In a press release dated December 17, 2015, the AICPA announced that it had collaborated with the Health Information Trust Alliance (HITRUST) to develop an illustrative SOC 2 report useful to health care industry service organizations that must demonstrate compliance with HIPAA’s security requirements.
CPAs are now able to report on the suitability of the design and operating effectiveness of controls relevant to meeting the applicable trust services criteria and the HITRUST Common Security Framework (CSF) requirements. The CSF incorporates security requirements that health care organizations must comply with, including HIPAA, HITECH and PCI, among many others, and has been voluntarily adopted by some health care payers, providers and state exchanges as their security framework.
The SOC 2 + HITRUST CSF report may provide value to users of a health care industry service organization by providing relevant descriptive information about controls related to safeguarding of protected health information (PHI) and an opinion on the design and operating effectiveness of the service organization’s controls based on both the applicable trust services criteria and the HITRUST CSF requirements.
According to the AICPA, health care industry service organizations can more easily expand their SOC 2 reports to include controls relevant to a wide array of regulations, standards, best practices and other information protection requirements. For those service organizations desiring a report that includes an independent auditor’s opinion on HIPAA compliance, Linford & Company offers the AT 601 HIPAA compliance report.