5 Healthcare IT HIPAA Compliance Options

May 9, 2024

At a glance:

  • The main takeaway: Health tech businesses have several avenues for demonstrating compliance with HIPAA, but some are more appropriate and attainable for certain businesses than others.
  • The impact on your business: It’s important to choose the right compliance path, as the wrong ones can cost you extra time, money and business.
  • Next steps: Think about your options for attaining and demonstrating HIPAA compliance, then reach out to Aprio for help identifying and navigating the compliance avenue of your choice. To identify and achieve the right compliance programs to meet your business needs, contact us today.

The full story:

Aprio is the only top 25 CPA firm with a specialization in health tech and deep experience in HIPAA attestation reporting including SOC 2, ISO 27001, ISO 27701 and HITRUST CSF validated assessment and certification.

There are 5 ways to demonstrate compliance with HIPAA fundamentals:

  • HIPAA attestation/HITRUST CSF e1
  • SOC 2 reporting/HITRUST CSF i1
  • SOC 2 + HIPAA
  • SOC 2 + HITRUST (e1/i1)
  • HITRUST CSF r2

In this article, we outline these compliance reporting frameworks and their common applications, in increasing order of cost and complexity:

1. HIPAA attestation/HITRUST CSF e1

A HIPAA attestation report is the easiest and most cost-effective assurance report to obtain. It is an independent examination of your controls against the HIPAA Security and Privacy Rule requirements, and it is appropriate for small technology service providers whose healthcare applications have minimal interaction with electronic protected health information (ePHI). If you are a startup and a customer is requesting evidence of HIPAA compliance, this is often your best reporting option. Keep in mind that HHS does not certify or endorse HIPAA compliance: none of the reports described in this article is a regulatory safe harbor; they are evidence you give customers and auditors that your controls operate as claimed.

Another option to consider is the HITRUST CSF e1 certification. The e1 certification provides an entry level of assurance against the HITRUST CSF based on a fixed scope of 44 requirement statements, and the certification is valid for one year.

2. SOC 2 reporting/HITRUST CSF i1

The next step up is a SOC 2 report. SOC 2 reporting is based on the AICPA’s Trust Services Criteria, which are organized into five categories: Security, Availability, Confidentiality, Processing Integrity and Privacy. Security is the only mandatory category; the others are added to scope as customer needs dictate. If your business is classified as a true Business Associate (BA) and a customer or covered entity makes a general request for a “compliance report,” a SOC 2 report will usually meet their needs. Expect most customers to ask for a Type 2 report, which tests the operating effectiveness of controls over a period (commonly six to twelve months), rather than a Type 1 report, which describes control design at a single point in time.

Companies at this stage may also consider a HITRUST CSF i1 certification. The i1 certification provides a moderate level of assurance against the HITRUST CSF based on a fixed scope of 182 requirement statements, and the certification is valid for one year.

3. SOC 2 + HIPAA

SOC 2 reporting is highly adaptable, and auditors can incorporate objective criteria from other compliance standards into the examination. These reports are referred to as SOC 2+ (Plus) reports. SOC 2 + HIPAA should be considered by BAs who serve health insurance providers. Although there is significant overlap between the SOC 2 Trust Services Criteria and the HIPAA/HITECH requirements, SOC 2 + HIPAA represents a step up in cost and complexity from a basic SOC 2 report because the auditor must test and report on the HIPAA requirements in addition to the SOC 2 criteria.

4. SOC 2 + HITRUST (e1/i1)

For many organizations, a HITRUST Common Security Framework (CSF) certification may be the goal; however, it may not be a practical solution at their current state of maturity. SOC 2 + HITRUST is considerably easier and more cost-effective to achieve than a HITRUST validated assessment and certification. Because e1 and i1 are fixed-scope assessments, a SOC 2 + HITRUST report’s scope can be expanded to include either the e1 or the i1 requirement statements. This reporting structure fits when a customer requests SOC 2 reporting plus evidence that the BA meets HITRUST requirements. It should be considered by BAs that have multiple and significant payers and/or providers as customers. Note that a SOC 2 + HITRUST report is a CPA-issued report, not a HITRUST certification; if a customer contract specifically requires HITRUST certification, confirm that this report will satisfy it before committing.

5. HITRUST CSF r2 validated assessment and certification

The HITRUST CSF has become a widely adopted security and privacy framework across industries globally. The HITRUST CSF is a comprehensive and prescriptive set of controls that harmonizes and maps to the requirements of multiple regulatory and compliance standards, including ISO/IEC 27001 and HIPAA, so that one assessment can be used to demonstrate coverage of several of them.

Due to the cost and complexity of the HITRUST CSF r2 validated assessment and certification, organizations usually only undertake this option when specifically requested by a customer. BAs that serve multiple and significant payers and/or providers, such as hospitals and insurance companies, may be required to be HITRUST CSF certified.

The HITRUST CSF r2 certification is based on a custom scope for each certification and provides a high level of assurance against the HITRUST CSF. On average, there are about 375 requirement statements in scope; however, the number of requirement statements will vary based on responses to the HITRUST MyCSF scoping questions (such as organization size, system complexity and data types) and any additional compliance requirements, such as specific regulations, that you include in scope. An r2 certification is valid for two years, with an interim assessment required at the one-year mark to keep it in good standing.

The bottom line

If you’re a health tech business, data privacy and security must be baked into your business model. Since the HITECH Act and the 2013 Omnibus Rule, business associates are directly liable for complying with the HIPAA Security Rule, and the business associate agreement (BAA) you sign with each customer will typically require you to maintain the same level of data security processes and controls as the covered entities you serve and to produce evidence of it on request. Selecting the wrong compliance path will cost you extra time and money and can cost you business.

To learn more about how Aprio can help your business select, establish and scale your security and compliance program, contact us today.


About the Author

Powell Jones

Powell Jones, CISA, CCSFP, is a partner on Aprio’s Information Assurance Services team. Powell works with clients of all sizes, from startups to multinational companies. His experience in ISO certifications, SOC reporting, HITRUST CSF and third-party risk management helps clients select the right reporting options and gain efficiencies in managing multiple compliance frameworks and requirements. He uses his technical knowledge and strong understanding of business processes, IT controls and data security to help clients safeguard and grow their businesses.
