What’s the Difference Between the SOC 2 Security and AT 601 HIPAA Security Requirements?

Linford & Company offers two types of reports that address security, the SOC 2 Security report and the AT 601 HIPAA Security report. Both are CPA firm attest-level reports on security requirements, but which one best fits your needs?

  • The SOC 2 Security report is used by organizations to demonstrate good security practices. The criteria for the SOC 2 Security report come from the AICPA’s Trust Services Principles and Criteria for Security. An AICPA task force of CPAs from public accounting firms, industry, and academia created and vetted the criteria, aiming for requirements that would be generally applicable to all types of organizations.
  • Contrast that with the AT 601 HIPAA Security report, which is used by organizations to demonstrate compliance with the HIPAA Security Rule’s requirements. The criteria for the AT 601 HIPAA Security report come from federal legislation as implemented by the U.S. Department of Health and Human Services (HHS). Legislators and HHS created the criteria after considering healthcare industry feedback.

The SOC 2 Security requirements are a “good security practices” baseline. On top of this baseline, the HIPAA Security Rule will require the following additional controls:

  • Establish and implement formal, HIPAA-compliant security policies and procedures that address the following areas:
    • Appropriate sanctions applied against workforce members who fail to comply with the security policies and procedures
    • Workforce authorization and supervision for personnel who work with electronic protected health information (ePHI) or might be able to access it
    • Password management (creating, changing and safeguarding passwords)
    • Workstation use standards where ePHI may be accessed, including the physical attributes of the surroundings and the function of the workstation
    • Receipt and removal of devices and media into and out of a facility, and the movement of those items within the facility, when ePHI is present
    • Reuse of devices and media, including the removal of ePHI from them, and disposal of devices and media on which ePHI is or was present
  • Conduct security awareness training for personnel at hire and annually thereafter, at a minimum for personnel with access to ePHI.
  • Protect the systems environment from malicious software using tools such as antivirus software, workstation firewalls, regular patch management, intrusion detection/prevention systems, etc.
  • Restrict access to ePHI at the application and database levels in accordance with HIPAA’s “minimum necessary” guidelines (i.e., need to know).
  • Establish a data backup plan and demonstrate annually that backups and the disaster recovery procedure are viable.
  • Ensure the disaster recovery plan addresses HIPAA-specific requirements such as emergency mode operations, applications and data criticality analysis, contingency operations, access to ePHI in an emergency, etc.
  • Maintain records of facility maintenance affecting physical security safeguards.
  • Secure workstations which host or have access to ePHI.
  • Maintain records of the movements of devices and media containing ePHI.
  • Ensure networks, applications, workstations, etc. log off automatically after a period of inactivity.
  • Encrypt stored ePHI unless the security risk analysis supports storage of ePHI unencrypted.
  • Maintain a log of all individual accesses to ePHI and perform monitoring procedures to discourage unauthorized access.
  • Maintain HIPAA-required records of actions, activities, and assessments for 6 years.

The list above is not meant to be exhaustive and does not address HIPAA’s Breach Notification Rule and Privacy Rule requirements. It is meant to illustrate the extra effort involved in complying with HIPAA’s security requirements over and above the SOC 2 Security criteria.
