340B Administrator SOC Compliance – Wellpartner, Inc. (2024)

Today, most businesses rely on third party experts/service providers to deliver critical services to their core business. By outsourcing systems, platforms and data operations to service providers, client organizations can focus more on strategy, reduce costs, and leverage specialized expertise or application of industry best practices.

Selecting a third party vendor should not be taken lightly and necessitates a commitment in the discovery process to analyze internal needs and select a partner with the resources and processes in place to fully deliver on their requirements.

Unfortunately, many organizations stop at that point. How do you know if your service provider is doing what they outlined in a Statement of Work (SOW), Business Associate Agreement (BAA) or contract? How do you validate their internal (data, security and financial) controls on an ongoing basis? Many services are delivered in other regions of the country (or even other places on the globe), and the client organizations may never interact with most of the individual service organizations upon which they heavily rely.

Contracting with a third party sets in motion a relationship based on trust, since the contractor builds a dependency on its vendor. Thus, the same controls and operations that underlie the vendor’s provision of services correlate with the purchaser’s own results, and have broader impacts on other important factors, such as marketplace perception.

Thus it is important to assess and continually verify that third party service providers have the appropriate structure and controls in place to do the job and that they are in accordance with industry standards. How then can financial professionals, IT security experts or compliance professionals gain confidence that their service providers are, in fact, capable of delivering reliable results?

“Establishment of a Universally-Appropriate Measure to Assess if Third Party Service Organizations are Fundamentally Sound”

One critically important tool to address this need for third party assurance is the requirement for, and reliance on, service organizations to adhere to SSAE 16 standards, and generate an annual SOC (Service Organization Control) report.

Until 2011, SAS 70 was the go-to report that provided guidance to auditors regarding how to assess service organizations, but its scope was limited only to internal financial reviews. Thus, the original SAS 70 fell short as it did not assess the do-or-die function of compliance and operations, which became increasingly critical as companies’ operations evolved. This remains a concern for 340B participants, given the vast amounts of data which must be processed, warehoused, reviewed and reported.

In 2011, the AICPA (American Institute of Certified Public Accountants) rose to the challenge and created a more comprehensive auditing strategy, including frameworks for sharing information which allows companies to publicly show compliance while still ensuring internal privacy controls are maintained. These reports are called Service Organizational Controls (SOC). SOC reports come in 3 forms, with varying degrees of information analyzed:

[Image: SOC report forms]

340B: A Compliance-Driven Industry

As those who work with the 340B Drug Discount Program know well, there are several issues that can have a significant impact on Covered Entities’ program success: compliance with program requirements, and a potential lack of consistency by third party operators in this environment.

340B Program requirements are overseen by the Health Services and Safety Administration (HRSA). HRSA, as a government agency, is the overseer of the 340B Drug Discount program, setting the ground rules, contracting with Covered Entities, and ensuring program compliance.

It is important to clarify that HRSA compliance is separate and distinct from SOC compliance, a set of standards endorsed by financial professionals. However, a third party vendor that has completed SOC reporting demonstrates a public commitment to a culture of compliance within their organization, and provides additional assurance regarding data security, availability, processing integrity and confidentiality as well as validation of sound internal processes and controls.

The Challenge of Comparing 340B Vendor Controls and Capabilities

Many Covered Entities evaluate 340B services through an information-gathering process that may include proposals, or less formal information requests. Covered Entities’ review of 340B third-party administrator capabilities typically includes inquiries into the company background, claims processing, technology, implementation strategies, and, of course, pricing. Vendors provide their companies’ highly individualized responses, and then Covered Entities are left with the difficult task of comparing information, which can differ widely in terms of variations in vendors’ processes, contract pharmacy development, technology, account oversight, contracting and costs.

The extreme variations in vendors’ methodologies can significantly hamper side-by-side analysis. It is this degree of disparity in measuring a third party vendor’s 340B program support that has created the need for a common-ground, fundamental starting point to confirm that the vendor’s operations have the appropriate controls to mitigate risk and maximize efficiencies.

To Get It Right, Begin with the Right Foundation

There are several reasons that SOC reporting is so important to the 340B industry, including issues related to PHI, operational compliance through data management and workflows, and financial information controls.

The intensely personal nature of individual healthcare means that there is widespread public interest in ensuring that appropriate baseline controls are in place. One conflicting factor is that healthcare is a multi-tiered process, often entailing physicians, medical groups, hospitals, insurers, pharmacies and related companies like 340B third-party administrators, all of which require information gathering, sharing and storage. When dealing with Protected Health Information (PHI), companies are charged with safeguarding the privacy of patients. The careful maintenance of PHI is established by the Health Insurance Portability and Accountability Act (HIPAA). As with the rules of 340B, the requirements are stated, and companies, including 340B third-party administrators, are left to interpret and comply.

Healthcare data is subject to the same security threats as any other type of data, and it seems an almost everyday occurrence to hear about cyber attacks or data vulnerabilities. It is in the Covered Entities’ best interest to know that their business associate has the structures in place to avoid a breach and protect patient data.

