NACOR^® + ACR Security FAQs

Q: What product(s) are being covered?

A: National Anesthesia Clinical Outcomes Registry (NACOR) from the Anesthesia Quality Institute (AQI)

• NACOR Quality Capture Application (Optional data acquisition tool used by clinicians)
• NACOR Patient Experience Survey (Optional tool used by anesthesia practices and departments to capture feedback from patients)
• NACOR Anesthesia Community Registry (ACR) is NOT covered by this page. The ACR is sold by AQI in partnership with Epic and is a feature of Epic, operated independently of AQI. Questions about the security of the ACR should be directed to your Epic anesthesia team.

Q: What third-party validated security certifications cover NACOR?

A: NACOR today has a SOC 2, type 2 certification through its hosting provider.  For information about NACOR’s current SOC2 compliance, contact [email protected].  NACOR is being redesigned and will be self-hosted by AQI on the Microsoft Azure Fabric environment starting in January 2027.

• The redesigned NACOR is currently undergoing SOC 2 certification with Meditology as it is being developed with a projected timeline of SOC 2 Type 1 in the fall of 2026 and SOC 2 Type 2 in spring of 2027.  
• The NACOR SOC 2 certification will address NACOR controls and all environments that process, transmit, access, or store the client’s data in NACOR.

Q: What types of client data will NACOR access, receive, transmit, process or store?

NACOR and (optional) NACOR Quality Capture App

A: Similar to the current NACOR platform, the new NACOR Quality Capture App (QCA) will access, receive, process, transmit and store client’s Protected Health Information in a Limited Data Set as defined under HIPAA.

• Data is deidentified for the patient except for the following data elements (date of birth, age, patient sex, patient city, state, zip code, and date of service). In the redesigned NACOR, a hashed (one-way encryption) identifier will be included for patients for the purpose of longitudinal assessments across anesthesia encounters over time.
• Identifiable data for the provider includes NPI number.
• Identifiable information for the facility may include NPI number.

(Optional) NACOR Patient Experience Survey

• The new NACOR Patient Experience Survey (PES) will access, receive, process, transmit, and store client’s Protected Health Information as defined under HIPAA.

• Data is identified for the patient using name, phone number, email address, encounter ID, age, sex, and date of service. A hashed (one-way encryption) identifier is included for patients for the purpose of longitudinal assessments across anesthesia encounters over time.
• Identifiable data for the provider includes NPI number.
• Identifiable information for the facility may include NPI number and facility name.

• NACOR data is encrypted in transit and at rest.
• NACOR does not receive, store, process, access, or transmit client's PII, Employee Information, Internal/Proprietary Information or PCI information.
• Participation in NACOR requires execution of a Business Associate Agreement (BAA) between the organization that owns the data and AQI.

Q: Does the NACOR environment utilize client data or the client’s on-premises environment?

A: The NACOR environment does not include any on-customer-premises devices, systems, software or OS.

• NACOR is a completely hosted data registry with an application for administration and viewing dashboards.
• The (optional) NACOR Quality Capture Application is a hosted application.
• The (optional) NACOR Patient Experience Application is a hosted application.
• The Anesthesia Community Registry is provided by Epic within the Epic environment.

• The NACOR environment receives, stores, processes, transmits and allows access to client data in AQI’s hosted Microsoft Azure environment and the NACOR online application. Specifically, claims and quality data will be transmitted to NACOR via one of three methods. Once received, NACOR processes will translate and populate the NACOR data warehouse and perform measure calculations. Results will be available in the NACOR dashboards.

• Claims and Quality data may be collected via a third party billing company or application and transmitted to NACOR via secure FTP.
• Quality data is be transmitted from the (optional) NACOR Quality Capture Application to the NACOR registry via dedicated direct data integration process on a scheduled basis
• Quality and billing data is (optionally) extracted by Epic and stored in the Anesthesia Community Registry (ACR) and subsequently extracted into the NACOR registry via a dedicated data integration process on a scheduled basis.

• NACOR does not receive, process, transmit, store or access any of this client's data outside of the United States.

Q: Does NACOR provide remote access or require access to a client’s network?

A: NACOR does not provide remote access that connects any part of its infrastructure and/or endpoints to the client’s network or data (e.g., VPN).

• NACOR does not require onsite access to the client that allows connecting AQI-controlled systems or endpoints to assets on the client's network.
• NACOR can establish IP whitelists to limit user access to the client’s data within approved locations.

Q: Does AQI or NACOR have a physical environment with on-premises systems?

A: AQI has two physical office location(s) in which employees work, and its physical network infrastructure is managed by the American Society of Anesthesiologists (ASA), solely for the purpose of accessing cloud services. No NACOR or AQI operational services or physical server/data storage infrastructure are operated at AQI physical office locations. NACOR and AQI have an entirely virtual infrastructure (cloud hosted servers, applications, domains, etc. only).

Q: Does AQI maintain any operations or perform any services outside of the United States?

A: No.

Q: Does AQI have any Fourth Party Disclosures relating to NACOR?

A: AQI utilizes three third-party vendors or sub-contractors (fourth parties to your customer) in the build or delivery of NACOR: Microsoft for hosting and Proximo and DataFlip for development.

Q: Does AQI maintain a formal secure Software Development Life Cycle (SDLC) process that includes secure software design practices?

A: NACOR development is currently outsourced. The development of the redesigned NACOR, the new NACOR Quality Capture App and the new NACOR Patient Experience Survey are being performed by ASA/AQI personnel, and two external software development vendors. All organizations attest to following formal secure SDLC processes.

Q: Does your product undergo routine secure code scanning and remediation consistent with the processes established in your Secure SDLC?

A: Yes. The redesigned NACOR, new NACOR Quality Capture App, and the new NACOR Patient Experience Survey will, prior to release. 

