SOC 2 HIPAA compliance seems to be a hot topic these days as covered entities, business associates, and other applicable organizations seek to become compliant with the ever-growing HIPAA standards, particularly that of the HIPAA Security and Privacy Rules. A growing trend is to use the SOC 2 reporting option under the AICPA Service Organization Control framework – and the supporting Trust Services Principles – for reporting on HIPAA compliance. It’s therefore fundamentally important to take note of the following 5 critical points regarding SOC 2 HIPAA compliance.
1. HIPAA Scope is critical. The Health Insurance Portability and Accountability Act (HIPAA) is an incredibly large and complex piece of legislation signed into law by President Clinton in 1996, with many changes, modifications, and updates since then. With that said, it’s important to ask yourself “what specific provisions within HIPAA would a SOC 2 assessment cover”? Generally speaking, it’s about including Part 164, Subpart C for the following safeguards:
- 164.308: Administrative Safeguards
- 164.310: Physical Safeguards
- 164.312: Technical Safeguards
These three (3) safeguards are often the main emphasis for the large and growing number of HIPAA compliance assessments being undertaken today by service organizations deemed as business associates or covered entities.
2. Determining which TSP’s to validate against. Another issue with SOC 2 HIPAA reporting is determining which of the Trust Services Principles (TSP) to use for validating compliance with the HIPAA mandates, particularly – as stated earlier – with Part 164, Subpart. After all, different auditors have different opinions on the TSP’s, all the more reason to use a proven and trusted CPA firm with years of healthcare experience and HIPAA expertise, such as NDNB. In reality, all of the five (5) TSP’s could potentially have a credible nexus with HIPAA reporting, but the relevant scope for SOC 2 HIPAA reporting has to be identified first and foremost.
3. There are other options for HIPAA reporting. When the SOC 2 framework was introduced, many practitioners from the Big Four accounting firms – one in particular – felt it was a natural fit for reporting on HIPAA. While SOC 2 can be a viable reporting option for HIPAA, many accounting firms and consultants favor issuing HIPAA specific reports, those that define the scope in terms of HIPAA and not SOC 2, and these types of reports are actually gaining recognition. HIPAA does not have to use the SOC 2 framework – not at all – for purposes of reporting, as there are numerous other assessments that are equally just as good or even superior than SOC 2 HIPAA reporting.
4. Policies and Procedures are Paramount. Probably the biggest obstacle for SOC 2 HIPAA compliance is putting in place comprehensive, well-written information security and healthcare specific policies and procedures. From a scope perspective for HIPAA, both the Privacy and Security Rules require copious amounts of policies and procedures, documentation that “can” take an incredibly long time to develop if service organizations aren’t familiar with policy writing. The key to success for SOC 2 HIPAA – if you’re even considering using the AICPA SOC framework, or the other reporting options discussed – is finding a competent firm with years of real-world HIPAA experience, such as NDNB. Learn more about NDNB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.
NDNB offers comprehensive regulatory compliance services, such as SOC 1, SOC 2 and SOC 3 reporting, HIPAA, FISMA, NIST, ISO, and PCI DSS compliance, along with many other specialized services. Visit ndbcpa.com to learn more.