Technology and Security

Our network is engineered around a secure hosting architecture to meet performance, scalability and availability requirements for PGBA clients. It's one of the largest in the country, with a proven level of security, compliance and interconnectivity.

Best industry standards form the basis of our network security, strengthened by a combination of NSA Router Security Configuration Guides, and the Department of Defense Security Technical Implementation Guides (STIGs). Our own proprietary systems, along with seamless interactivity with a number of governmental, private payer, and vendor-based platforms, generate the power behind our ability to serve the claims and customer service needs for clients of any size, anywhere.

NIST compliant

PGBA is compliant with National Institute of Standards and Technology (NIST) 800-171 and understands the impact of security procedures and documentation. We meet this ongoing compliance requirement by meeting regularly with the government to review system integration, implementation and testing concerns. We carefully monitor evolving information systems security requirements and policy references.

PGBA follows the DoD architecture framework used to support interoperating and interacting DoD components. We interface with government systems such as Defense Eligibility Enrollment Reporting System (DEERS) and TRICARE Encounter Data (TED) through government-tested and approved networks.

Interconnectivity

PGBA seamlessly connects to systems owned by the government, the Managed Care Support Contractors (MCSC), and other vendors across different platforms. PGBA systems are currently integrated with DEERS, TED, MCSC systems, and vendor-supplied packages such as DRG Grouper for eligibility, enrollment, catastrophic cap, deductible, financial data, authorizations and pricing.

PGBA was the first FI to connect with DEERS online in 1981, and we have maintained and enhanced DEERS connectivity and usage through the years. We implemented each change and version of the DEERS system since its inception.

Our systems actively use DEERS information as part of our eligibility, enrollment, catastrophic cap and deductible, OHI, PCM, and benefits logic for the TRICARE contracts. We understand how DEERS should be used to identify sponsors and family members, to recognize multiple entitlements and dual eligibility, and to determine the proper health benefits program.

We meet or exceed DHA's client server requirements for hardware platforms, operating systems, disk space, web-based applications, and encryption tools, to work with DEERS' client/server, web applications, and system-to-system interfaces. We have well established connectivity with DMDC through the B2B Gateway using the government-configured VPN, and formal procedures for resolving problems through DSO.

Additionally, PGBA generates TED records for every claim processed, along with TEPRV records for authorized providers. The records are then transmitted to DHA. Voucher header summary information is balanced to the check register, and benefit checks are released for print and payment once the voucher has been approved.

EDI gateway

PGBA currently processes millions of HIPAA Electronic Data Interchange X-12 transactions from covered entities. These X12 transactions are received through the corporate electronic data interchange gateway (EDIG). EDIG performs the appropriate implementation guide edits based on transaction type, enforces the trading partner agreement, and translates the transaction into proprietary formats as per the health plan. All HIPAA transactions are stored in data repositories with the original information.

Our direct data entry systems used by providers, including myTRICARE.com's XPressClaim, are data content compliant and employ HIPAA compliant code sets.

Personnel security

PGBA meets current DHA fingerprint and background check requirements for DoD adjudication at the ADP/IT-II level. The PGBA systems vice president and our information assurance manager are adjudicated as ADP/IT-I. We are in line with MAC III sensitive requirements, as well as other DHA personnel and security policies, and have processes in place to ensure compliance.

Data security

IBM's restricted access command facility (RACF) secures online access to PGBA data, coupled with formal internal security procedures. The RACF administration area assigns and monitors secure user IDs, initial passwords, and access rights as authorized by designated plan management. Data security staff regularly review and update account and password requirements.

PGBA has numerous controls to ensure we protect stored data from unauthorized use. Our data security administration staff closely monitors the RACF to safeguard system databases, libraries, programs, data, databases and other technologies.

Encryption software is used when transferring sensitive information from any device, whether it's the enterprise server, a laptop or desktop PC.

Physical security

All PGBA facilities have access control systems that require secure key card presentation for facility entrance and digital closed circuit televisions. Uniformed security guards monitor camera and access control card transactions.

Our data center is fully secure, and is also patrolled by guards. Bollard posts surround the outside of the data center facility to protect it from vehicle intrusion. Ballistic glass impedes entering through windows in sensitive areas. Security and operations staff members monitor closed circuit cameras that are located around the perimeter of the facility, at external and internal entrances, and in various locations throughout the data center. Card and biometric hand-reader devices control access to the data center. A computer monitoring system logs all entries to prevent any unauthorized person from entering. Sensors and double-door mantraps limit normal access to one person per card to prevent "piggybacking." Duress alarms are available for extreme emergencies.