Ensuring Data Security at BASIC

Published December 2009

Here at BASIC, we want you to know that your data is safe and secure, so we put together a list of some of the precautions we take. The following are measures we are taking with regards to data security:

HIPAA Compliance

  • Each of our administration software vendors offer encrypted and secured web sessions, data storage and data transmission for full protection of personal health information, personally identifiable information and when applicable debit card account information.
  • Our payroll service provider offers bank-level encryptions, making it the more secure than industry standard payroll service security.
  • Our ongoing security and privacy awareness training program provides all our employees with clear and concise instructions for accessing, storing, transmitting and safeguarding PHI.
  • We have an attorney on retainer to work with us to ensure we are meeting all legal requirements regarding security and privacy.
  • We are currently working with our legal council to finalize revisions to our Business Associates Agreement (BAA) to reflect the HIPAA changes put into effect through ARRA/HITECH, specifically to state our responsibilities with regards to a PHI breach.

Commitment to Data Security and Continuity Measures

  • In addition to supporting encrypted FTP and secure FTP for data exchange, recently we implemented a secure transfer website to allow our clients and business partners to securely submit data to BASIC and for BASIC to securely send files to our clients and business partners.
  • We are currently testing and planning to implement a third party software solution (fideAS Enterprise) to enhance our encryption capabilities on our network and to guard against unauthorized access to PHI that is being transmitted through email.
  • A thorough data security assessment of the potential risks and vulnerabilities of our systems are tested annually by a third party security assessment firm.
  • We operate a full data backup and redundancy and have 100% emergency power generator backup to enable continuation of critical business functions.
  • We utilize a secure data destruction program for all paper documents containing personally identifiable information.

Red Flag Rules Compliance

  • We are working with National Association of Professional Benefit Administrators (NAPBA – www.napba.org) to establish policies and procedures to comply with the Red Flag Rules that take effect in June 2010.
  • We have processes in place with our administration software vendors, where data is hosted externally, to be notified in case of any data breach in compliance with upcoming Red Flag Rules.