Experian’s 2017 Data Breach Forecast underscored this issue: “An increase in hospital breaches means the consequences for healthcare organizations that don’t properly manage this risk will increase. Healthcare organizations of all sizes and types need to ensure they have proper, up to date security measures in place.”

The safest practice to protect ePHI is confirmation that controls and standards are in place wherever that data may reside. Vendors that invest in sound data facility infrastructure and security controls are recommended.

SOC reporting supplies the critical details about a third party administrator’s controls and operations. It allows Covered Entities and other business partners to ask potential partners to open their books to qualified outside auditors, to obtain an impartial review of their ability to fundamentally perform. SOC reports are undertaken at a vendor’s own expense, and they provide valuable assurance that a company has set appropriate control objectives and has the capability of fulfilling them.

The SOC Report Impact on the Vendor Assessment Process

SOC reports should be an important factor in considering an engagement with potential vendors. During the selection process, and subsequent annual vendor re-assessment processes, service providers should be required to deliver an up-to-date SOC report relative to the services they are expected to process.

In today’s world of reliance on outsourcing support, it is critical that all service providers are monitored and held accountable for delivering service that meets defined business needs. If the vendor is unable to generate third-party verification of their control environment, they are putting additional (and unnecessary) risk on the Covered Entities, which are, ultimately, the accountable parties for program compliance.

During your vendor review process, look for the AICPA logo (below), indicating that an organization has undertaken an SOC review and that the associated report is available.

[Image: AICPA logo]

Is Your 340B Administrator SOC Compliant?

Any organization participating within the highly-regulated healthcare market knows that the need to protect health and patient data is paramount. In addition, there is the need to do what all businesses, regardless of industry, should do when finding a partner – conduct due diligence in ensuring third party partners are fundamentally capable by ensuring operational and financial controls are both in place and in effect.

The 340B industry, in particular, brings many organizations together to work in close coordination. With so many dependencies, from the Covered Entity’s own eligibility information to data storage facilities, there are numerous individual operational strategies, and underlying government rules that must be in place. Having an SOC-aligned baseline in evaluating 340B administrators’ processes is a cost-effective and powerful tool in evaluating and ultimately selecting new potential partners. On an ongoing basis, a third party vendor’s commitment to maintaining compliance with SOC standards provides added confidence that necessary protections are in place.

Wellpartner is SOC Compliant

Wellpartner works with RSM US LLP, an independent third-party auditor, to produce our SOC reports. For SOC 1 reports, we define our objectives and demonstrate compliance. For SOC 2, we are assessed on attributes relating to security and availability, which are among the core principles of our business.

Wellpartner also chooses to perform the more rigorous SOC Type 2 report, and includes twelve months of history instead of the minimum of six. In addition, Wellpartner updates its SOC reports every year, meaning that there are never any gaps between reports. We insist on providing our customers with this level of SOC compliance to demonstrate the seriousness with which we regard our extensive, consistent efforts in protecting our clients’ financial risk, and safeguarding their data.


FAQs

What is WellPartner 340B?

Wellpartner is the authority in 340B program management. A trusted partner that provides not only the best technology and broadest set of services, but understands the complexities of your business. We are your strategic partner to drive 340B program value.

What does WellPartner do?

Your Trusted Partner

Delivering consistent results is what we stand for in everything we do, including: contract pharmacy services, claims administration, specialty pharmacy dispensing, and leading technology for tracking, reporting and self-auditing.

Which of the 340B stakeholders is responsible for the oversight of the 340B drug pricing program?

SUMMARY: The Health Resources and Services Administration administers section 340B of the Public Health Service (PHS) Act, which is referred to as the “340B Drug Pricing Program” or the “340B Program.” This final rule will apply to all drug manufacturers and covered entities that participate in the 340B Program.

Is WellPartner owned by CVS?

Wellpartner, a CVS Health company Terms of Use.

Is CVS a 340B pharmacy?

The majority of 340B contract pharmacy arrangements are with for-profit chain pharmacies. Among the top four retail pharmacy chains (Walmart, CVS, Rite Aid and Walgreens), an incredible 71% of locations held 340B contracts in 2022.

What is 340B pharmacy?

Section 340B of the Public Health Service Act requires pharmaceutical manufacturers participating in Medicaid to sell outpatient drugs at discounted prices to health care organizations that care for many uninsured and low-income patients.

What is ESP 340B?

340B ESP™ enables covered entities to upload de-identified 340B claims data that originates from contract pharmacies. This data is linked to Medicaid and commercial rebate data provided by pharmaceutical manufacturers to identify duplicate discounts.

What is the 340B final rule?

The 340B ADR final rule requires documentation of good faith efforts to be submitted when filing a claim. 42 C.F.R. 10.21(b)(4). Covered entities and manufacturers should carefully evaluate whether the ADR process is appropriate given the investment of the time and resources required of the parties involved.

Who administers the 340B program?

The Office of Pharmacy Affairs (OPA), which is located within the Health Resources and Services Administration (HRSA) within HHS, administers the program.

What drugs are not 340B eligible?

There are a few exceptions, which include vaccines and Orphan Drugs (which are, by definition, medications specifically developed to treat rare diseases or conditions — and drugs that have only recently been granted New Drug Status by the FDA).

Article information

Author: Frankie Dare
