Entities seeking to demonstrate Health Insurance Portability and Accountability Act (HIPAA) compliance to their customers and potential customers have several options available. The most persuasive among these options is an attestation report from an independent auditor. While the AICPA SOC 2 Security and SOC 2 Privacy reports offer significant assurance that security and privacy criteria in the underlying Trust Services Principles are met, SOC 2 reports do not include an opinion on HIPAA compliance.
Such an attestation is available. The AICPA recognized almost 15 years ago that CPAs could provide value to their clients by reporting on either (a) an entity’s compliance with requirements of specified laws, regulations, rules, contracts, or grants or (b) the effectiveness of an entity’s internal control over compliance with specified requirements. To facilitate this, the AICPA’s Statements on Standards for Attestation Engagements No. 10, Attest Engagements, established a framework for attest engagements and outlined general attestation standards, including examples of examination reports and review reports.
Among the types of examination reports established by SSAE 10 was the Compliance Attestation report—a report that a CPA could issue concerning compliance with laws and regulations. The professional standards regarding this report were codified into the AICPA’s Attestation Standard (AT) Section 601, Compliance Attestation. Given that the Health Insurance Portability and Accountability Act’s (HIPAA) Security, Breach Notification, and Privacy rules constitutes auditable requirements, an AT 601 HIPAA report can be produced by CPAs in public practice covering one or more of these rules.
Linford & Company provides AT 601 HIPAA reports most commonly for the Security and Breach Notification rules. Such reports can be a Type I or Type II report—meaning that the independent auditor’s opinion on the entity’s assertion about compliance with HIPAA can be as of a point in time (Type I) or for a period of time (Type II). Common practice at the present time is to provide a Type I report.
Linford & Company’s AT 601 HIPAA Security and Breach Notification rule compliance reports are included in the following sections:
- Report of Independent Auditors (opinion);
- Entity’s Assertion about HIPAA compliance;
- Entity’s Description of its Operations, Entity-Level Controls, and the Electronic Protected Health Information (ePHI) environment;
- Description of Control Activities Prepared by Entity’s Management;
- Independent Auditor’s Description of Tests of Controls and Results;
- HIPAA Security and Breach Notification Requirements and Controls—includes a cross-reference between HIPAA’s requirements and the entity’s controls.
The content of these report sections should provide an entity’s customers and potential customers with sufficient evidence that they are materially compliant with HIPAA’s requirements. For more information on the AT 601 HIPAA compliance attestation report, contact Kerry Shackelford, Healthcare Practice Leader, at Linford & Company LLP.