SOC 2 Overview
A Service Organization Controls (SOC) 2 audit examines the controls an organization has in place to protect and secure its system, or services used by customers or partners. An organization’s security is assessed based on the requirements within a SOC 2 examination, known as the Trust Services Criteria (TSC). The is the governing body of the SOC framework and they set the U.S. standards that auditors follow for SOC 2 examinations.

The report assesses if a company’s controls are appropriately designed and working under the five TSC. They include:

• Security
• Availability
• Processing Integrity
• Confidentiality
• Privacy

Security is the only TSC that must be met in the SOC 2 report. The other four are optional but are usually added depending on the type of service(s) that an organization offers. This versatility is essential because SOC 2 reports are meant for use across all industries. No matter the nature of the business, the focus is on securing digital information.

There are , Type 1 and Type 2.

• SOC 2 Type 1 evaluates an organization’s cybersecurity controls at a single point in time. The goal is to determine whether the internal controls put in place to safeguard customer data are sufficient and designed correctly. Do they fulfill the required TSC? Type 1 audits and reports can be completed in a matter of weeks.
• SOC 2 Type 2 examines how well a service organization’s system and controls perform over a period of time (typically 3-12 months). What is their operating effectiveness? Do they function as intended? Type 2 audits can take 12 months to complete and are costlier than Type 1 audits.

How Does SOC 1 Differ From SOC 2?
SOC 1 Type 2 is an audit 911�Թ� undergoes annually. It focuses on financial controls instead of data security. If a company uses a third-party service provider to perform crucial financial reporting processes (e.g., an outsourced payroll management system or a revenue reporting platform), the company will likely ask those service providers for a SOC 1 report. As a bill review provider conducting payment processing services on behalf of clients, 911�Թ� frequently provides our SOC 1 report to customers.

Like SOC 2, there are two levels of SOC 1 audits:

• SOC 1 Type 1 evaluates the fairness of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description, as of a specified date.
• SOC 1 Type 2 evaluates the fairness of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period. Type 2 audits are much more robust than Type 1. Type 2 audits actually evaluate if a company is doing what it says over a period of time.

HITRUST Overview
Founded in 2007, the, or , is a not-for-profit organization advocating programs that protect sensitive information and manage information risk.

While the HITRUST Common Security Framework (CSF) is designed for all industries,��it is closely associated with the healthcare industry’s challenges, such as the numerous applications of controls specific to healthcare (e.g., ). Overall, the HITRUST framework is used as a guide by organizations that deal with or ePHI. The  was a response to the need to have more consistency in certifications. The aim is to have a standard regulation and risk management framework.

HITRUST CSF consolidated the varying requirements from ,��, , , and and checks for the following:

• The presence of clearly defined procedures and policies
• Capability testing to prove its implementation
• Demonstration of a company’s ability to measure and manage these controls

Compliance with this framework ensures the protection of sensitive ePHI. This is why meeting the HITRUST CSF requirements is vital to stay on top of all relevant regulations and standards.

Both SOC 2 and HITRUST reports revolve around the protection of sensitive personal data. One main difference is that SOC 2 is an attestation report, while HITRUST is a certification.

Attestation Report (SOC 2)
An attestation report discusses the confirmation of management that the information in the report is accurate. An independent author will then confirm this report with the help of an opinion. The opinion in the SOC 2 report can be clean, unqualified, qualified, or adverse. Qualified means that the testing cannot confirm that at least one objective has been identified by management. Adverse implies that the testing has failed to verify most of the purposes outlined by management. Even though it may seem it has an asterisk beside it, a qualified report is still reliable. But the company must follow up on it to prove that remediation steps have been undertaken to address any issues raised in the qualified report. SOC 2 reports are completed yearly and may go on from one to three months from completion to report delivery. This depends on how promptly the SOC 2 client can provide documentation and the evidence needed for testing.

Certification Report (HITRUST)
The HITRUST report differs from SOC 2 because it comes with a certification. It has more details peppered in with the report with five times more controls as it incorporates requirements from numerous standards within the HITRUST CSF. Within the HITRUST report, the organization’s management needs to submit a Letter of Representation instead of the management assertion inscribed within the SOC 2 report. This Letter of Representation is still collected within the SOC 2 report but is not included in the final report. The opinion in the HITRUST Certification letter is presented as a Letter of Certification or Letter of Validation, all dependent on the final score of the conducted assessment. The HITRUST certification has a duration of two years, with interim testing finished within a year. Because of the increased number of controls, it takes more time and significantly greater resources to complete.

Why 911�Թ� Chose HITRUST Certification
Given the volume of ePHI 911�Թ� stores and processes as part of our daily operations, it was clear that HITRUST certification would best serve our customers’ needs, and we made significant investments in infrastructure, processes, and personnel to achieve it. With five times the controls of SOC 2, achieving HITRUST Risk-based, 2-year (r2) Certification assures our clients that we are using the highest security standards to safeguard their sensitive data from ongoing digital threats facing the healthcare and insurance industries.

The post HITRUST vs. SOC 2 – Why 911�Թ� Chose HITRUST appeared first on 911�Թ�.

