The pMD Blog


We’re Serious About Security. But, You No Longer Have To Take Our Word For It.

In the health care landscape these days, security and data protection concerns are as common as thermometers and stethoscopes. For a health care technology company like ours, data protection can’t just be on a “to do” list. It has to be in our company DNA. If it weren’t, we’d never close a deal, and our potential clients, medical practices of all sizes, would run screaming in the opposite direction. And we wouldn’t blame them!

At pMD, security has always been at the core of what we do. In fact, our original infrastructure was predicated on the highest security standards established at the time: those of the financial industry. In our daily work lives, we understand the privilege of handling a person’s Protected Health Information (PHI) and demand a high level of respect and care from every team member. I often find myself hypothesizing, “What if this were my mother’s health information? How would I want it to be handled?” So, when a large potential customer asked us to undergo an annual third-party audit by an AICPA-accredited firm, I gave an enthusiastic “yes!” To be completely honest, I had no idea what an audit really entailed. But I knew doing so meant an unbiased third party would come in and gut-check each of our decisions, while considering our specific business, goals, and culture. Yes, please!

So, here we are, almost two years after that initial audit request, with our first audit successfully completed, and our second one not far in the distance. What did we learn? Well, in a word ... lots. But here are a few big takeaways.

Audit standards vary.

Not all audits are the same, and the differences are largely driven by the standards used by the auditors. One of the most common groups of standards is the SOC standards. A SOC report provides an analysis of a service organization’s internal controls so that users can better understand the risks associated with sharing sensitive information with this external organization. There are three SOC reports - SOC 1, SOC 2 and SOC 3. Each one makes sense for different industries and company types. Then, within the reports themselves, there are different criteria. For example, within a SOC 2 report, there are criteria related to security, availability, processing integrity, confidentiality and privacy. At pMD, security was our top priority, and a SOC 2 audit made the most sense. So, we started with a SOC 2 covering the Security Trust Services Criteria, and will consider folding in new subject areas as we move forward.

There are also two different types of SOC reports, Type 1 and Type 2. That means a company could complete a Type 1 or Type 2 SOC 1, SOC 2, or SOC 3 audit. A Type 1 report assesses controls as of a point in time, whereas a Type 2 report assesses controls over a period of time, usually six to twelve months. For our first audit, we decided to complete a Type 1 and will build that effort into a Type 2 for our second audit.

In planning our audit, we also knew how important HIPAA compliance is to each and every one of our users. So, we also completed a HIPAA audit, where our auditor used the HIPAA requirements to assess whether our security controls are adequate to meet our HIPAA obligations. Knowing that security and HIPAA would be of the utmost importance to our customers, we prioritized both those sets of standards and hope to expand them in the future.

Be open, be honest, be organized.

In the months leading up to our audit, our team had a serious case of the jitters. It felt like someone was coming into our home, looking for dirt as they wiped a finger along each of our shelves. We knew we wanted the auditors to have a full view of what we were doing, but we were still nervous that our processes weren’t “good enough.” We handled these nerves by ensuring that we were as prepared as possible before our auditors arrived onsite, sending them all requested information well before they arrived at our office. We also made the conscious decision that this audit would only be helpful if we were up front and open about what our security processes really are. So, we were open and honest with our auditors, which brings me to our next point…

Let your auditors be collaborators.

Of course, an auditor inherently has to be objective and can’t advise a company on how to meet its security standards. But, at the same time, auditors have a wealth of experience and knowledge, and have seen hundreds of companies’ security configurations. So, if you’re working with a good audit firm, they’ll point out areas in which you could improve, and then describe various ways they’ve seen that security control addressed, including industry best practices. Auditors can offer invaluable insights, and this perspective really helped pMD maximize the value we received from completing our audit.

There’s no silver bullet.

Of course, completing an audit doesn’t mean that a company will never have a security problem, though I certainly wish it did! But what it does mean is that you can sleep better at night knowing that an objective third party finds your security systems reasonable. And, from a customer standpoint, it means you don’t have to simply trust us when we tell you that we prioritize your data’s security. The proof is in the pudding: the audit reports not only clearly outline our security protocols but, more importantly, the audit indicates a culture of security awareness. It’s proof that pMD is willing to invest a great deal of time and money to ensure that our security protocols are up to par. And that means that when you engage with pMD, a responsibility we don’t take lightly, you can sleep better at night, too.

To find out more about pMD's suite of products, which includes our MIPS registry, charge capture, secure messaging, clinical communication, care navigation, and clinically integrated network software and services, please contact pMD.
