If you hold protected health information for your clients, either in electronic (ePHI) or hard copy form (PHI), you must comply with the Health Insurance Portability and Accountability Act (HIPAA). In some cases, a client may have asked that you sign a business associate agreement or BAA. When signing a BAA, you commit to follow the HIPAA requirements and protect your clients’ ePHI or PHI. Ok, so you’ve won the work with the prospective client, but now what? Are you really HIPAA compliant? How do you know?
Entities seeking to demonstrate HIPAA compliance to their customers and potential customers have several options available. The options in order of assurance range from; self-audits against the HIPAA requirements; to an independent HIPAA gap assessment; to an independent HIPAA compliance report (AT-C 315); to a HITRUST certification.
Options for Demonstrating HIPAA Compliance
Self-Audit – Is there a HIPAA Certification?
There is no HIPAA requirement that an independent audit be performed. There is also no such thing as a HIPAA certification. As a result, any entity can self-audit against the HIPAA requirements. An employee or contractor can review compliance against the HIPAA requirements, identify any gaps, and remediate them. Afterwards, an entity can hold itself out as being HIPAA compliant.
AT-C 315 – HIPAA Compliance Attestation
One of the most common options for demonstrating HIPAA compliance is an attestation report from an independent auditor. This type of report usually holds more weight than a self-audit because it’s from an independent firm. While the AICPA SOC 2 Security and SOC 2 Privacy reports offer significant assurance that security and privacy criteria in the underlying Trust Services Principles are met, SOC 2 reports do not include an opinion on HIPAA compliance.
Such an attestation is available. The AICPA recognized almost 15 years ago that CPAs could provide value to their clients by reporting on either (a) an entity’s compliance with requirements of specified laws, regulations, rules, contracts, or grants or (b) the effectiveness of an entity’s internal control over compliance with specified requirements. To facilitate this, the AICPA’s Statements on Standards for Attestation Engagements No. 10, Attest Engagements, established a framework for attest engagements and outlined general attestation standards, including examples of examination reports and review reports.
Among the types of examination reports established by SSAE 10 was the Compliance Attestation report—a report that a CPA could issue concerning compliance with laws and regulations. The professional standards regarding this report were codified into the AICPA’s Attestation Standard (AT) Section 601, Compliance Attestation and have since been codified into AT-C 315 within SSAE 18. Given that the HIPAA Security, Breach Notification, and Privacy rules constitutes auditable requirements, an AT-C 315 HIPAA report can be produced by CPAs in public practice covering one or more of these rules.
Linford & Company provides AT-C 315 HIPAA reports most commonly for the Security and Breach Notification rules. Such reports are usually a Type I report—meaning that the independent auditor’s opinion on the entity’s assertion about compliance with HIPAA is as of a point in time. A report issued in accordance with the provisions of AT-C Section 315 does not provide a legal determination of an entity’s compliance with specified requirements; although, such a report may be useful to legal counsel or others in making such determinations.
Most engagements are scoped to include the requirements of the HIPAA Security and Breach Notification Rules. Optionally, the engagement scope can be expanded to include the requirements of the HIPAA Privacy Rule, as well as state privacy and security laws and regulations. The HIPAA Compliance report may be distributed to clients and prospective clients. We also perform HIPAA Compliance Assessment reports for the internal use of management.
A typical audit for HIPAA Security and Breach Notification Rule compliance includes the evaluation of the administrative, physical, and technical safeguards as they relate to the electronic protected health information (ePHI) an organization creates, receives, processes, maintains, and/or transmits; as well as the evaluation of the organization’s policies, procedures, and overall readiness to manage a breach of protected health information (PHI) in accordance with the notification requirements.
Linford & Company’s AT-C 315 HIPAA Security and Breach Notification rule compliance reports include in the following sections:
- Report of Independent Auditors (opinion);
- Entity’s Assertion about HIPAA compliance;
- Entity’s Description of its Operations, Entity-Level Controls, and the Electronic Protected Health Information (ePHI) environment;
- Description of Control Activities Prepared by Entity’s Management;
- Independent Auditor’s Description of Tests of Controls and Results;
- HIPAA Security and Breach Notification Requirements and Controls—includes a cross-reference between HIPAA’s requirements and the entity’s controls.
The content of these report sections should provide an entity’s customers and potential customers with sufficient evidence that they are materially compliant with HIPAA’s requirements.
A HIPAA security compliance report is useful to any HIPAA covered entity or business associate that must demonstrate compliance with the HIPAA requirements. The following are examples of how audit reports are used:
- Service organizations or service providers (e.g., providers of colocation services, managed services, cloud services, software-as-a-service, outsourced transaction processing, etc.) may provide the report to potential or existing customers to satisfy them that the systems environment where they store ePHI is HIPAA-compliant. These organizations are known in HIPAA as “business associates” and are required to sign a business associate agreement with each HIPAA-covered entity for whom they provide such services.
- Healthcare provider and payer organizations may desire such a report to gauge the effectiveness of their privacy and security compliance programs and to make improvements.
- Healthcare provider and payer organizations may require the report for their most critical services providers (i.e., business associates) to ensure that such organizations are compliant with the HIPAA requirements and to increase the likelihood that the threats, vulnerabilities, and risks to ePHI have been identified and addressed.
As healthcare entities continue to hold sensitive data for their patients and clients, more and more entities are demanding greater assurance that business associates have security controls implemented that are commensurate with the sensitivity of the data held. For entities desiring even greater assurance than an AT-C 315 report, a HITRUST certification is gaining traction within the healthcare space. See recent blog posts about HITRUST certification, HITRUST vs. SOC 2, and the benefits of HITRUST certifications. Linford and Company is a Certified HITRUST Assessor and can provide Validated HITRUST assessments to clients. A completed validated assessment is required to become HITRUST certified.
In summary, there are several options for demonstrating HIPAA compliance. Listen to your customers and clients and identify the correct level of assurance for your needs. Also, contact Linford & Company if you have any questions or would like to discuss the HIPAA compliance process further.
Linford & Company performs each audit engagement using a proven phased approach to deliver the utmost value to each organization. Throughout all phases of the HIPAA audit, we will capture and share knowledge and best practices for use throughout the organization. For more information, please contact us.
For more information on HIPAA compliance, browse these articles:
- Top 5 HIPAA Compliance Gaps to Avoid
- HIPAA Security Rule Requirements & Implementation Specifications
- When is Consent Required to Disclose PHI Under the HIPAA Privacy Rule?
- The Security Risk Analysis and HIPAA Compliance
- What’s in Scope of a HIPAA Security Compliance Audit?
- The IT Risk Assessment and HIPAA Compliance
- Patch Management and HIPAA Compliance
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.