Utilizing the SOC 2 Framework for HIPAA/HITECH Compliance

In today’s business environment, one of the hottest topics for service organizations is the subject of Health Insurance Portability and Accountability Act (HIPAA) compliance. An increasing number of vendor questionnaires are including questions inquiring if the service organization is HIPAA compliant; however many service organizations are unable to address this question, as a HIPAA compliant certification does not exist. This often leads to audit firms being engaged to conduct HIPAA attestation engagements and issuing an independent opinion on the design and operating effectiveness of an Organization’s internal controls against HIPAA requirements. Including the HIPAA requirements in a Service Organization Control 2 report, or SOC 2 report, will allow service providers to ensure their compliance with healthcare law. Many of these service providers are already obtaining SOC 2 reports, so this will create audit efficiencies in their compliance goals. Incorporating other regulatory requirements is often called a SOC 2 “Plus” report.

The AICPA Assurance Services Executive Committee (ASEC) has issued five Trust Service Principles (TSP) that define broad statements of objectives and list out specific criteria that should be achieved to meet each principle. In 2014, a major overhaul of the TSP was performed and updated the principles’ objectives:

• Security:  The system is protected against unauthorized access, use or modification
• Availability:  The system is available for operation and use as committed or agreed
• Processing Integrity:  System processing is complete, valid, accurate, timely, and authorized
• Confidentiality:  Information designated as confidential is protected as committed or agreed

The Privacy trust principle did not receive an update in 2014, but the June 2015 exposure draft of changes to be implemented in 2016 shows a significant modification of the Privacy objective and related criteria.

Since being signed into law in 1996, HIPAA has consistently undergone change, especially with the incorporation of the Health Information Technology for Economic and Clinical Health (HITECH) Act which was enacted under Title XIII of the American Recovery and Reinvestment Act (ARRA) in 2009. Some of the most significant changes to the final HITECH omnibus rule published by the U.S Department of Health and Human Services (HHS) on January 25, 2013, included several that significantly impacted business associates. Business associates are now under direct liability for the HIPAA Security, Privacy, and Breach Notification Rules. A Business Associate is defined by the US Department of Health and Human Services as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”

The most common SOC 2 report that service providers obtain is typically on the AICPA’s five Trust Service Principles (TSP), which include Security, Availability, Confidentiality, Processing Integrity, and Privacy. A SOC 2 “Plus” report allows an independent audit firm the flexibility to issue an opinion on the TSP framework criteria as well as other regulatory (HIPAA, FISMA, PCI, etc.) requirements. Incorporating HIPAA and HITECH requirements and criteria into a SOC 2 “Plus” is seamless for an audit firm and creates a significant amount of audit efficiency due to overlap between TSP criteria and HIPAA/HITECH criteria.

For Service Organizations that are considered to be Business Associates of a healthcare institution, incorporating HIPAA and HITECH requirements into the next SOC 2 report should be a priority.

For more information regarding SOC 2 “Plus,” contact a Marcum IT Risk and Assurance Service professional.