Many providers contend the shift is the result of sicker patients coupled with the widespread implementation of electronic medical records, as treatment and documentation of more complex cases requires greater time and effort. But the persistent increase in costlier codes has made pursuing potential billing abuse a Justice Department priority.

One area of focus for federal investigators has been upcoding, the practice of deliberately billing for more extensive and costly services than were actually performed.

In February 2017, nationwide hospital staffing provider TeamHealth Holdings agreed to plus interest to settle allegations that its hospitalist group practice, IPC Healthcare, submitted upcoded bills to Medicare, Medicaid, the Defense Health Agency, and the Federal Employee Health Benefits Program.

In June 2017, Carolinas Healthcare System agreed to to resolve allegations that it billed federal health care programs for “high complexity” urine drug tests when the tests conducted were only of “moderate complexity.” According to court documents, this upcoding persisted for four years and cost the government an extra $80 per test.

In October 2017, multi-location New York Spine & Wellness Center agreed to to resolve improper billing claims after a federal inquiry determined the practice routinely billed for moderate sedation services – which require physicians spend at least 16 minutes with patients – despite its doctors not meeting the minimum time criteria.

But upcoding is not exclusive to tax-payer funded health care. In the case of New York Spine & Wellness Center, for example, a private insurer first detected the Center’s sedation upcoding in January 2015, initially rejecting two claims that fell short of the 16-minute rule. A subsequent audit by the same insurer resulted in more rejections, but the Center continued its upcoding abuse for two more years until the U.S. Attorney’s Office intervened, seeking to recover overpayments by the state’s Medicaid program. Indeed, of the $1.9 million settlement, more than $660,000 will be returned to the New York Medicaid coffers.

Outcomes such as these are terrific news for taxpayers, but such retrospective vigilance by the Feds has little to no impact on private insurers, employee organizations, and individual payers.

While the government concentrates on recouping federal dollars post-payment, medical cost containment firms must protect private payer clients from overpaying upfront. For example, 911�Թ� uses tools such as in-depth bill review by certified coders and nurse auditors and pre-negotiated, bundled rates to wean out upcoding and other billing abuses on a transactional level. Such proactive approaches are a key core competency of medical cost management, and continue to be as important today as they have been historically.

The post Upcoding Crackdown: Federal Efforts Fail to Benefit Private Insurers appeared first on 911�Թ�.

To help combat this crisis, organizations such as the Official Disability Institute (ODG) and The American College of Occupational and Environmental Medicine (ACOEM) have released guidelines for prescribers in the appropriate use of opioids for treating pain specific to workplace injuries.

In a published in a recent edition of the Journal of Occupational and Environmental Medicine, researchers at the ReedGroup and Kaiser Permanente retroactively applied ACOEM’s April 2017 guidelines to 7,840 patients who underwent carpal tunnel release (CTR) surgery from 2007 to 2014. Of the 70 percent of cases prescribed an opioid, 29 percent were contrary to the guidelines, which recommend no more than a five-day supply of short-acting opioids for acute postoperative pain for new users. Patients given greater dosages averaged disability durations 1.9 days longer and medical costs $422 higher than their ACOEM-compliant counterparts.

While these cases were not exclusively workers’ compensation related, given the volume of injured workers who require CTR surgery annually, it’s easy to see how following the guidelines could substantially benefit payers and patients. The study estimates if 29 percent of the 577,000 CTR procedures performed annually were prescribed an opioid according to ACOEM’s guidelines, the potential medical cost savings is $71 million per year with a reduction in disability durations by 124,000 days. Incredible.

Clinicians at the Center for Surgery and Public Health at Brigham and Women’s Hospital took guideline research a step further by analyzing more than 200,000 postoperative opioid prescribing patterns to define the ideal prescription length by procedure type. Their , published by JAMA Surgery, determined the optimal length of opiate prescription was four to nine days for general surgery procedures, four to 13 days for women’s health procedures, and six to 15 days for musculoskeletal procedures.

While it’s too soon to know the time and monetary impact these guidelines could yield if implemented, it’s heartening to see that the risk of prescription opioid misuse is being considered when looking to alleviate temporary acute pain. We must all be mindful of what is in the patient’s long-term best interests and limiting opioid prescription duration is a critical step in that process.

The post The Road to Optimal Opioid Prescription Length appeared first on 911�Թ�.

At Kaiser Permanente, virtual patient encounters now outnumber in-person visits. , his health system saw more than 110 million people last year, with some 59 million connecting through online portals, virtual visits or the health system’s apps. That figure represents more than half of the organization’s total 2016 visits.

“We are going through a major transformation in healthcare,” said Tyson.

At (NYP), their suite of telemedicine services includes adult and pediatric emergency and urgent care, virtual follow-up visits for surgical and psychiatric patients, and a second opinion program.  Such telehealth adoption has yielded dramatic results. In the ER, for example, low-acuity patients are now seen virtually by an ER physician elsewhere in the health system, reducing average wait times from 2.5 hours to 31 minutes.

Moving forward, NYP aims to make 20 percent of all patient visits virtual, a goal that seems readily attainable given its volume of virtual visits has increased 100 percent every month since it began piloting telehealth services in 2015.

