“Physical, technical, administrative processes and, ultimately, controls need to be assessed and reported on for security procedures to work effectively.”
The requirement to meet HIPAA standards applies to two types of organizations — healthcare covered entities and business associates (organizations that perform services for healthcare providers and thus have access to medical records).
Those records contain a variety of protected health information (PHI), ranging from the patient’s name, address and social security number to fingerprints, photos and license plate numbers to dates of health services rendered.
In order to protect the privacy of those records, organizations need four safeguards. Ruzalski explained, “Physical, technical, administrative processes and, ultimately, controls need to be assessed and reported on for security procedures to work effectively.” Barrett added that most organizations do well in the physical and technical aspects, which give a measure of internal assurance. For example, if an organization uses encrypted messages and a security breach happens anyway, it can defend itself by showing it did its part by using encryption.
Barrett also noted that many organizations don’t go far enough in the way they administer their data security programs.
To demonstrate HIPAA compliance, an organization must show regulators that it meets certain requirements. The first move is to hire a security officer and a privacy officer, give them authority to set policies and procedures, and make sure everyone is following the rules.
Ruzalski identified a four-step process to establish those policy and procedure controls:
- Conduct a risk analysis that examines the organization’s environment, vulnerabilities and the potential risk to patients’ electronic health records.
- Determine the specific controls needed to address those security risks and vulnerabilities.
- Put the security measures in place and manage them properly.
- Adopt a continuous cycle of testing, reviewing and reporting on the effectiveness of the security program.
Two of the ways organizations can demonstrate their commitment to protect their data are by using the SOC 2 + HIPAA reporting framework or by implementing the HITRUST framework and applying for HITRUST certification. Both provide a template and a standardized approach for analysis and reporting. Both also provide a third-party’s assurance that your organization is complying with HIPAA rules.
Role of SOC 2 reports in risk management
SOC 2 reports are internal control reports that tell users how their outsourced service providers analyze the security risks associated with the service and what controls they have in place to mitigate those risks.
SOC 2 examinations, conducted by CPA firms, assess the controls an organization has instituted for trust services criteria defined by the AICPA. “Security is always going to be required in a SOC 2,” Ruzalski said. The other trust services criteria that can be added to the scope of a SOC 2 examination are availability, processing integrity, confidentiality and privacy related to the in-scope services provided and their associated system commitments and system requirements.
- Security — The system describes how the organization’s data is protected against unauthorized access, use or modification through logical and physical access control measures.
- Availability — The system is available for operation and use.
- Processing integrity — System processing is complete, valid, accurate, timely and authorized.
- Confidentiality — Information designated as confidential is protected.
- Privacy — Personal information is collected, used, retained, disclosed and disposed of properly.
The actual SOC 2 report consists of five components:
- Independent auditor’s report
- Management’s assertion
- Service organization’s description of its system and controls
- Information provided by the auditor
- Other information provided by the service organization
The auditor’s report delivers an opinion on the fairness of the presentation describing the system, the suitability of the design and, for a SOC 2 Type 2 examination, the operating effectiveness of the controls over a specified time period.
Other information contained within Section V of the SOC 2 report can lay out how the security and privacy controls, in particular, overlap with HIPAA requirements in those two areas, Ruzalski said. This mapping can be an effective method for organizations to demonstrate how their internal controls line up with the defined HIPAA standards.
It should be noted that while the trust services criteria addressed in the SOC 2 can include many of the same controls used to comply with HIPAA, a SOC 2 report alone is not usually sufficient for HIPAA compliance. Because HIPAA rules have their own specific requirements, it is common to perform a SOC 2 + HIPAA audit, which will add the HIPAA standards to the scope of the engagement. The auditor’s opinion will address both the trust services criteria and the HIPAA standards.
Other similar alternatives include a HIPAA compliance audit or a HIPAA gap assessment, both of which can be performed in tandem with a SOC 2 examination to save cost and time, using a “test once, report many” methodology.
HITRUST’s contribution and certification
HITRUST helps organizations manage their security risks — both internal and external — more efficiently and effectively.
HITRUST Vice President of Business Development and Adoption Michael Parisi explained: “You have to tell the story of your overall program to manage risk through the lens of that regulator and the enforcement arm of OCR (the U.S. Department of Health and Human Services Office of Civil Rights) in order to be successful in helping them understand that you are appropriately addressing the requirements.”
HITRUST is known for three things:
- Its framework is a combination of risk management and controls-based options designed to address specific requirements for HIPAA and other government regulations so organizations can “assess once, report many.”
- HITRUST is an independent certifying body that depends on its partners to conduct audits. HITRUST then reviews the audits and determines if the appropriate controls are in place and are strong enough so that a HITRUST certification can be issued.
- The HITRUST approach is a modular, integrated set of programs. Organizations can choose which elements to adopt, ranging from frameworks to methodologies to software solutions.
HITRUST’s assessor organizations, including Grant Thornton, qualify as independent auditors through a rigorous process, Parisi said. HITRUST’s compliance pack consolidates relevant documents showing controls an organization has implemented and reports on their effectiveness, so that conversations with regulators can be “more seamless.”
According to Parisi, regulators have high expectations: “Gone are the days of just saying ‘I’ve got a business associate agreement in place.’ The OCR and the regulators are expecting you to have very high levels of diligence and procedures that you’re performing, not only in vetting third parties but also in ongoing monitoring of those third parties to ensure compliance.”
HIPAA is all about policies, procedures and showing that your organization’s controls are effective, Grant Thornton’s Ruzalski said. “A framework to implement these types of controls,” he said, “is an essential way to demonstrate to authorities that your operation meets HIPAA’s tough standards.”