Healthcare BPO based in Bangalore & Florida-US

Florida US based parent, Indian BPO subsidiary based in Bangalore

First time SOC 2 certification – 4 Trust Services Criteria in scope

• SOC 2 Type II certification
• Florida-based parent company gets the contract, fulfilled by the Indian subsidiary
• Main work is assistance in claims processing – but no data transferred / moved out of US (view only work and processing output stored in US based systems with access & data storage-related controls in place)
• Like most HIPAA-impacted BPOs – staff only access data & systems located in the US through systems based in India. HIPAA compliance not in scope
• Access controls, Data Loss prevention, Confidentiality, Security & Availability main concerns
• Was an attest engagement for us, with a partner having completed SOC Readiness assessment and Gap identification and remediation
• Attestation work completed in approx. 7 weeks