DMW prides itself on delivering health insurance marketing that’s “measurably better.” We also take pride in going above and beyond to protect our clients’ data, which is one of their most valuable assets.

There are several ways in which we do that. One starts with a distinct blue badge you’ll see displayed on our website.

SOC 2 Type II certification

SOC 2 Type II is an industry-standard attestation (often informally called a certification) that’s earned when a company demonstrates its ability to safeguard customer data and maintain a secure and reliable IT infrastructure. It shows a company has implemented comprehensive controls and procedures to ensure the security, availability, and confidentiality of its customers’ data. SOC 2 Type II is one of the most widely recognized standards for demonstrating a company’s commitment to data security, availability, and confidentiality.

The SOC 2 Type II certification process involves a rigorous audit of security controls and procedures by the American Institute of Certified Public Accountants (AICPA). The auditor evaluates systems and processes to ensure they meet the standards set forth in the SOC 2 Type II framework.

DMW’s first SOC 2 report was issued in 2012 as a Type I report. In 2013, we received our current and more comprehensive SOC 2 Type II certification, amounting to 13 consecutive years of SOC certifications to date.

In addition to DMW’s system controls, the SOC 2 standard has implications for the selection and management of any service providers we use that may handle member data.

To ensure all client work is executed accurately, consistently, and in compliance with the comprehensive controls and procedures we follow internally, we have a stringent Vendor Qualification Process and Quality Control Program. Additionally, all business-critical vendors are required to possess either a SOC or HITRUST Common Security Framework (HITRUST) certification.

Role-based access controls

We grant access to client systems and data based on role and business need, following the principle of “least privilege.” We review user access periodically and adjust it as responsibilities change to help reduce unnecessary exposure to sensitive information. These controls support accountability while helping ensure that only authorized personnel can access the client data required to perform their work.

Incident response and escalation

DMW maintains documented incident response and escalation procedures designed to support the timely identification, investigation, and management of potential security events. These procedures outline internal roles, communication protocols, and coordination with clients, where applicable, to help ensure appropriate and consistent handling of incidents. We regularly review these procedures to ensure we’re always prepared.

Staying safe in the cloud

When an organization “moves to the cloud,” it essentially moves data from on-site servers to a cloud-based infrastructure. There are many reasons for doing this, including cost savings, scalability, and flexibility.

Another reason to choose the cloud is the potential for increased data security. With proper configuration and oversight, modern cloud platforms are able to provide powerful security features that go beyond on-site systems, including encryption, access control, security intelligence, and more.

In addition, housing data in the cloud can offer better disaster recovery and business continuity. Cloud-based systems can be configured to ensure your data is safe and can be restored quickly, even in the event of a fire, earthquake, flood, etc.

As an agency that works closely with many health insurers, we’re obligated to adhere to the specific protocols set in place by the Health Insurance Portability and Accountability Act (HIPAA), the Centers for Medicare & Medicaid Services (CMS), and other regulatory frameworks.

We have Business Associate Agreements (BAAs) in place as required with providers that handle protected information. When a platform or technology doesn’t offer a BAA, DMW limits the type of data shared, restricts the use of protected health information (PHI), and aligns data handling practices with client requirements and applicable regulations.

When considering a move to the cloud, it’s important to thoroughly evaluate a cloud provider based on factors such as reliability, security standards, compliance, and cost.

Data retention and secure disposal

DMW follows data retention and secure disposal practices that align with client requirements, contractual obligations, and applicable regulations. We retain data to support business and compliance needs, then use secure disposal methods when the data is no longer needed. These practices help reduce unnecessary data exposure while supporting responsible information lifecycle management.

There’s no such thing as too much data security

When it comes to protecting sensitive data, “good enough” is not good at all. With so much at stake, my colleagues at DMW and I are driven by the idea that only the utmost adherence to security protocol — day in and day out — will do. This is an organization-wide attitude, and in fact, all employees are required to demonstrate their data security knowledge on an annual basis through a series of training modules and testing.

To learn more about our security standards and how DMW can inspire your health insurance marketing, give us a call.