An audit is intended to build trust, decrease risk and encourage efficiency in business practices. While these traits are important for all businesses, they are critical for entities within the healthcare industry. No company is immune to risk, but those in the healthcare industry have a higher inherent risk based on the types of data being collected, stored, and transmitted. The question is, with higher risk, should entities in healthcare be in compliance with SOC 2?
Healthcare Compliance: A History
With the importance of compliance in the healthcare industry, some may assume it has been around for a long time. So before we discuss compliance in healthcare let’s look at when it began:
- “August 1996 – HIPAA Signed into Law”
- “April 2003 – Effective Date of the HIPAA Privacy Rule”
- “April 2005 – Effective Date of the HIPAA Security Rule”
- “March 2006 – Effective Date of the HIPAA Breach Enforcement Rule”
- “September 2009 – Effective date of HITECH and the Breach Notification Rule”
- “March 2013 – Effective Date of the Final Omnibus Rule”
What Are the Different Types of Audits in Healthcare?
Let’s first begin by defining the “SOC” we are referencing in this article. In the healthcare industry “SOC” can be the abbreviation for the standard of care. In this article, we are using SOC as an abbreviation for the system and organization controls.
Audits can be performed from many angles within the healthcare industry. Individuals in the medical profession, e.g. nurses, perform internal audits on topics such as death rates and patient transfers using guidance from the Institute for Healthcare Improvement. Additionally, external audits/examinations such as HIPAA were developed to provide guidance on protecting Protected Health Information (PHI), along with HITRUST, which was developed to address security, privacy, and regulatory challenges, and SOC 2 with the purpose of providing assurance that a particular service is being provided securely. Read here to learn more about HITRUST vs HIPAA and the HITRUST certification process.
How Are SOC Examinations Performed in Healthcare?
The beginning phase of any audit, even for those in the healthcare industry, is to establish the scope of the audit by determining what questions the users of your services are asking and what type(s) of services are provided. The common (and required) Trust Services Criteria (TSC) for SOC 2 is the security criteria. In healthcare, where the risk around data is heightened, the confidentiality and privacy of data are relevant. This means that the confidentiality and privacy TSCs would most likely become relevant for the SOC 2 scope as well.
The confidentiality criteria has focus points on addressing how information, which is designated as confidential, is protected within the system. The privacy criteria is focused on personal information and how it is collected, used, retained, disclosed, and disposed of. Although confidentiality includes sensitive information, only privacy applies to personal information. Personal information is data that can be used to identify a person.
The types of healthcare organizations that can benefit from SOC 2 audits include, but are not limited to, hosting platforms, payment processors, and SaaS companies that manage customer data.
How Do You Monitor Compliance in Healthcare?
Monitoring compliance looks different between organizations. This is because the structure, geographic locations, involvement of management, and services provided all impact how compliance is monitored. Widespread geographic locations can impact how the company shares ideas, detects risks, and discusses emerging threats as a company-wide meeting may not be possible across many time zones. The responsibility of discussions may be delegated based on regions. Regardless, lessons learned from these discussions need to be communicated properly so that risks, which could impact compliance, are assessed, tracked, and resolved properly.
Based on the services provided, risks will need to be monitored by a team of individuals who are close to the source of the risks. If services are reliant on third parties, monitoring may require reviewing third-party SOC reports or having third parties complete surveys covering the topics of security, confidentiality, and/or privacy to obtain comfort.
What Are the Seven Elements of Compliance?
Another way to monitor your compliance program in healthcare is to consider the seven (7) elements of an effective compliance program, as stated by the Office of the Inspector General (OIG) within the U.S. Department of Health and Human Services. This is a foundation of controls, but not a complete list:
- Implement written policies, procedures, and code of conduct that state the expectation to comply with the documents
- Communicate the designation of a compliance officer to the entire organization
- Facilitate continued education in the form of cyclical training to bring awareness of risks in the industry and how to detect and mitigate them
- Establish a process of how to communicate effectively internally and externally
- Perform monitoring and auditing
- Communicate the consequences and disciplinary actions if standards are not followed
- Establish procedures for management to take corrective action in relation to detected offenses
Is SOC 2 HIPAA Compliant?
A SOC 2 report is not a substitute for a HIPAA report. SOC 2, which is developed by the AICPA, and HIPAA, which is developed by Health Insurance Portability and Accountability Act, do have an element of overlap. However, the period of coverage, scoping, objectives and focus differ. Because of the differing focus points, many clients choose to have SOC 2 and HIPAA audits performed. When this occurs, the service auditor will issue two separate reports, one for SOC 2 and one for HIPAA.
Is SOC 2 Required for Healthcare & What Are the Benefits?
While covered entities and business associates are required to be in compliance with HIPAA, there is no legal requirement for healthcare companies to be in compliance with SOC 2. However, service organizations and vendors may be contractually required to undergo SOC 2 examination and be in compliance. Even though a SOC 2 may not be required, there are benefits to undergoing the examination:
- It will build patient and customer trust by evidencing the investment in data security.
- A SOC 2 report can be used as a marketing tool to give the company a competitive edge over competitors.
- It can assist the sales and marketing departments in answering technical questions in relation to the environment.
- The SOC 2 examination can unearth vulnerabilities that, when remediated, could lower your risk of being a victim of cybercrime.
Conclusion
As the frequency of cyber-attacks occurs, those in the healthcare industry should be looking to minimize the risk of it happening to them. A SOC 2 report can assist in decreasing risk and detecting gaps. Hiring a knowledgeable audit firm, such as Linford & Co, is important to provide a quality audit, gain efficiency if multiple audits (such as HIPAA and SOC 2) are performed, and provide guidance if gaps in the environment are detected. For further information about SOC 2 reporting please request a consultation.
Hilary has eight years of IT audit and assurance experience. Prior to starting at Linford & Co, Hilary worked for Deloitte managing audit readiness assessments, Sarbanes-Oxley 404 and SOC examinations, and complex remediation procedures. Hilary is a certified information systems auditor (CISA), holds a Master’s Degree in Accounting from the University of Colorado-Denver and a Bachelor’s in Business Administration from Colorado State University.