FAIR Health Maintains SOC 2 Type 2 Compliance for Fifth Year

January 18, 2024

In December 2023, for the fifth consecutive year, FAIR Health continued to maintain its SOC 2 Type 2 compliance. SOC (System and Organization Controls) 2 is a security framework that specifies how service providers should protect customer data from cybersecurity risks based on five “Trust Service Principles”: security, availability, processing integrity, confidentiality and privacy. FAIR Health again demonstrated its compliance with this framework through a rigorous process known as a Type 2 audit.

SOC 2 Audits
SOC 2 audits were developed by the American Institute of Certified Public Accountants (AICPA), which designed the SOC 2 standard. A SOC 2 audit provides an independent assessment of the service provider’s security and privacy control environment. Being SOC 2-compliant is important because it assures data contributors and customers that the organization has the infrastructure, tools and processes in place to protect their information.

There are two types of SOC 2 audits. A Type 1 audit assesses whether the service provider’s security controls are designed to meet the relevant trust principles. A Type 2 audit assesses whether those controls work as intended over a period of time. FAIR Health’s SOC 2 assessments cover all systems that handle, store or transfer protected health information (PHI).

FAIR Health dedicates significant resources to complete the intensive SOC 2 Type 2 audits, which can take from 8 to 12 weeks to complete. As part of the assessment, the organization first needs to define the scope, considering all business processes and supporting infrastructure. Then the organization has to provide evidence for all individual control requirements, including samples of reports, screenshots, meeting minutes, policies and procedures, and contracts, among others. Over 180 unique controls are tested as part of the audit, such as security training, role-based access restrictions and password lockout policy. The auditors may request walk-through meetings to obtain an understanding of controls through observation, and may also ask for clarification on the evidence provided or request additional evidence.

Once fieldwork has been completed, the auditors issue a final audit report, valid for 12 months, showing compliance with the framework. The report contains a description of all unique controls in place, the tests performed to evaluate them, the results of these tests and an overall judgment of the design and operational effectiveness of these controls.

Data Security at FAIR Health
In addition to maintaining compliance with SOC 2 Type 2, FAIR Health’s systems for processing and storing PHI have earned HITRUST Common Security Framework (CSF) Certified Status by meeting key healthcare regulations and industry requirements for protecting and securing sensitive private healthcare information. HITRUST is a privacy and security framework that can be used to demonstrate compliance with the provisions of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule for electronic protected health information and the NIST SP 800-122 standards for personally identifiable information. In further recognition of the organization’s data security policies and privacy practices, the Centers for Medicare & Medicaid Services certified FAIR Health as a Qualified Entity under the Qualified Entity Certification Program, a designation that requires rigorous data security evaluations. This enables FAIR Health to receive traditional Medicare claims data for all 50 states and Washington, DC.

FAIR Health rigorously protects the privacy of healthcare data and employs administrative, procedural, technical and physical safeguards that comply with applicable law and meet or exceed industry standards and best practices.

FAIR Health President Robin Gelburd stated: “FAIR Health is charged with protecting and de-identifying claims information for many of the nation’s largest health plans, as well as the entire nation’s fee-for-service Medicare collection, and therefore is intensely focused on maintaining the highest data privacy and security standards. Our continuing compliance with SOC 2 Type 2 and HITRUST are two important ways we demonstrate this focus.”