Commonly referred to as a SOC 1 (Service Organization Control 1), the issuance of SSAE 16 is similar to an SAS 70 and has not changed its purpose. The SSAE 16 is intended to provide interested parties with information about Benefit Strategies and an opinion on the controls in place. The SSAE 16 is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). The audit signifies that Benefit Strategies, LLC has had its control objectives and control activities examined by an independent accounting and auditing firm. A formal report including the auditor's opinion is issued to the service organization at the conclusion of the examination. The report enables service organizations to demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers.
The audit certifies that Benefit Strategies' controls for Consumer Driven Healthcare (CDH) and COBRA administration services are suitably designed to meet the security, availability, processing integrity, confidentiality and privacy principles set forth in TSP section 100, Trust Services Principle, Criteria, and Illustrations for Security, Availability, Process Integrity.
Benefit Strategies undergoes annual reviews and audits to maintain this certification. Reports are available for review upon request to existing or potential partners.
Benefit Strategies worked with an independent third party to test and perform a risk assessment against the HIPAA / HITECH requirements to confirm the confidentiality, integrity and availability of Electronic Personal Health Information (ePHI). The areas audited included the Security Rule, Privacy Rule, Business Associate Requirements, Breach Notification and Accounting of Disclosures. The risk assessment process included the review of documentation, interviews with Benefit Strategies staff, walkthroughs of facilities, and the testing of controls through manual and automated methods. Benefit Strategies remains compliant with the requirements of the HIPAA / HITECH regulations to protect the confidentiality, integrity and availability of ePHI.