Today, most businesses rely on third party experts/service providers to deliver critical services to
their core business. By outsourcing systems, platforms and data operations to service providers,
client organizations can focus more on strategy, reduce costs, and leverage specialized
expertise or application of industry best practices.
Selecting a third party vendor should not be taken lightly and necessitates a commitment in
the discovery process to analyze internal needs and select a partner with the resources and
processes in place to fully deliver on their requirements.
Unfortunately, many organizations stop at that point. How do you know if your service
provider is doing what they outlined in a Statement of Work (SOW), Business Associate
Agreement (BAA) or contract? How do you validate their internal (data, security and
financial) controls on an ongoing basis? Many services are delivered in other regions of the
country (or even other places on the globe), and while the client organizations may never
interact with most individual service organizations upon which they heavily rely.
Contracting with a third party sets in motion a relationship based on trust, since the
contractor builds a dependency on its vendor. Thus, the same controls and operations
that underlie the vendor’s provision of services correlate with the purchaser’s own results,
and have broader impacts on other important factors, such as marketplace perception.
Thus it is important to assess and continually verify third party service providers have the
appropriate structure and controls in place to do the job and that they are in accordance with
industry standards. How then can financial professionals, IT security experts or compliance
professionals gain confidence that their service providers are, in fact, capable of delivering
“Establishment of a Universally-Appropriate Measure to Assess if Third Party Service Organizations are Fundamentally Sound”
One critically important tool to address this need for third party assurance is the requirement for, and reliance on, service organizations to adhere to SSAE 16 standards, and generate an annual SOC (Service Organization Control) report.
Until 2011, SAS 70 was the go-to report that provided guidance to auditors regarding how to assess service organizations, but its scope was limited only to internal financial reviews. Thus, the original SAS 70 fell short as it did not assess the do or die function of compliance and operations, which became increasingly critical as companies’ operations evolved. This remains a concern for 340B participants, given the vast amounts of data which must be processed, warehoused, reviewed and reported.
In 2011, the AICPA (American Institute of Certified Public Accountants) rose to the challenge and created a more comprehensive auditing strategy, including frameworks for sharing information which allows companies to publicly show compliance while still ensuring internal privacy controls are maintained. These reports are called Service Organizational Controls (SOC). SOC reports come in 3 forms, with varying degrees of information analyzed:
340B: A Compliance-Driven Industry
As those who work with the 340B Drug Discount Program know well, there are several issues that can have a significant impact on Covered Entities’ program success: compliance with program requirements, and a potential lack of consistency by third party operators in this environment.
340B Program requirements are overseen by the Health Services and Safety Administration (HRSA). HRSA, as a government agency, is the overseer of the 340B Drug Discount program, setting the ground rules, contracting with Covered Entities, and ensuring program compliance.
It is important to clarify that HRSA compliance is separate and distinct from SOC compliance, a set of standards endorsed by financial professionals. However, a third party vendor that has completed SOC reporting demonstrates a public commitment to a culture of compliance within their organization, and provides additional assurance regarding data security, availability, processing integrity and confidentiality as well as validation of sound internal processes and controls.
The Challenge of Comparing 340B Vendor Controls and Capabilities
Many Covered Entities evaluate 340B services through an information-gathering process that may include proposals, or less formal information requests. Covered Entities’ review of 340B third-party administrator capabilities typically include inquiries into the company background, claims processing, technology, implementation strategies, and, of course, pricing. Vendors provide their companies highly individualized responses, and then Covered Entities are left with the difficult task of comparing information, which can differ widely in terms of variations in vendors’ processes, contract pharmacy development, technology, account oversight, contracting and costs.
The extreme variations in vendors’ methodologies can significantly hamper side-by-side analysis. It is this degree of disparity to measure a third party vendors’ 340B program support that has created the need for a common ground, fundamental starting point to confirm that the vendor’s operations have the appropriate controls to mitigate risk and maximize efficiencies.
To Get It Right, Begin with the Right Foundation
There are several reasons that SOC reporting is so important to the 340B industry, including issues related to PHI, operational compliance through data management and workflows, and financial information controls.
