When considering HIPAA compliance, it’s a bit of the wild west out there right now. The Office of Civil Rights (OCR), enforces fines and sanctions for HIPAA violations, but it is mostly on a reactionary basis. You can review the HIPAA cases currently under investigation and get a sense of the type of incidents and […]
Our firm has been a HITRUST CSF assessor for nearly a year and we have numerous lessons learned. We have seen common pitfalls as well as identified what is needed to make HITRUST compliance achievable, even for a small company. This article will summarize what we have learned about HITRUST and the process for HITRUST […]
So you have built a Software-as-a-Service (SaaS) application on top of AWS or another infrastructure-as-a-service provider. It’s likely one of the reasons you did so was to leverage the AWS SOC 2 compliant infrastructure. Service organizations like AWS receive SOC 2 reports to demonstrate to stakeholders such as investors and clients that the AWS infrastructure […]
If you hold protected health information for your clients, either in electronic (ePHI) or hard copy form (PHI), you must comply with the Health Insurance Portability and Accountability Act (HIPAA). In some cases, a client may have asked that you sign a business associate agreement or BAA. When signing a BAA, you commit to follow […]
The concept of user control considerations within SOC reports has been around since SOC reports were referred to as SAS 70s, although the AICPA’s term used to describe user control considerations has changed over time. These controls are now known as complementary user entity controls (CUEC). You may also hear these controls referred to as […]
Qualified opinions mean that either the internal controls were not designed (Type I or II) or operating (Type II only) effectively for one or more control objectives included within a SOC 1 report or Trust Services Criteria included within a SOC 2 report. In a SOC report, management asserts that certain controls are in place. […]
This article is a follow-up to a previous article, “What is a Soc 1 Report?” Below I will cover some common questions that come up related to SOC 2 reports. SOC 2 compliance does not have to be difficult although with some of the terminology it can initially be confusing. So what are SOC 2 […]
Health care related organizations who wish to demonstrate their compliance with HIPAA and other regulations are choosing more and more to become HITRUST compliant or certified. We know…another information security framework…great! In the past, health care organizations have either signed business associate agreements or verbally committed to their partners that they were HIPAA compliant and […]
One of the areas we are required to evaluate on every HIPAA audit or compliance assessment is whether our client is compliant with HIPAA’s record retention requirements.
Recently, a client asked if we could provide them some insight on the similarities, differences, advantages, and disadvantages of getting a SOC 2 Security versus an ISO 27001 certification.