Q: What authentication measures are designed into NACOR?

A: AQI maintains customer-facing documentation that contains instructions for NACOR security settings and configurations upon implementation. Secure FTP instructions are provided for transfer of XML data files. With the redesign of NACOR, AQI is developing documentation on assigning security roles within NACOR that governs who at the client site has access to NACOR dashboards. This documentation will be completed when the redesign NACOR is available for full production release in January 2027.

• NACOR audit logs are generated at each stage of data processing: when data is received from the customer, processed into the database, when measures are calculated and each time data is manipulated. The system generates logs for the change containing the user or process and timestamp when the change was made.
• NACOR supports role-based account management and access controls (RBAC) and audit logs are generated whenever a security role is added, changed or removed.
• NACOR will not support federated identity (Active Directory, LDAP, SAML, Single Sign On, etc.) with other AQI or ASA services except for the optional NACOR Quality Capture Application and Patient Experience Survey management portal, which will use the same NACOR login credentials.

• NACOR encrypts data in transit.

• Any XML Data submitted to AQI for NACOR is transmitted via secure FTP.
• The optional Quality Capture Application transmits data to NACOR via a dedicated integration process over an encrypted connection to AQI Microsoft Azure environment over HTTPS.
• The optional Patient Experience Survey transmits data to NACOR via a dedicated integration process over an encrypted connection to AQI Microsoft Azure environment over HTTPS.
• All NACOR applications require HTTPS connections.
• Data is extracted into NACOR from the optional Anesthesia Community Registry via a dedicated integration process via an encrypted connection over a private VPN tunnel to Epic’s Microsoft Azure environment.

• NACOR applications encrypt data at rest and are hosted in HIPAA compliant MS Azure environment. Further, patient identifiers for longitudinal assessment of anesthesia encounters are stored as one-way hashes.

NACOR and Quality Capture Application

• NACOR and the NACOR Quality Capture Application require multi-factor authentication for all users that access the online applications and has the following password requirements:

• Must contain at least three of the four:
  • Contain at least 1 uppercase character (A-Z)
  • Contain at least 1 lowercase character (a-z)
  • Contain at least 1 base 10 digit (0 through 9)
  • Contain at least 1 non-alphabetic characters (for example, !, $, #, %)

• Additionally, the following password requirements are being explored as part of the NACOR design.

• The password cannot be a password used previously
• The password will not contain the parts of the user id or parts of the full name that exceed two consecutive characters
• There should be a maximum password length that is not less than 64 characters
• There should be a minimum password length of 16 characters
• The password must be checked against a list of commonly used or breached passwords.

• NACOR online application will have a Smart Lockout mechanism to detect suspicious activity.
• NACOR supports an account lockout feature for secure FTP that will lock an FTP account after 5 failed attempts.

NACOR Patient Experience Survey

• Patients using the NACOR Patient Experience Survey (PES) will not require patients to login. Patients will have direct links to their Patient Experience survey. Opinionable APD administrators could require the date of service for validation.
• Administrators access the NACOR Patient Experience Survey using their NACOR login.

Anesthesia Community Registry

• The Anesthesia Community is authenticated through Epic and not covered in the scope of this document.
• Secure FTP connections will require cryptographic keys to connect.
• Secure FTP services, MS Azure environment, and Power BI reports used in the NACOR dashboards all receive automatic security and patch updates for their respective environments. The cloud environment in which NACOR resides is being built considering cloud security best practices.

Q: Does AQI perform external and internal penetration tests on its network and the NACOR application?

A: ASA and AQI perform external and internal penetration tests on the corporate network (e.g., systems, applications, users, access controls, networks, or architecture that supports business operations outside of the products directly provided to customers) annually and has done so within the past 365 days.

• AQI has not yet performed penetration tests on the redesigned NACOR to be offered to pilot customers for testing in Q3 2026. As part of the in-process pursuit of SOC 2 compliance, penetration testing is scheduled to be performed, and any required remediations completed, when the beta version is completed and before clients can transmit, access, process or store client data on the redesigned NACOR as part of the NACOR pilot program.

Q: Does AQI have an incident response plan for NACOR that is tested?

A: NACOR’s current hosting provider, Provation, has an incident response plan and a disaster recovery plan for NACOR, both of which are tested annually. As part of its pursuit of SOC 2 compliance, AQI is developing an incident response plan and a disaster recovery plan for NACOR, and both will be tested annually.

Q: Does AQI have a dedicated security leader?

A: The ASA Senior Manager of Infrastructure and Security is designated as the Information Security Officer for ASA, AQI, and NACOR.

Q: Does AQI have a third-party risk management program for NACOR?

A: NACOR’s hosting provider currently maintains a program to manage NACOR’s Vendor Security Risk Management (VSRM) or Third-Party Risk Management (TPRM). As part of its pursuit of SOC 2 compliance, AQI is developing and will maintain a program to manage NACOR’s Vendor Security Risk Management (VSRM) or Third-Party Risk Management (TPRM).

Q: Do AQI employees receive cybersecurity training?

A: All AQI and ASA employees receive continuous cybersecurity training and regular phishing tests. In addition, all AQI and ASA employees with access to client data in NACOR receive annual HIPAA business and security training.

• Any contractors and vendors that work on NACOR or have access to client data are required to have annual cybersecurity training and HIPAA business and security training.

Q: Does AQI have cyber liability insurance that covers NACOR?

A: NACOR’s current hosting provider maintains active cyber liability insurance that covers cyber threats or breaches involving computer systems and data. In addition, ASA maintains active cyber liability insurance that covers AQI. In January 2027, ASA will assume full coverage when the redesigned NACOR is operating fully in-house.

Q: Has AQI experienced a publicly reported breach within the last 6 months?

A: No.