Compliance

Compliance Built Into Every Layer

Healthcare providers in New Jersey operate under overlapping regulatory frameworks—HIPAA for patient data protection, NJ Medicaid rules for billing and service delivery, and industry standards like SOC 2 and NIST 800-53 for organizational security posture. Via Lucra does not bolt compliance onto finished systems. We architect compliance into the infrastructure, workflows, and operational procedures from the first design conversation.

Our Compliance Philosophy

Most compliance failures we see at NJ healthcare agencies aren't caused by willful negligence—they're caused by systems that make the wrong thing easy. A biller shouldn't need to remember to check authorization limits manually. A caregiver shouldn't need to remember to enable GPS before clocking in. An administrator shouldn't need to remember to review access logs monthly. Via Lucra builds systems where the compliant action is the default action: automated checks, proactive alerts, and audit trails that run without human intervention. When compliance is a byproduct of normal operations—not extra work—providers stay compliant consistently, not just during survey season.

HIPAA — Health Insurance Portability and Accountability Act

Every Via Lucra engagement that touches Protected Health Information follows HIPAA's Administrative, Physical, and Technical Safeguard requirements. We do not treat HIPAA as a checklist exercise—we design systems where the compliant path is the default path.

Technical Safeguards

  • AES-256 encryption at rest for all PHI storage using AWS KMS with customer-managed keys. The provider controls key rotation schedules and access policies—not Via Lucra, not AWS.
  • TLS 1.2+ enforced for all data in transit, including internal service-to-service communication within VPCs. Certificate pinning is applied for API integrations with external partners such as MCOs and clearinghouses.
  • Role-based access control (RBAC) implemented through AWS IAM Identity Center with MFA enforcement. Access to PHI systems requires both organizational identity verification and per-session MFA tokens.
  • Automated session timeouts and audit logging for all PHI access events. Every read, write, and delete operation is captured in immutable CloudTrail logs with tamper-detection enabled via log file validation.

Administrative Safeguards

  • Business Associate Agreements executed before any engagement involving PHI. Via Lucra maintains a BAA template aligned with 45 CFR §164.502(e) and §164.504(e) that clearly delineates responsibilities.
  • Workforce training documentation delivered as part of every engagement. We provide role-specific security awareness materials covering PHI handling, incident reporting, and acceptable use policies.
  • Risk assessments conducted at engagement start using the NIST Cybersecurity Framework as the evaluation baseline. Findings are documented in a risk register with severity ratings, remediation timelines, and responsible parties.

Physical Safeguards

  • All Via Lucra infrastructure runs in AWS regions with SOC 2 Type II and HIPAA-eligible designations. We do not use on-premises equipment for PHI processing.
  • Workstation security policies require full-disk encryption, automatic screen lock, and endpoint detection and response (EDR) software on any device used to access client environments.

SOC 2 — Service Organization Control

Via Lucra aligns its delivery practices to the SOC 2 Trust Services Criteria, focusing on Security, Availability, and Confidentiality. For clients pursuing their own SOC 2 attestation, we build infrastructure and operational controls that directly map to auditor evidence requirements.

Security (Common Criteria)

  • Infrastructure-as-code templates (Terraform) enforce security baselines across all environments. Every resource—from S3 bucket policies to security group rules—is version-controlled and peer-reviewed before deployment.
  • Continuous vulnerability scanning using Prisma Cloud for infrastructure posture and Checkmarx or Veracode for application code. Findings above medium severity trigger automated Jira tickets with SLA-based resolution timelines.
  • Change management follows a pull-request workflow with mandatory code review, automated test gates, and deployment approvals. No infrastructure change reaches production without passing policy-as-code checks (Open Policy Agent or AWS Config rules).

Availability

  • Service Level Objectives (SLOs) are defined during the design phase for every production system. We instrument custom Service Level Indicators (SLIs) using CloudWatch, Prometheus, or AppDynamics depending on the client's existing observability stack.
  • Automated backup and disaster recovery procedures are documented and tested quarterly. Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) are agreed upon with the client and validated through tabletop exercises.
  • Health check endpoints and synthetic monitoring ensure anomalies are detected before end users are impacted. PagerDuty or OpsGenie integration routes alerts to the appropriate on-call personnel based on severity.

Confidentiality

  • Data classification policies are established at project inception, categorizing information as Public, Internal, Confidential, or Restricted. Each classification level has corresponding controls for storage, transmission, and retention.
  • Secrets management uses AWS Secrets Manager or HashiCorp Vault—never environment variables, config files, or source code repositories. Secret rotation is automated on schedules aligned with the client's security policy.
  • Data retention and disposal procedures are documented for every data store. When an engagement concludes, Via Lucra executes a formal data disposal process with written confirmation that no client data remains in our systems.

New Jersey Medicaid Program Compliance

Via Lucra specializes in technology for NJ Medicaid providers participating in MLTSS, DDD, and HCBS waiver programs. We understand the specific regulatory requirements, billing workflows, and state systems that providers must navigate—knowledge that comes from working directly with agencies across the state.

Electronic Visit Verification (EVV)

  • Systems designed to integrate with HHAExchange and other state-designated EVV aggregators. We build pre-submission validation that checks visit records against authorization windows, GPS boundaries, and member eligibility before claims are batched.
  • Exception management workflows that flag visits with time discrepancies, missing GPS coordinates, or member ID mismatches for biller review—catching problems before they become denials.
  • EVV compliance dashboards showing real-time visit capture rates, exception trends, and caregiver compliance metrics. Agency administrators can identify training needs and operational gaps without waiting for monthly reports.
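The pre-submission validation and exception flagging described above, as an added example that is not Via Lucra's code; the record shapes, the exception codes, the 150 m geofence and the sample data are all assumptions constructed for illustration:

```python
from collections import namedtuple
from datetime import datetime as dt
from math import radians, sin, cos, asin, sqrt

# Constructed record shapes (not an aggregator's schema). gps is the (lat, lon) captured at
# check-in, or None when the device had no fix; service_addr is the member's service address.
Authorization = namedtuple("Authorization", "member_id service_code start end eligible")
Visit = namedtuple("Visit", "visit_id member_id service_code check_in check_out gps service_addr")

def distance_m(a, b):
    """Haversine great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371000 * asin(sqrt(h))

def validate_visit(v, auths, geofence_m=150.0):
    """Return exception codes for one visit; an empty list means it is ready to batch."""
    ex = []
    if v.check_out <= v.check_in:
        ex.append("TIME_DISCREPANCY")
    if v.gps is None:
        ex.append("GPS_MISSING")
    elif distance_m(v.gps, v.service_addr) > geofence_m:
        ex.append("GPS_OUT_OF_BOUNDS")
    same = [a for a in auths if (a.member_id, a.service_code) == (v.member_id, v.service_code)]
    covering = [a for a in same if a.start <= v.check_in and v.check_out <= a.end]
    if not same:
        ex.append("MEMBER_ID_MISMATCH")      # no authorization on file for this member/service
    elif not covering:
        ex.append("OUTSIDE_AUTH_WINDOW")
    elif not any(a.eligible for a in covering):
        ex.append("MEMBER_INELIGIBLE")
    return ex

def triage(visits, auths):
    """Split visits into a claim-ready batch and a biller review queue keyed by visit id."""
    results = {v.visit_id: validate_visit(v, auths) for v in visits}
    ready = [vid for vid, ex in results.items() if not ex]
    return ready, {vid: ex for vid, ex in results.items() if ex}

# Constructed sample: fictitious member ids, service code "PCA" and coordinates near Newark, NJ.
HOME = (40.7357, -74.1724)
AUTHS = [Authorization("M001", "PCA", dt(2024, 3, 1), dt(2024, 3, 31, 23, 59), True)]
VISITS = [
    Visit("V1", "M001", "PCA", dt(2024, 3, 5, 9), dt(2024, 3, 5, 11), (40.7358, -74.1725), HOME),
    Visit("V2", "M001", "PCA", dt(2024, 3, 5, 9), dt(2024, 3, 5, 11), None, HOME),
    Visit("V3", "M001", "PCA", dt(2024, 4, 2, 9), dt(2024, 4, 2, 11), HOME, HOME),
    Visit("V4", "M009", "PCA", dt(2024, 3, 6, 9), dt(2024, 3, 6, 8), (40.7358, -74.1725), HOME),
]
```

Only visits with an empty exception list leave `triage` in the batch; everything else lands in the review queue with the reasons a biller needs to resolve it.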

DDD Authorization Tracking

  • Structured tracking of Individual Service Plan (ISP) authorizations with monthly unit caps, service categories, and effective date ranges. Real-time utilization monitoring with threshold alerts at configurable percentages (typically 75% and 90%).
  • Amendment request tracking that links utilization trends to authorization change requests, ensuring program coordinators have documentation ready when requesting unit increases from DDD case managers.
  • Historical utilization reports by member, service category, and program site—supporting budget forecasting, staffing decisions, and quality assurance reviews.
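The monthly unit-cap tracking with 75% and 90% threshold alerts described above, as an added example that is not Via Lucra's code. It goes one step further than the text by adding a straight-line month-end projection that can back an amendment request; the record shapes, service categories and sample data are constructed assumptions:

```python
from calendar import monthrange
from collections import namedtuple
from datetime import date

# Constructed record shapes: one ISP authorization line and one delivered-service entry.
IspAuth = namedtuple("IspAuth", "member_id category monthly_units start end")
Delivered = namedtuple("Delivered", "member_id category service_date units")

def units_used(auth, entries, year, month):
    """Sum delivered units that count against this authorization in the given month."""
    return sum(e.units for e in entries
               if (e.member_id, e.category) == (auth.member_id, auth.category)
               and auth.start <= e.service_date <= auth.end
               and (e.service_date.year, e.service_date.month) == (year, month))

def threshold_alerts(auths, entries, as_of, thresholds=(75, 90)):
    """One alert per authorization at or above a threshold, with a pace-based month-end projection."""
    days_in_month = monthrange(as_of.year, as_of.month)[1]
    alerts = []
    for a in auths:
        used = units_used(a, entries, as_of.year, as_of.month)
        pct = 100.0 * used / a.monthly_units
        crossed = [t for t in sorted(thresholds) if pct >= t]
        if not crossed:
            continue
        projected = round(used / as_of.day * days_in_month)   # straight-line pace projection
        alerts.append({
            "member_id": a.member_id, "category": a.category,
            "used": used, "cap": a.monthly_units, "pct": round(pct, 1),
            "threshold": crossed[-1], "projected_month_end": projected,
            "amendment_candidate": projected > a.monthly_units,  # evidence for a unit-increase request
        })
    return alerts

# Constructed sample: three members, March 2024, reviewed on the 20th (fictitious ids and categories).
AUTHS = [
    IspAuth("M001", "CBS", 400, date(2024, 1, 1), date(2024, 12, 31)),
    IspAuth("M002", "CBS", 200, date(2024, 1, 1), date(2024, 12, 31)),
    IspAuth("M003", "DH", 100, date(2024, 1, 1), date(2024, 12, 31)),
]
DELIVERED = [
    Delivered("M001", "CBS", date(2024, 3, 4), 100), Delivered("M001", "CBS", date(2024, 3, 11), 120),
    Delivered("M001", "CBS", date(2024, 3, 18), 96),  Delivered("M001", "CBS", date(2024, 2, 26), 80),
    Delivered("M002", "CBS", date(2024, 3, 6), 96),   Delivered("M002", "CBS", date(2024, 3, 13), 95),
    Delivered("M003", "DH", date(2024, 3, 8), 30),
]
AS_OF = date(2024, 3, 20)
```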

MLTSS Billing and Claims

  • Visit-to-claim lifecycle mapping that traces every service encounter from caregiver check-in through EVV aggregation, authorization validation, claim submission, and remittance reconciliation.
  • Denial analytics that categorize rejection reasons, identify recurring patterns, and calculate the financial impact of each denial type. Agencies use these reports to prioritize operational improvements with the highest revenue recovery potential.
  • Integration with Conduent and MCO portals for claim status tracking, reducing the manual effort required to follow up on pending or rejected claims.

NIST 800-53 and ISO 27001 Governance

For clients with federal contract requirements or international operations, Via Lucra maps controls to NIST 800-53 (Revision 5) and ISO 27001:2022. We focus on practical implementation—not just policy documents—ensuring that every documented control has a corresponding technical enforcement mechanism.

Control Implementation

  • Control families mapped to specific infrastructure and operational evidence. For example, AC (Access Control) maps to IAM policies, MFA enforcement, and session management configurations—all deployed via Terraform and auditable through CloudTrail.
  • Continuous monitoring implemented through AWS Config rules, Security Hub standards (CIS Benchmarks, AWS Foundational Security Best Practices), and custom compliance checks that evaluate the environment daily.
  • Evidence collection automated through scheduled Lambda functions that pull configuration snapshots, access logs, and compliance scan results into a centralized evidence repository—reducing the labor required for annual audits.

Risk Management

  • Risk registers maintained in structured format with likelihood, impact, and residual risk scores. Reviews are conducted quarterly or triggered by significant system changes.
  • Incident response plans developed collaboratively with the client's security and operations teams, then validated through tabletop exercises that simulate realistic breach scenarios.
  • Third-party risk assessments for vendors and service providers in the data flow, ensuring that upstream and downstream partners meet the same security standards applied to the provider's own systems.

Continuous Compliance, Not Point-in-Time Audits

Traditional compliance approaches treat audits as annual events—organizations scramble to collect evidence, remediate findings, and document controls in the weeks before an assessor arrives. This creates a cycle of reactive effort that consumes significant staff time and still leaves gaps between audit periods.

Via Lucra implements continuous compliance monitoring that generates audit evidence as a byproduct of daily operations. Key elements include:

Automated Evidence Collection

Scheduled processes capture configuration snapshots, access logs, change records, and scan results into a centralized evidence repository. When audit time arrives, the evidence is already organized by control family and date range—no scrambling required.

Drift Detection

Infrastructure-as-code baselines are compared against running configurations daily. Any deviation—whether from a manual console change, a failed deployment, or an unauthorized modification—triggers an alert and creates a remediation ticket automatically.

Compliance Dashboards

Real-time visibility into compliance posture across all monitored controls. Dashboards show current status, historical trends, and open remediation items—giving leadership confidence in the organization's security posture without requiring deep technical knowledge.

Incident Response Readiness

Documented incident response plans with defined escalation paths, communication templates, and containment procedures. We conduct tabletop exercises with the provider's team to validate the plan against realistic scenarios—ensuring the team can respond effectively under pressure, not just on paper.

Assess Your Compliance Posture

Not sure where your organization stands on HIPAA, SOC 2, or NJ Medicaid compliance requirements? Via Lucra offers a focused assessment that maps your current state against applicable frameworks and provides a prioritized remediation roadmap. No sales pitch—just a clear picture of where you are and what needs attention.

Schedule a Consultation