITRUST CSF r2 v9.x on 5/23/2023)
  • Lumeon by Health Catalyst (HITRUST CSF r2 v11.x on 6/27/2025)
  • Upfront Healthcare (Emerald) (HITRUST CSF r2 v11.x on 12/20/2024)
  • Upfront Healthcare (Ruby) (HITRUST CSF e1 v11.x on 8/6/2025)
ISO 27001 / ISO 9001
Lumeon by Health Catalyst maintains ISO 27001 and ISO 9001 certification across its UK-based platform and supporting architecture.
Texas Department of Information Resources
The Texas Risk and Authorization Management Program provides a standardized approach for security assessment, certification, and continuous monitoring of cloud computing services that process the data of Texas state agencies.
Level 2 Certification for the following:
KLAS
KLAS presents a high-level overview of Censinet’s more-detailed risk assessments. This information should not replace a more thorough provider-conducted cybersecurity risk preparedness process. KLAS has invited all vendors, at no cost, to complete a full cybersecurity preparedness evaluation with Censinet, a KLAS partner specializing in risk management, assessment, and operations across the healthcare IT industry.

Visit the KLAS report to see a full breakdown.
“Health Catalyst has implemented best-practice data security and privacy standards to provide our clients with the highest information privacy, security, and compliance.”
- Kevin Scharnhorst, CISSP, CISM, CPHIMS, Chief Information Security Officer