Many times when we give an initial presentation to an agency, someone (usually from the legal or business office) asks if we have a “SAS70”. In reality the SAS70 does not exist any more. In its place is the SOC2 process. This means that we have been evaluated by an external body who have looked at our policies and processes. You can read much more about it on the AICPA website or in our press release below:
WATERBURY, Conn., March 3, 2014 /PRNewswire/ – Therap Services, the leader in Intellectual and Developmental Disabilities electronic health record and data management, has announced receipt of the SOC 2 Report on Security, Availability, Processing Integrity, Confidentiality and Privacy Practices.
Richard Robbins, CEO of Therap Services, states, “Undergoing the SOC 2 audit and receipt of this report validates Therap’s level of commitment to maintaining security of protected health information for all provider agencies, organizations, county and state systems utilizing Therap Services as the electronic health record and documentation software solution.”
SOC 2 compliance is part of the American Institute of Certified Public Accountants (AICPA) Service Organization Control reporting platform. AICPA.org states: “These reports are performed using the AICPA Guide: Reporting on Controls at a Service Organizations Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy and are intended for use by stakeholders (e.g., customers, regulators, business partners, suppliers, directors) of the service organization that have a thorough understanding of the service organization and its internal controls. These reports can form an important part of stakeholders:
- Oversight of the organization
- Vendor management program
- Internal corporate governance and risk management processes
- Regulatory oversight”
The SOC 2 for Therap’s Developmental Disability software solution covers the AICPA Trust principles. AICPA.org states: “Trust Services are defined as a set of professional attestation and advisory services based on a core set of principles and criteria that addresses the risks and opportunities of IT-enabled systems and privacy programs. Trust Services Principles and Criteria are issued by the Assurance Services Executive Committee of the AICPA.”
“The following principles and related criteria have been developed by the AICPA:
- Availability. The system is available for operation and use as committed or agreed.
- Processing integrity. System processing is complete, accurate, timely, and authorized.
- Confidentiality. Information designated as confidential is protected as committed or agreed.
- Privacy. Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA.”
“The trust services principles and criteria of security, availability, processing integrity, and confidentiality are organized in four broad areas:
- Policies. The entity has defined and documented its policies relevant to the particular principle.
- Communications. The entity has communicated its defined policies to responsible parties and authorized users of the system.
- Procedures. The entity placed in operation procedures to achieve its objectives in accordance with its defined policies.
- Monitoring. The entity monitors the system and takes action to maintain compliance with its defined policies.”
About Therap Services, LLC
Therap Services’ patented developmental disabilities software solution supports compliance with standards as required for funding through Centers for Medicaid & Medicare Services at both state system and agency levels. Therap’s electronic documentation software solution is used by over 1,200 I/DD agency, county and state entities with over 200,000 users documenting services to more than 200,000 individuals with intellectual and developmental disabilities. Therap is widely used in case management, home and community-based services (HCBS), intermediate care facilities for the developmentally disabled (ICF-DD), day treatment programs, developmental centers and other settings.
Secure applications offered by Therap include individual support modules such as incident reporting, medication error reporting, behavior tracking, individual service plans, goal tracking, health records, medication administration records and case management notes, among others. Therap offers solutions for employee training management and employee scheduling. It also covers billing with service authorizations, attendance and professional claim tracking modules. Therap’s HIPAA, HITECH and ARRA compliant software applications are suitable for day programs, residential services, supported living, case management and community support programs.