When Choosing an ACA Vendor, Make Sure They’re SOC II Compliant
2 minute read:
Who do you trust with your data?
The large-scale data breaches of the 2010s saw companies ask the question of whether their network security was sufficient to protect their sensitive data. As we enter the 2020s with ever expanding data privacy regulations, many companies are asking the question of from whom, how and why they are collecting sensitive data.
These are important questions to ask, and every company should have a good system in place as data security issues and data collection laws are likely to increase in the new decade.
An equally important question that many companies appear to overlook is, who am I sharing my data with?
Many companies that are not in the business of selling the data they collect, still share that data with a variety of third parties as part of their regular business processes, whether to meet regulatory compliance or general business obligations.
This is particularly true of Applicable Large Employers (ALEs) (organizations with 50 or more full-time employees and full-time equivalent employees) that are required to offer Minimum Essential Coverage (MEC) to at least 95% of their full-time workforce (and their dependents) whereby such coverage meets Minimum Value (MV) and is Affordable for the employee or be subject to Internal Revenue Code (IRC) Section 4980H penalties.
The complexity and details of the ACA often necessitate that ALEs outsource the compliance work to an ACA service provider; which means providing large amounts of very sensitive employee data to a third party.
This raises a very important follow up question, how do you know that your ACA service provider is taking data security as seriously as you are?
That is where System and Organization Controls (“SOC”) compliance comes into play. Developed by the American Institute of Certified Public Accountants (“AICPA”), SOC type reports are a roadmap of a company’s internal controls. Essentially, it is a rigorous audit of a service providers systems and security protocols to determine the controls they have in place to protect your data, and how well those controls are implemented and managed. Specifically, a SOC II report details the controls relevant to Security, Availability, Processing Integrity, Confidentiality, and/or Privacy in the audited companies network system.
While managing your regulatory compliance needs can be stressful, especially when it comes to ACA compliance, knowing that your ACA service provider is SOC II compliant can go a long way to alleviating any concerns you have regarding their ability to protect your sensitive employee data.
You can trust that Trusaic always has and always will take data security and privacy seriously. We have willingly undergone the SOC II report process in the past and will continue to do so into the future. Contact us to learn about our ACA CompleteSM can help your organization while keeping your data secure.
We’re committed to helping companies reduce risk, avoid penalties, and achieve 100% ACA compliance. For questions about the ACA contact us here.