Although telemedicine has yet to significantly impact workers’ compensation or auto, its day is coming. Workplace health clinics, such as the kind operated by , are now augmenting onsite occupational care with telemedicine services. Consider the case of a California factory worker with a blistery hand rash who had her condition treated via a teledermatology visit at her employer-sponsored clinic. It’s only a matter of time before onsite injury assessments, follow-up status calls, and prescription management are conducted virtually, with great cost, comfort and convenience benefits for all parties involved.

The post The Future is Now – Telemedicine in the Marketplace appeared first on 911�Թ�.

However, sometimes organizations can get bogged down with too many key performance indicators (KPIs), copious desirable employee traits and overly complex review processes, so it’s nice to have a quick, “back-of-the-napkin” measure of employee value.

According to businessman Mark Cuban, the secret to career longevity in his billion-dollar empire is the ability to lower his stress level.

In a recent with Money magazine, Cuban shared, ‘’Anybody who reduces my stress becomes invaluable to me.  I never want to get rid of them.’”

Cuban’s approach really resonated with me. It’s a seemingly simple litmus test that easily encapsulates so many desirable workplace traits:

• Reliability
• Accountability
• Resourcefulness
• Team Player
• Skilled Communicator
• Solution-Oriented
• Conflict Resolver

As any manager can attest, leading teams and organizational functions is often stressful. With so many responsibilities to juggle, it makes perfect sense that an employee who minimizes disruption and spares you headaches is an invaluable asset.

So, the next time I’m considering an employee for a promotion, conducting a review or assessing performance coaching opportunities, I’ll be keeping Cuban’s insight in mind. Asking myself, “Does this person reduce my stress?” is a wise way to gauge an employee’s current worth and potential coaching needs.

The post The One Litmus Test for Indispensable Employees appeared first on 911�Թ�.

I think back to college. There were courses I admit I put off most of my effort until a day or two before the test. I would then “cram” all the information in as quickly as possible. It worked on test day, but if asked the same questions a few months later, I likely would not have known the answers. Had I spread out my learning over the whole semester, doing a little bit of learning and coming back to it, my ability to retain the information would have been much higher.

Imagine filling a bucket with a hose on full force. Let go, and the bucket has water, but it still has lots of room at the top. Try again. Water flies out of the bucket and still there is room at the top for more water when you are done. Now put the bucket under a faucet with a slow drip. Eventually the bucket will not only fill to the top, its water will actually bead up over the bucket’s edge, yet all the water is still retained. It appears learning works much the same way.

During my years of practicing Jiu Jitsu, we successfully used the interleaving method. Instead of teaching students a single technique until they perfected it, we would introduce a technique and not come back to it for a while. We would vary their training exercises. Mastery still required students to exert sustained effort over time but avoiding repetitive practice sessions sped their progress.

Not only do mixed practice sessions increase learning rates, they also improve retention. Upon completion of three months of math instruction, a University of South Florida showed that middle schoolers taught using the interleaving method tested 25% better than their blocking-educated peers. More impressive, they scored 76% better one month later.

One explanation for interleaving’s dramatic results is that the technique actually makes it difficult for the brain to rely on rote responses. Since practice sessions cover multiple skills, the same approach cannot be applied to every task. Think about your daily commute. Most of us take the same route every day, driving almost on auto-pilot. But what happens if there’s a detour and you find yourself on unfamiliar streets? You’re forced to pay more attention to get where you’re going. Interleaving is taking “deliberate detours” to hone one’s abilities and cultivate critical thinking.

Sleep is another theory for why interleaving works. During sleep, your body moves memories, thoughts, and learning from short term to long term memory. But not all of this information goes from short to long term in one night. Each time you come back to a subject, more of that knowledge is transferred into your long term memory while you sleep, allowing your body to add more pieces to the puzzle and making the learning more permanent.

When training new hires, many organizations teach and test on one procedure at a time over the course of long, consecutive days. This can produce a false sense of mastery, with employees using a single strategy, held temporarily in their short term memories, to fulfill onboarding requirements. For greater, long term impact, training topics need to be varied and sessions need to be conducted in smaller time increments. Topics need to be repeated over time. While it requires more initial effort, the rewards of interleaving make it well worth the extra planning.

The post Rest and Fewer Reps Hasten Learning appeared first on 911�Թ�.

Expertise and experience should be a competitive advantage when it comes to innovation. Yet, the most experienced people are oftentimes blind to new opportunities.

It’s called the “paradox of expertise​” – the more closely a person is immersed in an industry, the more successful they’ve been in a company or a profession, the harder it can be to see new patterns, prospects, and possibilities.

In fact, show “experts” are no better at predicting their industry’s future than actuarial tables.

One way to avoid the paradox of expertise is to cultivate new knowledge, drawing inspiration from other industries and collective insights. Leaders who neglect to be learners plateau. The best leaders are almost always insatiable learners.

“” is a question I put to myself daily and one I encourage all leaders, wherever they are in an organization, to ask themselves too.

The post The Paradox of Expertise appeared first on 911�Թ�.