Vita Companies’ Surprisingly Seamless Journey to HITRUST Compliance
Vita Insurance Associates is our technical name, but we are often referred to as Vita Benefits Group. We are an employee benefits brokerage and consulting firm.
Something that makes us different in our industry is that we don’t have any sales staff, but 95% of our business is from referrals. Instead of putting all of that money into advertising, sales, and so forth, we put it back into service to do a good job for our clients. Our clients then refer us to family and friends, and that’s been our model.
In addition, what makes us really different is that no one in our office gets paid a commission, which is unusual in our industry. The owners of our firm have committed to a 6% return on profit and put the rest back into the company, which is unheard of. So we are an employee benefits brokerage firm that really does it differently, by focusing on service, not sales. We’ve been in business now for 46 years. I’ve been here for 25 of those years.
I’m currently the Vice President of Operations. I am responsible for many aspects of the company, including different departments like finance, accounting, HR, facilities, IT, and marketing. However, I mainly make sure that we are executing on an excellent level, operating efficiently, and achieving our strategic goals.
We’ve been doing HITRUST certifications for about four years now. We’ve gone through the process, the full two-year certification process, twice now. We began with the R2 certification and started there. Quite frankly, we just shot for the moon.
One of the reasons that we got into HITRUST is that we’ve filled out, or we used to fill out, security questionnaires for our clients. And because we are not only a consulting brokerage firm, but we also outsource administration, we wanted to be able to have a certification that really differentiated us from the rest of the industry.
No other brokerage firm that does what we do has this type of HITRUST certification. Because we put our money back into our service, we wanted to back up our security. We thought HITRUST was one of the best ways to achieve this, better than SOC or ISO. We are also related to the healthcare industry, not as a health insurance carrier, but we deal with carriers, so this felt like the appropriate certification.
I can’t say it wasn’t a rough start. It was rough until we found the proper partners, quite frankly. How we originally started the process was much more difficult than what we’ve been doing for the last four years. What we realized is that we really need custom documentation. When you start HITRUST, it’s a daunting prospect, especially if you’ve never been exposed to what HITRUST is and what they want a verification for.
So we had to start writing our policies and procedures. We found that the initial people we started working with were kind of pushing us templates and not giving us anything specific. They left it to us to figure things out, which wasn’t working for us.
So we had to find another partner. Then, that partner eventually was purchased by another larger corporation, which ended up gutting the people they had. There was a lack of relationship and a lack of responsiveness. It just wasn’t the right fit. And so that’s when we kind of reevaluated and said we need some help.
Well, we had been working with Privaxi to get us ready for HITRUST. We were introduced to them early on in the process, when we expressed that our readiness vendor just wasn’t cutting it for us. They then said, “We’ve met someone that we think is very interesting that you might like that can do the job.” So we met with them to make sure that there was a connection, and they weren’t just another vendor.
We wanted to ensure they understood how we operate.
That relationship with Privaxi led us to SecurityMetrics.
I have to admit, it was easy. I was expecting it to be more arduous because when we started the HITRUST process with our past assessor, it was harder. So, I was expecting more work. But partnering with Privaxi, and then working with SecurityMetrics made it a smooth process. Our SecurityMetrics HITRUST assessor had conversations with us and seemed to be experienced, and had more of an understanding of what we needed. The relationship worked very well.
For sure, we got away from the templated, no-direction type of HITRUST experience and moved towards a more direct and accountable approach. Once we got our policies and procedures tuned up, we addressed documentation, so we can prove around assessment time we’ve been doing things all year.
We did, and Privaxi was a big help with that. With the pandemic, everyone went virtual and worked from home, so we ended up closing down our office. We moved everything to the cloud, and a lot of our IT support was used to an on-premise infrastructure. So when we moved to the cloud, there were a lot of questions that we had about functionality and configurations that we weren’t used to in our environment. Privaxi helped us through that, and that was documented.
It was even easier, which blew my mind. Because when I look back at the first assessment that we did, we achieved nowhere near that. We’re in a cycle of collecting documentation every year, but other than that, it wasn’t much of an interruption, which was amazing.
The first thing I would say is that I know exactly who you can partner with, and you need to call them. I never thought that it could be this seamless. I’m satisfied with our partners Privaxi and SecurityMetrics.
It’s been great from the beginning to work with responsive companies that take ownership. And that’s what I really appreciate, is the ownership of the HITRUST process.