Many clients ask us if a SOC 2 report’s scope is sufficient for demonstrating HIPAA compliance. Typically, no, it is not, but it all depends on the scope of the audit. A SOC 2 report focusing on security is typically a great baseline for the controls that need to be in place to demonstrate HIPAA Security Rule compliance, but there are additional controls that should be considered when looking at HIPAA compliance. In this post, we will discuss the purpose of these two types of reports, how they overlap, and how they differ.
What is a SOC 2 Report?
Let’s start off by discussing the basics. A SOC 2 report, or Service and Organization Controls report, is used by service organizations to demonstrate to their clients and stakeholders the IT general and organizational controls that they have in place to secure the services they provide. The AICPA issues the guidance used to perform SOC 2 audits, and SOC 2 reports fall under the SSAE 18 standard, sections AT-C 105 and AT-C 205. There are five Trust Services Criteria (TSCs) that can be included in a SOC 2 report based on the services provided by the service organization. The five criteria are:
- Security (also referred to as the Common Criteria)
- Availability
- Processing Integrity
- Confidentiality
- Privacy
The only criteria that must be included in the SOC 2 report are the Security, or Common Criteria. All other criteria are added at the discretion of the service organization, with help from their auditor, when determining the scope of audit based on the services provided to their customers.
What is the HIPAA Security Rule and Why is it Important?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was created to provide national standards for maintaining the security and privacy of electronic health information. Before HIPAA, there were no generally accepted standards or requirements for how health information should be protected, especially electronic health information. HIPAA compliance audits typically include the requirements of the HIPAA Security and Breach Notification Rules and are used by organizations to demonstrate compliance with these requirements. These requirements derive from federal legislation as implemented by the U.S. Department of Health and Human Services (HHS). Legislators and HHS created the criteria after considering healthcare industry feedback. In this post, we will be focusing specifically on the HIPAA Security Rule.
The HIPAA Security Rule is important because it provides guidance to an organization on how to protect individuals’ personal health information. Per the HHS, “The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”
Who Must Comply with the HIPAA Security Rule?
Though the organizations that must comply with the HIPAA Security Rule may also benefit from obtaining a SOC 2 report, the guidance on who must comply with the HIPAA Security Rule is much more prescriptive than who should obtain a SOC 2. The HHS states that “the Security Rule applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”) and to their business associates.” If an organization is having a hard time determining whether they are a covered entity, there is a tool provided by the Centers for Medicare and Medicaid Services (CMS) that provides additional guidance.
In contrast, the AICPA states that SOC reports are meant for service organizations that provide services to other entities and they address the needs of a broad range of users. SOC 2 reports provide details around the systems used by the service organization to process and store user data and assurance around the controls in place at the service organization, relevant to the five TSCs.
Is a SOC 2 Report HIPAA Compliant?
The short answer is no, but it all depends on the scope of the audit. Typically at Linford & Co., if a client has engaged us for both, we will perform the fieldwork for a SOC 2 and a HIPAA compliance report in tandem, as there is a significant amount of overlap between the two reports. We still issue two separate reports: one to address the SOC 2 criteria and another for HIPAA compliance.
There are several areas that are required by the HIPAA Security Rule that are not covered by a SOC 2. To keep things simple, in this scenario we will compare a SOC 2 that covers the Security criteria only to a report covering HIPAA Security Rule compliance. The SOC 2 Security criteria are a good baseline for security practices. On top of this baseline, the HIPAA Security Rule will require the following additional controls:
- Establish and implement formal, HIPAA-compliant security policies and procedures that address the following areas:
  - Appropriate sanctions applied against workforce members who fail to comply with the security policies and procedures
  - Workforce authorization and supervision for personnel who work with electronic protected health information (ePHI) or might be able to access it
  - Password management (creating, changing, and safeguarding passwords)
  - Workstation use standards where ePHI may be accessed, including the physical attributes of the surroundings and the function of the workstation
  - Receipt and removal of devices and media into and out of a facility, and the movement of these items within the facility, if ePHI is present
  - Device and media reuse and the removal of ePHI, as well as device and media disposal where ePHI is or was present
- Conduct security awareness training for personnel initially upon hire and annually thereafter for at least those personnel with access to ePHI.
- Protect the systems environment from malicious software using tools such as antivirus software, workstation firewalls, regular patch management, intrusion detection/prevention systems, etc.
- Restrict access to ePHI at the application and database levels in accordance with HIPAA’s “minimum necessary” guidelines (i.e., need to know).
- Establish a data backup plan and demonstrate annually that backups and the disaster recovery procedure are viable.
- Ensure the disaster recovery plan addresses HIPAA-specific requirements such as emergency mode operations, applications and data criticality analysis, contingency operations, access to ePHI in an emergency, etc.
- Maintain records of facility maintenance related to physical security safeguards.
- Secure workstations that host or have access to ePHI.
- Maintain records of the movements of devices and media containing ePHI.
- Ensure networks, applications, workstations, etc. log off automatically after a period of inactivity.
- Encrypt stored ePHI unless the security risk analysis supports the storage of ePHI unencrypted.
- Maintain a log of all individual accesses to ePHI and perform monitoring procedures to detect and discourage unauthorized access.
- Maintain HIPAA-required records of actions, activities, and assessments for 6 years.
The list above is not meant to be exhaustive and does not address HIPAA’s Breach Notification Rule and Privacy Rule requirements. It is meant to illustrate the extra effort involved in complying with security requirements in HIPAA over and above a SOC 2 report covering Security. Additionally, depending on the scope of the SOC 2 report, some of the controls listed above could be covered by the SOC 2 report.
What is the First Step Towards HIPAA Compliance?
I would say the first step towards HIPAA Compliance is doing your research to determine if you are a covered entity. Once you determine that the HIPAA Security Rule applies to your organization, finding a reputable firm to assist in performing a readiness assessment is a great next step. A readiness assessment will help identify gaps that need to be addressed prior to undergoing the HIPAA compliance audit and will assist you in creating a strong control environment.
In summary, we discussed the main objectives for undergoing a SOC 2 audit and a HIPAA Security Rule Compliance audit. There is overlap between the two reports, but their objectives and users are different. A SOC 2 provides a baseline for data security practices but a HIPAA report has additional requirements that need to be met. A SOC 2 report alone will not typically be enough to demonstrate that an organization is in compliance with the HIPAA Security Rule. In order to tackle undergoing either of these audits for the first time, engaging a reputable CPA firm is a great first step.
Megan Kovash works primarily on SOC audits, with experience in financial audit and internal audit as well. Megan started her career in January 2012 after completing her Master of Accountancy at the University of Denver. She worked in the Risk Assurance group at Ernst & Young, then moved to the Internal Audit Data Analytics group at Charles Schwab. She is now a Partner at Linford & Co., LLP. Megan enjoys working with clients and coworkers to find and implement solutions that better her clients’ businesses.