In finance and in industries where healthcare is not the primary focus, the trend is to use the SOC 2 reporting option (and the supporting Trust Services Principles) for reporting on HIPAA compliance. Fundamentally, it’s important to take note of the following five critical points regarding SOC 2 HIPAA compliance.

1. HIPAA SCOPE IS CRITICAL.

The Health Insurance Portability and Accountability Act (HIPAA) is an incredibly large and complex piece of legislation which is still evolving, with many changes, modifications, and updates since its inception in 1996. With that said, it’s important to ask yourself

“WHAT SPECIFIC PROVISIONS WITHIN HIPAA WOULD A SOC 2 ASSESSMENT COVER?”

You need to include Part 164, Subpart C for the following safeguards:

• Administrative Safeguards

• Physical Safeguards

• Technical Safeguards

Service organizations deemed business associates or covered entities perform these three safeguards as the main emphasis for the large and growing number of HIPAA compliance assessments. In other words, the legal department is watching!

2. DETERMINING THE VALIDATION CRITERIA.

Another issue with SOC 2 HIPAA reporting is determining which of the Trust Services Principles (TSP) to use for validating compliance with the HIPAA mandates. All five TSP’s could potentially have a credible connection with HIPAA reporting, and organizations must first identify the relevant scope for SOC 2 HIPAA reporting.

The Trust Services Principles (TSP) are comprised of the following five sections:

• Security: The system is protected against unauthorized access, use, or modification;

• Availability: The system is available for operation and use as committed or agreed;

• Processing Integrity: System processing is complete, valid, accurate, timely, and authorized;

• Confidentiality: Information designated as confidential is protected as committed or agreed; and,

• Privacy: The system’s collection, use, retention, disclosure, and disposal of personal information are in conformity with the commitments in the service organization’s privacy notice and with criteria set forth in the Generally Accepted Privacy Principles (GAPP) issued by the AICPA and CPA Canada.

3. THERE ARE OTHER OPTIONS FOR HIPAA REPORTING. 

When the SOC 2 framework was introduced, many practitioners from the Big Four accounting firms – one in particular – felt it was a natural fit for reporting on HIPAA.

The problem? You can’t perform a SOC 2 review and expect it to be HIPAA compliant. In other words, SOC 2 and HIPAA are not interchangeable and you cannot replace SOC 2 with HIPAA.

Even though SOC 2 can be a viable reporting option for HIPAA, many accounting firms favor issuing HIPAA specific reports. You can save your organization money if you only need to be HIPAA compliant and do not use a SOC 2 framework. 

4. POLICIES AND PROCEDURES ARE PARAMOUNT.

Probably the biggest obstacle for SOC 2 HIPAA compliance is putting in place comprehensive, well-written information security and healthcare specific policies and procedures. From a scope perspective for HIPAA, both the Privacy and Security Rules require copious amounts of policies and procedures, including documentation that can – and will – take an incredibly long time to develop if service organizations aren’t familiar with policy writing. 

The key to success for SOC 2 HIPAA? Strict use of the AICPA SOC framework.

5. SCOPE DRIVES DECISIONS.

It’s a changing world for healthcare regulatory compliance, one that’s largely driven by scope, along with client demands, expectations, and other essential issues.

For the audit geeks out there, remember:

• Part 164, Subpart C (the HIPAA Security standards), is what most organizations strive for regarding HIPAA compliance and yet, service organizations are now considering Subpart D – Breach Notifications – and Subpart E – the Privacy Rules – in scope. 

• SSAE-16, SOC-2, or SOC-3 compliance does not necessarily mean you are HIPAA compliant. There are different compliance requirements, from different organizations and agencies, and are non-interchangeable.

Certainly SOC 2 brings a somewhat better level of objectivity to data center audits than SSAE 16 (SOC 1), but it is not a substitute for a HIPAA audit. HIPAA requires specific policy, personnel training and breach remediation processes that are not covered in SOC 2 audits. In addition, the HIPAA security rules are very different than SOC 2 standards. 

Most of the forward thinker’s conduct several comprehensive audits as part of data center validation: SSAE 16, SOC 2, HIPAA and PCI. Each audit has its own specific purpose and requirements. While SOC 2 helps data centers move towards a more objective audit, it’s not a substitute for HIPAA or a PCI audit. 

N.B. Beware, SOC 2 is not a substitute for HIPAA compliance, especially when it comes to penalties associated with PHI breaches.