It’s easy to forget just how much sensitive data passes through a broker’s hands.
On any given day, you may send a census file, review benefits plan designs, discuss medical claims, and upload documents that reveal a client’s renewal strategy. You might even receive confidential data around compensation budgets or leadership restructuring—information that should never be made public.
Even if your internal processes are airtight, it doesn’t mean every partner holds the same standard. If one carrier or tech vendor makes a mistake, you’re looking at audits, potential lawsuits, and irreparably damaged client relationships.
All this to say, security and compliance can’t just be boxes to check in a vendor evaluation. But how do you know what to look for?
This guide breaks down three of the most critical security standards in the benefits ecosystem:
- HIPAA: A federal law that requires healthcare entities (and their partners) to protect patient information.
- SOC 2: An independent audit that measures how a company protects customer data across its tech stack.
- HITRUST: Originally created for healthcare businesses, HITRUST is a certification that proves an organization meets key controls—not just across HIPAA and SOC 2, but NIST, ISO, and PCI frameworks as well.
Why does security matter for benefits placement?
Security is a major part of benefits placement, and brokers are on the hook for it. They sit at the center of a highly regulated industry and run data-intensive workflows that depend on large volumes of sensitive information, such as:
- Corporate financials and benefits plan designs
- Personally identifiable information (PII): names, dates of birth, and contact details of employees
- Protected health information (PHI) for medical coverages, including employee census and limited claims experience data
That data isn’t static. It’s pulled from internal systems, sent across platforms, reviewed by multiple stakeholders, and stored in environments that may or may not be equally secure. Every file—every touchpoint—is an opportunity for something to go wrong, and you’ll be the first person clients call when it does.
But tight security and compliance processes aren’t just about avoiding worst case scenarios (though that should be a chief concern). Getting the best deal for your client depends on fast, accurate exchange of data. Misformatted or incomplete files as a result of lax controls cost valuable time, particularly during open enrollment or renewal season.
To avoid security issues and deliver an excellent client experience, brokers (and the technology platforms they depend on) have to safeguard against three interlocking dimensions of risk:
Regulatory risk
Brokers handling PHI are subject to HIPAA Privacy and Security Rules, 45 CFR §160/164 (more on this in the next section).
Non-compliance can trigger:
- Hefty fines
- Corrective-action plans
- Investigations by the Office for Civil Rights (OCR)
Dealing with these consequences diverts resources away from core operations and signals to current and prospective clients that your processes aren't reliable.
Operational risk
Benefits placement is a massive coordination effort across clients, carriers, and internal teams. When data is improperly logged or stored, it creates extra work for everyone involved. Teams end up spending more time double-checking files and fielding avoidable questions and less time offering strategic advice to clients.
Reputational risk
Trust is central to the broker-client relationship. Any breach, no matter how small, can cause lasting damage to a broker’s brand that may be impossible to bounce back from. Even if you take immediate corrective action, clients might think twice before working with you again.
That’s why understanding security guardrails (HIPAA, SOC 2, HITRUST) matters. If a vendor isn’t properly safeguarding data, you’re the one left exposed. Let’s start with the one you’re probably most familiar with: HIPAA.
What is HIPAA, really?
HIPAA, which stands for the Health Insurance Portability and Accountability Act, is a federal law that was passed in 1996. It has two primary goals:
- To make it easier to securely exchange health data between providers, insurers, and other partners so patients can get the best care (and organizations don’t have to navigate a patchwork of state laws).
- To protect health data from being inappropriately accessed or misused when shared across providers and networks
When people talk about HIPAA, they’re usually referring to the set of rules that govern the use of protected health information (PHI).
Note: PHI includes anything that can identify a person and their health status. For instance, your name or birth date could be tied to a specific diagnosis or treatment record.
Here’s what you need to know about each HIPAA rule:
As you might guess, there are several entities that must comply with HIPAA. They are:
Covered entities
This group includes health plans, health care clearinghouses, and certain health care providers that conduct standard electronic transactions.
For example, ThreeFlow health carriers are classified as covered entities.
Read more about covered entities here.
Business associates
This group consists of vendors or partners (including SaaS platforms) that handle PHI on behalf of covered entities. They must sign business associate agreements (BAAs)—which detail what they’ve been engaged to do on behalf of covered entities—and they must adhere to HIPAA rules.
For example, the ThreeFlow platform and our brokers are classified as business associates.
Read more about business associates here.
Though HIPAA is a legal requirement, it doesn’t guarantee rigorous security controls. The law spells out what protections need to be in place, not how those protections must be implemented.
Even the Department of Health and Human Services’ (HHS) advisory committee expressly recognizes “some flexibility in exactly how security measures are adopted,” provided they meet the “reasonable and appropriate” standard. That leaves a lot of room for interpretation.
There’s no official certification for HIPAA compliance. Neither HHS nor OCR endorses training programs, products, or services as “HIPAA compliant.” Really, the only time HIPAA compliance is formally evaluated is when OCR steps in through an investigation or breach-related audit. And that’s a risk most brokers can’t afford to take.
What is SOC 2, and where does it fit into benefits placement?
SOC 2 is a compliance framework developed by the American Institute of Certified Public Accountants (AICPA) to evaluate how well an organization protects customer data.
