Once upon a time, news of PHI disclosures or healthcare data breaches only caught the interest of security and privacy nerds.  Now they grab headlines and prompt worries and distress among practice owners, privacy officers, CFOs, and patients alike.

The disastrous data breach of the collection firm American Medical Collection Agency (AMCA) is the latest to cause sleepless nights, particularly since, after the count of US citizens affected by the breach exceeded 20 million, actions by AMCA clients left AMCA no choice but to file for bankruptcy protection.

What made this breach especially scary to providers is that their patients’ data was exposed due to the actions or inactions of a vendor they assumed they could trust.

Since the AMCA breach, some Quadax clients have contacted us to learn whether or not we have been impacted by this event. In this article, we’d like to assure our audience that 1) we have no relationship with AMCA, and 2) we do have strong controls in place to protect our clients’ data both for our systems and for the third parties with which we contract for ancillary services.

As much as we’d like to tell you that you will never experience this kind of failure when you trust Quadax, we must admit that there is nothing in the world that will ever be completely hack-proof.  As soon as something is ‘hacker-proof,’ the universe builds a more devious hacker.  For that reason, Quadax never stops working at security and privacy; it’s never a box to be checked ‘finished’ so that we can move on to other matters.

Security is a full-time, never-ending endeavor. Three of the facets of the Quadax security efforts germane to this discussion are:

• Our SOC 2 Report
• Our extensive (exhaustive) vendor vetting program
• Our perpetual security monitoring program, including penetration testing, resource utilization monitoring, and routine vulnerability assessments

SOC 2

Quadax submits annually to audit processes to produce the System and Organization Controls (SOC) for Service Organizations Report Relevant to Security, Availability, Processing Integrity, and Confidentiality Principles.  Each year, our external auditor conducts an examination of Quadax controls in accordance with attestation standards established by the American Institute of Certified Public Accountants. Their determination affirms that our controls were suitably designed and are operating effectively to meet the Applicable Trust Services Criteria throughout the specified period of time.

Vendor Vetting

Among the controls and processes examined by our auditor is Sub-Server and Vendor Management.  Quadax maintains a stringent Vendor Management program that begins with initial vetting and carries through to annual assessments to ensure ongoing reliability and integrity. The Quadax Compliance and Legal departments collaborate on the process, with input from the Security Officer.

The vetting methodology proceeds through stages of assessment as data is collected, attestations are reviewed, and a number along a scale is assigned to indicate the “critical level,” reflecting the degree of risk the engagement represents to security and privacy.

Baseline verifications include:

• General Service Administration (GSA) System for Award Management (SAM) database: Is the vendor in good standing, or has the vendor for any reason been excluded, sanctioned, or debarred by a Federal agency?
• Office of Inspector General (OIG) List of Excluded Individuals and Entities (LEIE): Is the vendor in good standing, or has the vendor for any reason been excluded from participation in Medicare, Medicaid, and other Federal health care programs?
• Has the vendor been placed under a Corporate Integrity Agreement?
• Does the vendor appear on the Health & Human Services (HHS) “wall of shame”?

From there, collection of key data points helps Quadax to establish the critical level of the potential vendor through a thorough understanding of how the vendor will be operating: precisely what access is required; whether or not PHI will be stored, transmitted, processed, or accessed; whether or not there would be any offshore components; and several other important factors.

Third-party attestations to the compliance and operating standards of the vendor are also examined. Quadax requires that vendors provide either SOC 2, ISO 27001, or EHNAC, and potentially also PCIcompliance, as applicable.

Legal documents governing the relationship between Quadax and the vendors with which it chooses to engage, each carefully stipulating services, requirements, and penalties for nonconformance, will include some or all of these, depending on the nature of the services and the critical level assigned:

• Business Associate Agreement
• Non-Disclosure Agreement
• Vendor Insurance Standards Agreement
• Vendor Security Standards Agreement
• The Master Service Agreement (MSA) Agreement

Quadax leaves no stone unturned when it comes to safeguarding data and reputations – our own, and our clients’.

Security Monitoring

On a continual, ongoing basis, Quadax uses logging and monitoring software to collect data from system infrastructure components and systems to monitor system performance, potential security threats and vulnerabilities, to evaluate resource utilization, and to detect unusual system activity.  Key indicator reports, along with other tools, serve to alert management of deviations from expected activity which may signal unauthorized access attempts.  Quadax separately conducts routine vulnerability assessments on the corporate infrastructure, searching for any potential weaknesses that could be exploited so they may be mitigated before it’s too late.  It’s important for vulnerability testing to be part of standard, regular routines since weaknesses may arise in any number of circumstances: through the installation of a new patch that corrects a different problem; through the implementation of a new application or an upgrade to an existing one; or through the introduction of a new client or vendor access channel, to name just a few.

It’s expensive and resource-intensive to maintain this degree of vigilance, but as a company entrusted with protected health information (PHI), personally identifiable information (PII), and confidential business information, we make security and privacy a top priority.  You can read more examples of the serious commitment Quadax makes to compliance on our website.

