Technology and Security
Our network is engineered around a secure hosting architecture to meet performance, scalability and availability requirements for PGBA clients. It's one of the largest in the country, with a proven level of security, compliance and interconnectivity.
Best industry standards form the basis of our network security, strengthened by a combination of NSA Router Security Configuration Guides and the Department of Defense Security Technical Implementation Guides (STIGs). Our own proprietary systems, along with seamless interactivity with a number of governmental, private payer, and vendor-based platforms, generate the power behind our ability to serve the claims and customer service needs for clients of any size, anywhere.
DIACAP certification
PGBA is DIACAP certified and understands the impact of DIACAP security procedures and documentation. We meet this ongoing compliance requirement by meeting regularly with the government to review system integration, implementation and testing concerns. We carefully monitor evolving Department of Defense (DoD) information assurance requirements and policy references.
PGBA follows the DoD architecture framework used to support interoperating and interacting DoD components. We interface with government systems such as DEERS and TED through government-tested and approved networks.
Interconnectivity
PGBA seamlessly connects to systems owned by the government, the Managed Care Contractors (MCSC), and other vendors across different platforms. PGBA systems are currently integrated with DEERS, TED, MCSC systems, and vendor-supplied packages such as DRG Grouper for eligibility, enrollment, catastrophic cap, deductible, financial data, authorizations and pricing.
PGBA was the first FI to connect with DEERS online in 1981, and we have maintained and enhanced DEERS connectivity and usage through the years. We implemented TNEX New DEERS in 2004, and, in August 2007, ran over 15 million queries through our online and batch systems.
Our systems actively use DEERS information as part of our eligibility, enrollment, catastrophic cap and deductible, OHI, PCM, and benefits logic for the TNEX contracts. We understand how DEERS should be used to identify sponsors and family members, to recognize multiple entitlements and dual eligibility, and to determine the proper health benefits program.
We meet or exceed TMA's client/server requirements for hardware platforms, operating systems, disk space, web-based applications, and encryption tools, to work with DEERS' client/server, web applications, and system-to-system interfaces. We have well-established connectivity with DMDC through the B2B Gateway using the government-configured VPN, and formal procedures for resolving problems through DSO.
Additionally, PGBA generates TED records for every claim processed, along with TEPRV records for authorized providers. The records are then transmitted to TMA. Voucher header summary information is balanced to the check register, and benefit checks are released for print and payment once the voucher has been approved.
EDI gateway
PGBA currently processes a number of HIPAA Electronic Data Interchange X12 transactions from covered entities. These X12 transactions are received through the corporate electronic data interchange gateway (EDIG). EDIG performs the appropriate implementation guide edits based on transaction type, enforces the trading partner agreement, and translates the transaction into proprietary formats as per the health plan. All HIPAA transactions are stored in data repositories with the original information.
Our direct data entry systems used by providers, including myTRICARE.com's XPressClaim, are data-content compliant and employ HIPAA-compliant code sets.
Personnel security
PGBA meets current TMA fingerprint and background check requirements for DoD adjudication at the ADP/IT-II level. The PGBA systems vice president and our information assurance manager are adjudicated as ADP/IT-I. We are in line with MAC III sensitive requirements, as well as other TMA personnel and security policies, and have processes in place to ensure compliance.
Data security
IBM's restricted access command facility (RACF) secures online access to PGBA data, coupled with formal internal security procedures. The RACF administration area assigns and monitors secure user IDs, initial passwords, and access rights as authorized by designated plan management. Data security staff regularly review and update account and password requirements.
PGBA has numerous controls to ensure we protect stored data from unauthorized use. Our data security administration staff closely monitors RACF to safeguard system databases, libraries, programs, data and other technologies.
Corporate policy dictates the use of encryption software when transferring sensitive information from any device, whether it's the enterprise server, a laptop, desktop PC, or flash drive.
Physical security
All PGBA facilities have installed access control systems and digital closed circuit televisions. Uniformed security guards monitor camera and access control card transactions.
Our data center is fully secure, and is also patrolled by guards. Bollard posts surround the outside of the data center facility to protect it from vehicle intrusion. Ballistic glass impedes entering through windows in sensitive areas. Security and operations staff members monitor closed circuit cameras that are located around the perimeter of the facility, at external and internal entrances, and in various locations throughout the data center. Card and biometric hand-reader devices control access to the data center. A computer monitoring system logs all entries to prevent any unauthorized person from entering. Sensors and double-door mantraps limit normal access to one person per card to prevent "piggybacking." Duress alarms are available for extreme emergencies.