Using the SOC 2 or AT 601 Reports to Demonstrate Compliance with HIPAA

The modifications to HIPAA known as the “HIPAA Omnibus Rule” became effective March 26, 2013, and covered entities and business associates were give about 6 months to get in compliance. That compliance deadline is fast approaching — September 23, 2013 — and, increasingly, healthcare providers and payers are requiring that their business associates demonstrate compliance. Linford & Company offers two options to business associates:

SOC 2 Report: This report may cover a set of pre-developed Trust Services Principles and Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. A SOC 2 Report on Security and Privacy align fairly nicely with the HIPAA Security and Privacy Rules. This report can then be supplemented with additional criteria to cover the gap between the Security and Privacy Trust Services Principles and the HIPAA Security and Privacy Rules.

HIPAA Compliance Audit Report: This report is issued under AICPA attestation standards, and is designed to allow a CPA firm to express an opinion on an organization’s compliance with the requirements of specified laws and regulations; in this case, the HIPAA Security and/or Privacy Rules.

The SOC 2 and HIPAA Compliance Audit reports go a long way towards convincing your current and potential clients that you are HIPAA-compliant. Contact us for more information.