If you’re not currently working with Quadax, but you’d like to learn more about our compliant revenue cycle solutions for hospitals, laboratories, or physicians and other professional providers, please get in touch. We’re always pleased to demonstrate how our services can help healthcare providers thrive despite today’s complex reimbursement environment.

Part 2: Audit Requirements

To assist private companies in understanding what the auditors will request and review, we have identified some of the relevant auditing standard requirements below.

Management’s implementation plan and documentation

Management’s implementation plan encompasses many activities—scoping, accounting assessment, solutions development, and other activities. Auditors need obtain an understanding of this plan.

From a scoping perspective, management is expected to have a variety of key processes and controls implemented to identify revenue streams, relevant contract components and features and business practices to support their accounting policy conclusions. Auditors need to understand how management selected contracts to validate the contract components and features identified during the initial scoping phase. Auditors will also need to perform testing to validate management’s assessment in order to provide support to the audit opinion.

From an accounting assessment perspective, the auditing standards require the auditor to obtain an understanding of the entity’s accounting policies including the reasons for any changes in these policies. To do so, auditors will be reviewing management’s documentation to determine if the accounting policies comply with ASC 606, and validating that the company’s accounting complies with those policies.

Internal control considerations

The auditing standards require the auditor to obtain an understanding of company’s internal controls relevant to the audit. Further, the auditor must evaluate the design of the controls and determine whether they have been implemented by performing procedures in addition to inquiry of the entity’s personnel. As a result, management must evaluate how any changes due to the implementation of ASC 606 impact its control environment.

Further, the new guidance requires management to either recast prior-period financial statements presented for comparative purposes (full retrospective method) or record a transition adjustment and provide disclosures of significant changes by financial statement line item (modified retrospective method). Management must have controls and processes in place for either method chosen. Auditors must obtain an understanding of those controls and test to substantiate there is not a material misstatement.

Extensive new disclosures

The extensive new disclosures required by ASC 606 may require companies to update systems, processes, and controls used to develop disclosures. It is important to note that those companies that assert they will experience little or no impact to top line revenue due to adopting ASC 606 will likely still expend a significant amount of effort to comply with the extensive new disclosure requirements. The auditors will need to perform testing in order to substantiate the new disclosures and underlying information used to support those disclosures.

Management’s progress

It is important for companies to keep their auditors abreast of implementation issues and progress. The more communication the company and auditors have throughout the implementation process, the less likely it is that surprises will arise.

The following indicators may lead the auditor to conclude that management is behind or failing to execute their implementation plan and, therefore, may necessitate additional work:

• • • Inability of management to articulate the details of their implementation plan or make progress toward implementing that plan
    • Lack of a detailed implementation plan and timeline
    • Evidence that key deadlines from the timeline have been missed and that there are neither plans to catch up nor enough time to do so
    • Poor tone at the top, including lack of involvement from those charged with governance

Where do we start?

A comprehensive implementation plan that includes the right people across the right functions is critical to a successful implementation of the new guidance. Companies should consider the following action items as they tackle ASC 606:

• • • Train employees across the organization on ASC 606, and allow employees to help identify impacts to their own functional areas (forecasting, employee benefits, tax, sales teams)
    • Develop an overall implementation plan and timeline
    • Evaluate competence across the organization, and consider hiring external service providers to assist with the implementation process, as needed
    • Inventory all contracts with customers and identify key terms and conditions, as well as any deviations from those standard terms
    • For areas of change between existing GAAP and ASC 606, identify cross-functional impacts to the organization (including tax impacts)
    • Make any accounting policy elections and document new policies, as needed
    • Document and implement any internal control changes
    • Identify disclosure gaps that require system updates or changes, and initiate the process to close those gaps

“One of the biggest takeaways we hear from public companies is not to underestimate the amount of time required to complete the implementation of ASC 606. Because the new guidance touches so many areas of the business, the implementation requires extensive coordination across functional areas which, of course, takes time and effort.”

Cullen Walsh, Partner
Grant Thornton Accounting Advisory Services

Want to learn more about how ASC 606 can affect your organization?  Join Cullen Walsh, Partner, Accounting Advisory Services at Grant Thornton and Walt Williams, Director of Revenue Optimization and Strategy at Quadax, as they present, “ASC 606 – Lessons Learned and What You Need to Know” on Tuesday, November 27 at 2:00 p.m. EST.

Register For Webinar

For more information on how Grant Thornton can help your company, contact your GT Audit Partner Daryl Buck, Cullen Walsh, Matthew McCleary, Chris Stephenson, or your local GT service provider.

“Grant Thornton” refers to Grant Thornton LLP, the U.S. member firm of Grant Thornton International Ltd (GTIL), and/or refers to the brand under which the GTIL member firms provide audit, tax and advisory services to their clients, as the context requires. GTIL and each of its member firms are separate legal entities and are not a worldwide partnership. GTIL does not provide services to clients. Services are delivered by the member firms in their respective countries. GTIL and its member firms are not agents of, and do not obligate, one another and are not liable for one another’s acts or omissions. In the United States, visit grantthornton.com for details.

© 2018 Grant Thornton LLP. All rights reserved. U.S. member firm of Grant Thornton International Ltd