Why exclusion monitoring?
In accordance with Sections 1128 and 1156 of the Social Security Act, HHS OIG mandates that healthcare organizations do not hire or do business with "excluded or sanctioned" individuals or entities. Providers who participate in federal healthcare programs must monitor federal and state exclusion sources to avoid fines and penalties.
Why do we need your employee’s Social Security Number (SSN) when conducting monitoring services?
ProviderTrust uses its proprietary software to help companies across the nation, such as hospitals, long-term care facilities, physician practices and staffing agencies, stay compliant with state and federal healthcare requirements through its compliance monitoring services.
In order to provide these services, ProviderTrust relies on unique IDs to produce verified matches. The primary unique ID for individuals is the SSN. Without an SSN, caregivers are more than twice as likely to produce unverified potential matches. When an SSN is not provided, we rely on other data elements such as Name, Date of Birth, Address, or License Number. Even with our smarter monitoring, none of these elements is unique to an individual, and as a result they can lead to a higher volume of inconclusive matches for your organization to review.
Do we need to execute a Business Associate Agreement because of PHI?
No. ProviderTrust does not use, create, or receive Protected Health Information, and therefore does not meet the definition of a Business Associate as defined in the Health Insurance Portability and Accountability Act (HIPAA).
The type of information we receive is expressly excluded from the definition of Protected Health Information. The PHI definition in 45 C.F.R. § 160.103 expressly excludes: “individually identifiable health information in employment records held by a covered entity in its role as employer.”
ProviderTrust uses the minimum information required from a person’s employment record to ensure they are correctly identified for the purpose of running provider monitoring services.
How do you protect my employees’ sensitive information?
- Data Security: Our datacenter (AWS) is PCI, HIPAA, and ISO 27001 certified. It is FedRAMP compliant and has received a SOC 1 and SOC 2 audit. All data is secured through proper encryption methods.
- Password Protected: Our website is securely controlled by username/password access. We will never sell or publish your information to anyone outside of our company.
- User Access: Only users with the highest access privilege are allowed to access sensitive information. User permissions in Passport allow you to determine if your user should have visibility into the employee’s DOB or SSN.
- Secure File Transfer: We ask clients to NEVER send PII via unsecured email correspondence. Our Client Success team will either provide a secure ShareFile link or request that files be uploaded directly into the secure monitoring system. If a user sends this information via email, your Client Success Leader will first REMOVE the attachment, delete the email, and respond with an email reminding users of the sensitive data protocols.