SANDATA: Achieving CMS Certification with HITRUST
Helping Vulnerable Populations with Technology
Sandata Technologies, a leading software provider for Medicaid providers and payers, serves an important segment of the healthcare industry. Its customers include home care providers, intellectual/developmental disabilities (I/DD) providers, state payers, and managed care organizations (MCOs), all of which have highly specialized needs both for software solutions and for the regulatory and compliance requirements that accompany their unique role in the healthcare space.
To navigate these requirements, Sandata hired Michael Alcide, Security Director, to serve as the company’s security and privacy lead. An accomplished security and privacy professional with a strong background in facilitating enterprise-level security risk assessments and building information security programs, he quickly established himself as a highly skilled expert in all aspects of HIPAA compliance. “What ultimately drives the Sandata team is the desire to use our talent and passion for technology to serve the healthcare industry and help vulnerable populations achieve the best quality of life possible,” said Michael.
A Specific Need for Healthcare Compliance
To aid our nation’s efforts to provide high-quality healthcare services, the 21st Century Cures Act was enacted by the U.S. Congress in December 2016. Part of this law requires states to implement electronic visit verification (EVV), a technology invented by Sandata, for all Medicaid personal care services (PCS) and home healthcare services (HHCS) that involve in-home visits by a provider.
Because EVV has been instrumental in combating fraud and abuse that had previously run rampant in in-home care services, states can be assessed penalties if they don’t partner with an EVV vendor and have a sufficient EVV program in place. However, if a state payer can demonstrate compliance with the Cures Act, they are reimbursed partially for the EVV software they buy as well as for other Medicaid expenses.
Centers for Medicare & Medicaid Services (CMS) certification is essential for state agencies to prove compliance with the Cures Act and receive reimbursement for implementation and operational costs associated with EVV. In 2018, Michael’s team and the state of Ohio began discussing a path toward CMS certification for Sandata’s EVV technology.
Ultimately, Sandata wanted to create a new iteration of their EVV solution (which has now been deployed) to be CMS certified and compliant with the Cures Act. That means any organization that uses the current version of their EVV software is automatically compliant as well. To achieve this, one of the many CMS requirements Michael and his team had to fulfill was an extensive privacy and security assessment.
“With dozens of frameworks that can be adopted, we ultimately wanted to earn a certification that would provide maximum value by demonstrating our dedication to best-in-class information security and our commitment to ensuring regulatory compliance,” said Vincent Luciani, Sandata’s Chief Information Officer. “Our customers’ data security and privacy is paramount, and having obtained HITRUST certification demonstrates our commitment to them.”
“HITRUST Risk-Based, 2-year (r2) Certifications — formerly known as HITRUST CSF Certifications — are the gold standard in information protection assurances because of the comprehensiveness of control requirements, depth of quality review, and consistency of oversight. HITRUST assessments are based upon the HITRUST CSF which is a tailorable framework that incorporates dozens of authoritative sources representing other leading information protection frameworks and global regulations,” said Bimal Sheth, EVP of Standards Development and Assurance Operations for HITRUST. “The tools and methodologies used by organizations to complete HITRUST certification allow them to assess and report against multiple sets of requirements – assess once, report many, as we say – making our certification assurances efficient, transparent, and thorough.”
Honing in on HITRUST
In navigating CMS requirements for their EVV solution, Sandata knew they had a trusted compliance partner they could turn to for guidance. A-LIGN had been providing compliance services to Sandata since late 2014 and the two organizations had built a rapport around designing efficient compliance strategies.
“Our relationship with A-LIGN has always been very strong — when I came onboard and started working on the EVV project, I quickly got the sense they would be the go-to firm for helping us navigate the intricacies of CMS certification,” said Michael.
Sandata first explored the possibility of using the HITRUST CSF in 2014. Although they recognized it as a comprehensive option that could be used to meet multiple compliance standards at once, they weren’t sure if they should go all in. Fast forward to 2018, and the business benefits of HITRUST had become clear.
“Our customers provide us with a great deal of data that we process and host,” said Michael. “In addition to seeking out a compliance certification that is valid in the state government space, we wanted something that could also be leveraged in the private payer world, where the safeguarding of protected health information (PHI) is of utmost importance.”
To address Sandata’s unique business and compliance needs, A-LIGN reintroduced HITRUST as a versatile security framework that could potentially be used for CMS certification — and more. In addition to showing compliance with HIPAA, Sandata would be able to leverage the HITRUST CSF to comply with other industry-accepted and internationally recognized standards such as NIST 800-53, FedRAMP, ISO 27001, and over 20 others.
“Sandata’s impression was that the state of Ohio understood why HITRUST would be an ideal fit, so we put forth a proposal to the CMS and they agreed that the HITRUST CSF suitably meets the security and privacy assessment requirement,” said Michael. “HITRUST certification has been really great for us because it allows us to meet state requirements while also going to market with a top-tier security posture. Even though we do not directly contract with the federal government, if there’s an inquiry about FedRAMP authorization, I can map our HITRUST controls to various FedRAMP requirements and prove that we have the necessary processes and mechanisms in place.”
At the time of this publication, ten Sandata state customers are fully CMS certified, with three more having completed the process and pending final approval from CMS. Five additional states are in the process of seeking certification. By working with a trusted compliance partner, Sandata aims to keep state program implementations on time and, most importantly, to carry them through to full CMS certification.
Working with a Trustworthy Compliance Partner
Having made the decision to pursue HITRUST certification, Sandata began the readiness assessment process with A-LIGN in February 2018 and finished by early May. This allowed Michael’s team to effectively identify gaps and receive recommendations needed to pass the validated assessment and receive certification.
It only took Michael and his team a few months to complete the necessary remediations. In fact, they began the first round of the validated assessment in July 2018 and received their HITRUST report with certification in September. His team found that A-LIGN’s end-to-end compliance management platform, A-SCEND, was useful for streamlining the assessment process, keeping all evidence centralized.
“A-LIGN isn’t just an assessor firm, they are a trustworthy compliance partner,” said Michael. “Their guidance throughout the entire process was invaluable. They helped us understand the small nuances and specific requirements that are always changing. HITRUST demonstrates that our organization takes privacy and security very seriously, and it really resonates with our customer base of state payers and healthcare providers. Today, we work together with A-LIGN to provide HITRUST across our payer and provider suite of products.”
The HITRUST CSF has established itself as a gold standard for organizations to prove they have the necessary controls in place for comprehensive data protection, and Sandata has found it advantageous in both building trust with customers and serving as a north star for their internal security controls.
“Maintaining HITRUST certification has been very beneficial all around. With states, we’ve had success using it as a continually-assessed overarching security and privacy framework for EVV contracts and to meet CMS certification. Internally, it promotes a culture of continuous improvement by helping us understand where our security can be fortified,” said Vincent. “HITRUST is certainly something we will continue to use moving forward.”