
6 checkpoints for benefits vendor compliance

Compliance matters.

Growth is the lifeblood of any organization, especially startup companies that have investors counting on them going to the moon with their business thesis. The challenge for many of these companies is that they don’t think compliance, security, and managing risk can drive revenue. Let’s face it: compliance elements typically don’t make the list during the proverbial whiteboard brainstorm of growth strategies. However, security and compliance will make it onto the whiteboard if the CEO and his team have experience selling to employer groups using compliance as a differentiator. Many startup companies view compliance and security as cost burdens, whereas those who have previously sold to employers in the health benefit space view compliance and security as revenue-generating table stakes. I personally have always viewed compliance like I view buying parachutes and LASIK eye surgery: don’t cut corners and don’t be cheap.

Rob Butler

In the past couple of years, unless you were a Fortune 500 company, you were rarely asked in an RFP or during finalist meetings if you had successfully completed a SOC audit or if you had HITRUST in place. Today, with the advent of the Affordable Care Act, those “scary terms” are becoming more important and are moving downstream into smaller organizations. The savvy few who have been in this space for more than a few years understand that security and compliance tools matter and really do drive revenue. In today’s world, market differentiation lies not only in finding a better way to play the game, but also in consistently following the rules along the way.

The ACA was signed into law on March 23, 2010 and upheld in the Supreme Court on June 28, 2012. That means many employers and brokers are on their second round of selecting solution vendors to assist with various aspects of employee health and benefits. During the first round, a modern user interface was what was hot in the streets. This time around, more sophisticated buyers are insisting on four key foundational components:

1. Modern shopping experience and user interface

2. Robust administrative back end

3. Proven service model (with references to back it up)

4. Compliance and security

Yes, compliance has officially made the list, and not just because many vendor mishaps have recently made headlines. The ACA created new complexity and requirements that have further burdened already overworked and underequipped HR staffs, and now they’re desperately seeking help. Plus, most HR people went to school to learn how to create cultures, handle employee conflict and recruit new talent – not to learn how to submit their 1094 and 1095 forms correctly. Worthy vendors take some of this heavy compliance burden off HR departments. Great vendors do that along with the other components listed above.

When selecting a solution vendor, here are several critical checkpoints to ensure that the vendor can truly be trusted with sensitive employee data and the compliance of your business:

1. Proof of certification. Establish that vendors are up-to-date on all certifications. Employers should feel comfortable asking for proof of licenses, audits and assessments. Note how frequently these audits are performed, and whether the vendor has had a Security Risk Assessment in the past year. If there is no proof of the vendor’s certifications, that’s a red flag.

2. SSAE 16 Type II compliance. Many companies are becoming fully SSAE 16 compliant, which means undergoing an annual assessment ensuring that a service organization is up-to-date on compliance policies and procedures. If the vendor is claiming compliance, employers should ask to see the SSAE 16 Type II report. If the vendor does not know what this is, or does not have a report as proof that it is SSAE 16 compliant, that’s a red flag.

3. Third-party validation. Prospective employers need to ensure that current customers are happy with the vendor, and that they are comfortable with the level of security and compliance that the vendor provides. Further, employers should inquire if vendors are members of national and regional industry groups dedicated to compliance. If so, can they share peer references to verify that the vendor maintains compliance? If customers or industry references aren’t available, that’s a red flag.

4. Policies and procedures. Employers must verify that the vendors they are considering are willing to sit down and walk through due diligence. If a vendor only says it complies with regulations but doesn’t have any written policies and procedures in place, that’s a red flag.

5. Compliance talent. As vendors fully integrate security and compliance into their core business model, employers should investigate whether they employ experienced compliance teams and, even better, a Compliance Officer to whom these teams report. Not having any dedicated compliance experts on staff is a sign that the vendor may be ignorant of how crucial compliance expertise really is. Further, employers should look into the qualifications that staff members have and their background in security and compliance, including certifications such as Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA) and Certified Ethical Hacker (CEH). If there are no staff members dedicated to security and compliance, that’s a red flag.

6. Open communication. Employers should expect to receive monthly newsletters to keep them abreast of new and pending regulations and hot topics in the compliance arena. Webinar offerings are an industry best practice to help employers understand key compliance issues that impact their regulatory requirements. If a vendor isn’t on top of what’s happening or doesn’t provide reliable insights, that’s a red flag.

Brokers can also serve as a third-party trusted source of security and compliance expertise and guidance. Brokers who are knowledgeable and up-to-date on the latest technology, regulations, and legislative changes can also be key in ensuring the effective compliance of their clients.

Regardless of title, department or job function – from executive leadership to newly trained staff members – all must understand that compliance is a top priority. In this age of modern data management and cloud-based technology and service solutions, those who comply will thrive. Vendors, welcome to the postmodern ACA world. Use compliance and security as a revenue-driving differentiation tool. Trust me – it works (and you will sleep better at night).
