PHI never moves before the paperwork does
Every safeguard is in place, in writing, before a single claim line is shared.
Always in place first
Signed BAA
Meets 45 CFR 164.314 and 164.504(e), executed before any PHI is shared.
Letter of authorization
Names Soro the plan's authorized vendor with the TPA. Nothing more.
Defined audit scope
Minimum necessary access to the data required for the audit, and nothing else.
Four layers, documented
Administrative
A named security officer, workforce training, role-based access, an incident response plan, and an annual review.
Technical
Multi-factor authentication, TLS 1.2 or higher in transit, AES-256 at rest, session timeouts, and audit logging.
Physical
Access-controlled cloud infrastructure only. Never portable media, and disk encryption throughout.
Organizational
A signed BAA with every subcontractor that touches PHI, plus a maintained system inventory.
Use and disclosure
Soro uses PHI for exactly one purpose: the audit. We do not sell PHI, use it for marketing, or aggregate it into other products.
Data lifecycle
Data arrives over SFTP or TLS, stays encrypted at rest, and is reported back in de-identified form. On termination, we return or destroy it with written certification.
Breach notification
If a breach of unsecured PHI occurs, we notify the plan promptly and cooperate on the required reporting.
Member privacy
Plan members are never contacted by Soro. We work with the plan and the TPA, not with patients.
Security questions go to maximus@soro.health. Privacy questions go to maximus@soro.health.

