Catamaran, the fourth largest pharmacy benefits manager in the country, also provides mail-order and specialty pharmacy services. In this dual role, the company functions as both a HIPAA covered entity and business associate. When faced with a potential HIPAA incident, Catamaran must comply with a plethora of changing state and federal laws, as well as meet the terms of its numerous business associate agreements.
To help Catamaran better manage the complexity of its incident response process, compliance administrator Betsy Madeira turned to RADAR.
RADAR helps Catamaran:
As a provider of mail-order and specialty pharmacy services, Catamaran works directly with patients, which classifies the company as a HIPAA covered entity. As a pharmacy benefits manager, the company is a business associate. “We have clients who have members in all 50 states,” said Ms. Madeira. “We have patients under our pharmacies in all 50 states as well as the U.S. territories. For any particular state, I’m looking at requirements to report to the attorney general’s office and to a credit-reporting agency in the state. Depending on an organization’s issues, you may be looking at media notification.”
In addition, the manual process for tracking and managing incidents was time-consuming, error-prone, and lacked consistency. An internally developed database tool was considered. However, a database lacked much-needed flexibility, and would have taken time and in-house expertise that Catamaran didn’t have. “We have a tremendous IT department, but it takes a special skillset to develop and design a database,” Ms. Madeira said. “These are the types of challenges that really drove our need and desire for a better way to do things.”
RADAR has been tremendously helpful to assist us in our dual role as a business associate and a covered entity.
- Betsy Madeira
Compliance Administrator | Catamaran
For every potential HIPAA incident, Ms. Madeira and her team have to consider federal and state laws, as well as client obligations. “That’s where we rely pretty heavily on RADAR,” Ms. Madeira said. “RADAR has been very scalable to our organization in terms of size and capabilities, as well as in our role both as a business associate and covered entity,” she added. “We can process a potential HIPAA incident, run a risk assessment, and perform a breach determination as a covered entity or as a business associate. RADAR factors in the different legal federal and state obligations. It’s tremendous.”
While team members address each incident on a case-by-case basis, RADAR supports these efforts and is considered part of Catamaran’s strategy for HIPAA compliance, Ms. Madeira said. Consistency is critical, she added, “with not only our intake but our assessment capabilities. RADAR gives us a common baseline that we use and rely upon.”
I can tell you I sleep a lot better at night knowing RADAR has a team of professionals that are researching and monitoring state laws and proposed changes.
— Betsy Madeira
Compliance Administrator | Catamaran
RADAR operationalizes your incident response management process by applying automation and best practices to privacy and security incident intake, risk assessment, breach decisioning, and notification.
Every employee across the Catamaran organization has access to RADAR for potential incident reporting. “Having one primary, easy-to-use mechanism for escalating or reporting any type of potential HIPAA incident is key for us,” Ms. Madeira said. “It has really helped us to help our employees meet their obligations, which in turn helps us to meet our legal obligations for reporting and processing these incidents.”
RADAR saves time every step of the way, including the intake process. “The difference between getting an incident reported in RADAR and having to take facts and findings from a variety of other intake methods saves me lots of time,” Ms. Madeira said. Ms. Madeira also appreciates RADAR’s centralized repository—particularly the ability to make changes and store background documents, such as e-mails or spreadsheets. “RADAR lets us store the data in one place: the incident is reported, all the background information is there, all the facts are contained in the incident report,” she added.
RADAR’s search capability lets Ms. Madeira generate custom reports to identify trends as well as address potential issues or areas needing improvement. “In this way, RADAR has been a tremendous asset,” she said. “It’s been fantastic.”
“RADAR is always evolving the product and adding new functionality,” Ms. Madeira said. “RADAR is not static; it’s always changing to meet our needs. Whenever we have a suggestion or a question about an improvement, the people at RADAR have been wonderful about addressing our concerns and helping us improve the tool for our use—and for others as well. It has made my job a lot easier.”