Though it’s not specifically designed for the healthcare industry, SOC 2 plays a critical role in the world of benefits placement because of how much sensitive information is transmitted and stored across technology platforms.
What SOC 2 evaluates
The SOC 2 framework outlines best practices across five “Trust Services Criteria”:
- Security - defending systems from unauthorized users
- Availability - ensuring systems are up and running when users need them and that data is accessible
- Processing integrity - making sure data is processed accurately and reliably
- Confidentiality - limiting access and use of sensitive information
- Privacy - protecting personally identifiable information
Companies that feel they are meeting these standards can request a SOC 2 audit from an independent third party. Audits come in two forms:
- Type 1, which determines whether a company has the right controls in place at a single point in time; or
- Type 2, which determines whether those controls operated effectively over a sustained period (typically a year). ThreeFlow is SOC 2 Type 2 certified.
Skimming? Here’s a quick look at how SOC 2 and HIPAA compare
What SOC 2 doesn’t cover
You may have noticed that many of the Trust Services Criteria overlap with HIPAA rules, making SOC 2 a strong indicator of a company’s overall security posture in a benefits placement context.
That being said, there are a number of specialized rules that a covered entity or business associate must follow to be HIPAA compliant that SOC 2 does not cover. For instance, SOC 2 does not address:
- How PHI is stored, transmitted, or protected
- Vendor data-sharing practices and sub-processor vetting (unless explicitly included in the audit scope)
- Requirements for breach response, audit readiness, or patient rights under HIPAA
HITRUST: The new benchmark for health data protection
If HIPAA is the legal floor and SOC 2 is the industry baseline, HITRUST is the gold standard for organizations operating in or adjacent to healthcare.
The HITRUST CSF (Common Security Framework) combines dozens of global security and compliance standards into one unified, prescriptive set of requirements. The CSF draws from:
- HIPAA
- SOC 2
- ISO/IEC 27001 and 27002
- NIST 800-53 revision 5
- PCI
- GDPR
Earning a HITRUST certification is a rigorous, multi-step process. First, a HITRUST-certified assessor evaluates an organization’s performance across 19 domains and over 300 controls. Then, HITRUST’s internal QA team independently reviews and validates those findings before issuing a formal certification.
Given the depth of this evaluation, it’s no surprise that less than 1% of HITRUST-certified organizations report breaches. And it’s why many large health plans, carriers, and enterprise employers now view HITRUST as a requirement.
4 burdens of working with non-HITRUST certified tech partners
Choosing a tech partner without HITRUST certification is a regulatory gamble and increases your workload. Here’s what you might be signing up for:
- Cumbersome vendor reviews. Without third-party validation to lean on, you have to run your own security checks (or risk picking a vendor not adequately prepared to manage healthcare data).
- Greater vulnerability. Without HITRUST’s prescriptive control set, gaps in PHI safeguards increase the chance of breaches and violations, adding to your legal liability.
- Heavier compliance lift. You’ll be responsible for getting BAAs signed, conducting custom risk assessments, and implementing ad hoc security requirements for each vendor you work with.
- Delays. Without baseline compliance, routine steps like onboarding or data sharing require extra approvals, making it harder to get quotes and renewals out the door.
3 advantages of working with a HITRUST-certified partner
When compliance is accounted for, you can focus your time and energy on delivering value to your clients. With a HITRUST-certified vendor, you gain:
- Speed. HITRUST certification signals enterprise readiness. And as we mentioned, large employers and health plans are starting to require it. Besides opening yourself up to high-value opportunities, certified partners move through upfront diligence faster, so you can get big contracts signed and underway sooner.
- Simplicity. Because HITRUST certification satisfies a broad range of compliance needs (HIPAA, SOC 2, PCI, NIST, and more), you don’t have to chase down piecemeal attestations. It’s all there.
- Trust. Working with vetted partners strengthens your credibility and sets the stage for strong, long-term relationships with your clients.
What to ask prospective vendors
If we haven’t made it clear by now, you must understand your vendors’ approach to security and compliance—your reputation depends on it. These questions can help you pressure test a company’s policies and catch red flags early:
Certification scope & validity
- Which systems are in scope for your certification?
- What is the assessment level (self-attestation or independent certification)?
- What’s the expiration date?
Assessment evidence
- Can you share your HITRUST CSF Certification Report and assessor’s letter?
- Can you share your SOC 2 Type 2 Report?
PHI data flows
- What PHI types do you process?
- How are these safeguarded?
- Is PHI encrypted at rest and in transit?
Third-party risk management
- How do you vet and monitor your sub-processors and vendors?
- Have all of them signed BAAs?
Audit & remediation
- How often do you conduct internal/external audits?
- What’s your process for identifying and addressing security gaps?
Access controls
- Who has access to PHI and under what conditions?
- How is access logged and monitored?
Incident response
- Can we see a copy of your incident response plan?
- Have you conducted recent simulations? Can we see the results?
Compliance is non-negotiable. That’s why it’s built into everything we do.
We’re not just talking the talk at ThreeFlow, we’re walking the walk.
From day one, we’ve embedded security and compliance into our product and internal operations, and we’ve got the credentials to prove it: SOC 2 Type 2 compliance and HITRUST E1 certification.
We’re committed to enabling secure, seamless collaboration between brokers and carriers; if you’re looking for a partner who sees security as more than a formality, let’s chat.