If data transmitted between your enrollment system and Selerix BenSelect contains Personally Identifiable Information (PII) with Protected Health Information (PHI), Selerix and its partners are required by law to maintain compliance with the Health Insurance Portability and Accountability Act (HIPAA) or risk non-compliance penalties. Data such as an applicant's Social Security Number, driver's license number, and medical and financial information must be transmitted securely to protect individual privacy. To that end, Selerix requires that applicants be securely authenticated and identified and that data transmissions be encrypted using strong encryption methodologies.
Depending on the path you take to integrate with BenSelect, Selerix will use some combination of these technologies to guarantee that data transmissions are secure:
- Secure Hypertext Transfer Protocol (HTTPS) to transmit encrypted SOAP messages:
  - HTTP Strict Transport Security (HSTS) policy enforced
  - Private key certificates held only by the owner/originator
- X.509 Public Key Infrastructure (PKI) to manage the public key certificates used by the Transport Layer Security protocol (TLS v1.1 or v2.0). These are signed, public key certificates used by both parties for data encryption. They are bound to X.509 and are used for message-level signing and encryption and for back channel exchanges over TLS.
- Security Assertion Markup Language (SAML) v1.1 strictly to launch a BenSelect enrollment via Single Sign-on (SSO) only when applicant data is not included in the SAML message envelope.
- Security Assertion Markup Language (SAML) v2.0 is required to launch a BenSelect enrollment via Single Sign-on when data is included in the SAML envelope. This is the preferred approach in general, since SAML v2.0 includes support for XML encryption, which adds an additional layer of security.
- Secure Sockets Layer (SSL) to establish an encrypted link between the browser and the server and to ensure privacy during payload transmissions
- Selerix employs additional techniques to further obfuscate web communications, such as an unpublished partner-specific URL and group identifiers that must be known before group access is allowed.
Refer to the Enrollment Integration Quick Start section for information about acquiring an unpublished URL and steps required to register your private security key with Selerix.
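The SAML version rule in the list above (v1.1 only when no applicant data is included, v2.0 required when it is) can be checked before an SSO message leaves your enrollment system. The following is an added example, not Selerix code; it assumes applicant data travels in a SAML `AttributeStatement`, and the function name and sample messages are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS11 = "urn:oasis:names:tc:SAML:1.0:assertion"  # namespace shared by SAML 1.0 and 1.1
NS20 = "urn:oasis:names:tc:SAML:2.0:assertion"

def check_sso_message(xml_text):
    """Return (version, carries_data, allowed) for an SSO message generated by
    your own system. Not a validator for untrusted XML: no signature checks."""
    root = ET.fromstring(xml_text)
    tags = {el.tag for el in root.iter()}
    has11 = any(t.startswith("{%s}" % NS11) for t in tags)
    has20 = any(t.startswith("{%s}" % NS20) for t in tags)
    if has11 == has20:
        raise ValueError("expected assertions from exactly one SAML version")
    if has20:
        version = "2.0"
        # Encrypted content is opaque here, so count it as carrying data.
        names = ("AttributeStatement", "EncryptedAssertion", "EncryptedAttribute")
        carries_data = any("{%s}%s" % (NS20, n) in tags for n in names)
    else:
        # SAML 1.x states its version in attributes on the Assertion element.
        assertion = next(root.iter("{%s}Assertion" % NS11), None)
        if assertion is None:
            raise ValueError("SAML 1.x message without an Assertion element")
        version = "%s.%s" % (assertion.get("MajorVersion"),
                             assertion.get("MinorVersion"))
        carries_data = "{%s}AttributeStatement" % NS11 in tags
    # Rule from the list above: v1.1 only without applicant data, v2.0 with data.
    allowed = version == "2.0" or (version == "1.1" and not carries_data)
    return version, carries_data, allowed

# Constructed sample messages (assumption: data is sent as an AttributeStatement).
_A11 = '<Assertion xmlns="%s" MajorVersion="1" MinorVersion="1">%%s</Assertion>' % NS11
SAML11_LAUNCH_ONLY = _A11 % "<AuthenticationStatement/>"
SAML11_WITH_DATA = _A11 % (
    '<AttributeStatement><Attribute AttributeName="EmployeeID"/></AttributeStatement>')
SAML20_WITH_DATA = (
    '<Assertion xmlns="%s" Version="2.0"><AttributeStatement>'
    '<Attribute Name="EmployeeID"/></AttributeStatement></Assertion>' % NS20)

if __name__ == "__main__":
    for name in ("SAML11_LAUNCH_ONLY", "SAML11_WITH_DATA", "SAML20_WITH_DATA"):
        print(name, check_sso_message(globals()[name]))
```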