The intensely personal nature of individual healthcare means that there is widespread public interest in ensuring that appropriate baseline controls are in place. One conflicting factor is that healthcare is a multi-tiered process, often entailing physicians, medical groups, hospitals, insurers, pharmacies and related companies like 340B third-party administrators, all of which require information gathering, sharing and storage. When dealing with Protected Health Information (PHI), companies are charged with safeguarding the privacy of patients. The careful maintenance of PHI is established by the Health Insurance Portability and Accountability Act (HIPAA). As with the rules of 340B, the requirements are stated, and companies, including 340B third-party administrators, are left to interpret and comply.
Healthcare data is subject to the same security threats as any other type of data and it seems an almost everyday occurrence to hear about cyber attacks or data vulnerabilities. It is in the Covered Entities’ best interest to know that their business associate has the structures in place to avoid a breech and protect patient data.
Experian’s 2017 Data Breach Forecast underscored this issue: “An increase in hospital breaches means the consequences for healthcare organizations that don’t properly manage this risk will increase. Healthcare organizations of all sizes and types need to ensure they have proper, up to date security measures in place.”
The safest practice to protect ePHI is confirmation that controls and standards are in place wherever that data may reside. Vendors that invest in sound data facility infrastructure and security controls are recommended.
SOC reporting supplies the critical details about a third party administrator’s controls and operations. It allows Covered Entities and other business partners to ask potential partners to open their books to qualified outside auditors, to obtain an impartial review of their ability to fundamentally perform. SOC reports are undertaken at a vendors’ own expense, and they provide valuable assurance that a company has set appropriate control objectives and has the capability of fulfilling them.
The SOC Report Impact on the Vendor Assessment Process
SOC reports should be an important factor in considering an engagement with potential vendors. During the selection process, and subsequent annual vendor re-assessment processes, service providers should be required to deliver an up-to-date SOC report relative to the services they are expected to process.
In today’s world of reliance on outsourcing support, it is critical that all service providers are monitored and held accountable for delivering service that meets defined business needs. If the vendor is unable to generate third-party verification of their control environment, they are putting additional (and unnecessary) risk on the Covered Entity which are, ultimately, the accountable parties for program compliance.
During your vendor review process, look for the AICPA logo (below), indicating that an organization has undertaken an SOC review and that the associated report is available.
Is Your 340B Administrator SOC Compliant?
Any organization participating within the highly-regulated healthcare market knows that the need to protect health and patient data is paramount. In addition, there is the need to do what all businesses, regardless of industry, should do when finding a partner – conduct due diligence in ensuring third party partners are fundamentally capable by ensuring operation and financial controls are both in place and in effect.
The 340B industry, in particular, brings many organizations together to work in close coordination. With so many dependencies, from the Covered Entity’s own eligibility information to data storage facilities, there are numerous individual operational strategies, and underlying government rules that must be in place. Having an SOC-aligned baseline in evaluating 340B administrators’ processes is a cost-effective and powerful tool in evaluating and ultimately selecting new potential partners. On an ongoing basis, a third party vendor’s commitment to maintaining compliance with SOC standards provides added confidence that necessary protections are in place.
Wellpartner is SOC Compliant
Wellpartner works with RSM US LLP, an independent third-party auditor, to produce our SOC reports. For SOC 1 reports, we define our objectives and demonstrate compliance. For SOC 2, we are assessed on attributes relating to security and availability, which are among the core principles of our business.
Wellpartner also chooses to perform the more rigorous SOC Type 2 report, and includes twelve months of history instead of the minimum of six. In addition, Wellpartner updates its SOC reports every year, meaning that there are never any gaps between reports. We insist on providing our customers with this level of SOC compliance to demonstrate the seriousness with which we regard our extensive, consistent efforts in protecting our clients’ financial risk, and safeguarding their data.
About the Author
CFO & Executive Vice President, Finance & Administration, Wellpartner
Ken Bodmer joined Wellpartner in July 2014 bringing with him more than 25 years of financial, operations and sales experience in pharmacy benefit management and specialty pharmacy services. His responsibilities include Finance, Human Resources, Information Technology, Analytics and Legal. Throughout his career, Mr. Bodmer has consistently contributed to growing the bottom line and adding value through expanding profitable business lines and strategic acquisitions.
Prior to joining the company, Mr. Bodmer held senior finance and operations positions at Catamaran pharmacy benefit management company, United BioSource Corporation, a division of Medco, Accredo Health Group and Medco.
Mr. Bodmer earned a B.S. in Accounting from Villanova University and an MBA from Seton Hall University. He is a member of the Financial Executive Institute, Institute of Management Accountants, and the American Institute of CPAs.