Marcum LLP
Newsletters

Cybersecurity and Risk Management - Issue 1: February 2016


Utilizing the SOC 2 Framework for HIPAA/HITECH Compliance

In today's business environment, one of the hottest topics for service organizations is compliance with the Health Insurance Portability and Accountability Act (HIPAA). An increasing number of vendor questionnaires ask whether the service organization is HIPAA compliant; however, many service organizations are unable to answer this question, because no HIPAA compliance certification exists. This often leads to audit firms being engaged to conduct HIPAA attestation engagements and to issue an independent opinion on the design and operating effectiveness of an organization's internal controls against HIPAA requirements. Including the HIPAA requirements in a Service Organization Control 2 (SOC 2) report allows service providers to demonstrate their compliance with healthcare law. Many of these service providers already obtain SOC 2 reports, so this approach creates audit efficiencies in meeting their compliance goals. A SOC 2 report that incorporates other regulatory requirements in this way is often called a SOC 2 "Plus" report.

The AICPA Assurance Services Executive Committee (ASEC) has issued five Trust Service Principles (TSP) that define broad statements of objectives and list the specific criteria that must be met to satisfy each principle. In 2014, the TSP underwent a major overhaul that updated the principles' objectives:

  • Security:  The system is protected against unauthorized access, use or modification
  • Availability:  The system is available for operation and use as committed or agreed
  • Processing Integrity:  System processing is complete, valid, accurate, timely, and authorized
  • Confidentiality:  Information designated as confidential is protected as committed or agreed

The Privacy trust principle did not receive an update in 2014, but the June 2015 exposure draft of changes to be implemented in 2016 shows a significant modification of the Privacy objective and related criteria.

Since being signed into law in 1996, HIPAA has consistently undergone change, especially with the incorporation of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted under Title XIII of the American Recovery and Reinvestment Act (ARRA) in 2009. Some of the most significant changes in the final HITECH omnibus rule, published by the U.S. Department of Health and Human Services (HHS) on January 25, 2013, were those that directly affected business associates. Business associates are now under direct liability for the HIPAA Security, Privacy, and Breach Notification Rules. A business associate is defined by HHS as "a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity."

The most common SOC 2 report that service providers obtain covers the AICPA's five Trust Service Principles (TSP): Security, Availability, Confidentiality, Processing Integrity, and Privacy. A SOC 2 "Plus" report gives an independent audit firm the flexibility to issue an opinion on the TSP framework criteria as well as on other regulatory requirements (HIPAA, FISMA, PCI, etc.). Incorporating HIPAA and HITECH requirements and criteria into a SOC 2 "Plus" report is seamless for an audit firm and creates significant audit efficiency because of the overlap between the TSP criteria and the HIPAA/HITECH criteria.

For service organizations that are considered business associates of a healthcare institution, incorporating HIPAA and HITECH requirements into the next SOC 2 report should be a priority.

For more information regarding SOC 2 "Plus," contact a Marcum IT Risk and Assurance Service professional.
