
Compliance, Privacy and Security

Our clients have peace of mind knowing that their clinical data is secure with MRO.

Accuracy and Multi-Layered QA

Improper disclosure of Protected Health Information (PHI) is costly to an organization’s bottom line as well as its reputation. MRO’s approach to Quality Assurance (QA) solves this problem by reviewing every request processed multiple times before it is released. The multi-layered QA process helps healthcare organizations enforce consistent policies, standardize processes and maintain best practices for PHI disclosure in multiple departments and outpatient facilities, ensuring compliance and limiting risk throughout their organization.

MRO’s first QA stage checks the request to ensure the authorization is valid and that all HIPAA requirements are met, which boosts the accuracy of MRO releases. Accuracy is then driven to 99.99% by applying proprietary optical character recognition (OCR) technology, IdentiScan®, to the process. Before release, every patient record has a barcode scanned to validate that there are no commingled patient records. Any detected errors are quickly corrected and documented by MRO’s QA experts.


To further drive compliance throughout the organization, MRO’s privacy and compliance team spearheads a variety of programs, working groups and trainings for the entire organization. If there is an incident, it is evaluated and the risk is analyzed; as a result, the person responsible is reassigned training based on MRO’s accountability matrix. This matrix was designed and approved by MRO’s Data Protection Steering Committee (DPSC) and compliance group. Should there be a major incident that requires immediate action, MRO’s Incident Response Team will be activated. Regardless of the severity of any possible incident, MRO reports the incident to the Covered Entity within five business days.


As one of the first release of information platforms to achieve HITRUST CSF Certified status for information security, MRO strives to continually exceed the complex compliance and security requirements. The certified status demonstrates that ROI Online has met specific regulations and industry-defined requirements and is appropriately managing risk. By including federal and state regulations, standards and frameworks, and incorporating a risk-based approach, the HITRUST CSF helps organizations address challenges through a comprehensive and flexible framework of prescriptive and scalable security controls.

AICPA Service Organization Control 2 (SOC 2) Type II

MRO completed the AICPA Service Organization Control 2, also known as SOC 2 Type II audit, demonstrating compliance with strict information privacy and security standards. The audit report covers MRO’s production facilities, business processes and flagship ROI Online PHI disclosure management platform. Results verify that MRO’s policies and strategies satisfactorily protect client data and fully meet stringent SOC 2 standards.

The SOC 2 framework includes five sections, forming a set of criteria called the trust services principles: security, integrity, availability, privacy and confidentiality. The rigorous SOC 2 audit process, combined with achieving the HITRUST CSF certification, showcases MRO’s commitment to the core mission—to disclose the correct PHI to the proper requester, each and every time.

