Find Your Industry

TPA Healthcare Software in Today's Regulatory Compliance Arena

Years ago, a large part of the core claims administration activities conducted by Third Party Administrators (TPA) were done manually, without any type of real TPA healthcare software. However, much has changed recently with the exponential growth of information systems being utilized within the benefits industry. Many TPA organizations are still utilizing legacy, "green screen" AS 400 claims software, with others moving to highly sophisticated application modules, capable of handling an array of activities. What's important to note is that regardless of the system used, auditor are now spending a considerable amount of time auditing these applications and their supporting systems. And why? Because TPA healthcare software falls under one of the main guises and premises of auditing, that is; testing for assurances that information is input accurately, completely, and in a timely manner. Moreover, any updates to code changes for these very systems are also an important component of today’s regulatory compliance auditing world.

Here's what all sides need to know about these systems and their impact on regulatory compliance.

Plan Sponsors and Benefit Managers outsourcing to a TPA

Quite often, plan sponsors and other parties who outsource to a TPA require certain claims administration activities to be tested for assurances they are working as stated in service agreements. Many times, these claims activities are tested within the TPA healthcare software applications being used by the TPA. With that said, it's a good idea to gain a in-depth understanding of the systems used by the TPA and to also require certain tests be conducted by external auditors, such as when a SAS 70 Type I or SAS 70 Type II audit is being undertaken. Some examples of requirements for the TPA healthcare software should be the following:

System access is only granted to authorized individuals within the TPA organization System changes or code changes to the software could potentially impact data integrity when sending information to the TPA. Therefore, require tests to be conducted for ensuring software code changes and/or updates do not affect data integrity.

Be specific on your requirements for claims administration. Many entities outsourcing to a TPA ask for only high-level, boiler plate, general requirements for claims activities, such making sure "information is updated in a timely manner for new plans" or "participant information" is accurately recorded. Instead, be more descriptive; require your TPA to conduct tests that ensure TPA healthcare software is working properly. Require tests for confirming input, process, and output activities are complete, accurate, and processed in a timely manner.

TPA Recommendations

As the regulatory pulse starts to strengthen, expect more direct questions and discussions regarding your TPA healthcare software. Be prepared to have your software applications fully examined by auditors for a number of tests of controls. Along with client demands, I.T. auditors, such as those who conduct SAS 70 audits will be looking at the following internal control safeguards within your systems:

• System Access
• Change Management and Change Control
• Data Integrity fields and checks
• Input, processing, and output controls
• System scalability and robustness

Being proactive will greatly mitigate any regulatory compliance headaches you possibly encounter with SAS 70 auditors or even your client's auditors. Effective communication and pre-planning is essential for understanding the scope when testing TPA healthcare software and for better preparing for the audit overall. Any deficiencies or concerns that arise out of a SAS 70 audit should not be looked upon in a negative light, rather, it’s an opportunity to improve upon your control environment, specifically the controls around your TPA healthcare software platform. The auditing requirements are just going to become more rigorous and in-depth as information systems continue to expand into other areas of your organization. Take the time to constructively understand your systems and be optimistic about any findings during the SAS 70 Type I or Type II audit.

Interested parties can download a sample SAS 70 audit geared towards a TPA and can also learn more about the history and overview along with important facts on Statement on Auditing Standards No. 70