5 Healthcare IT HIPAA Compliance Options
May 11, 2021
Aprio is the only top 50 CPA firm with a specialization in healthcare IT and deep experience in HIPAA attestation reporting including SOC 2, ISO 27001, ISO 27701 and HITRUST CSF validated assessment and certification.
To identify and achieve the right compliance programs to meet your business needs, contact us today.
There are 5 ways to demonstrate compliance with HIPAA fundamentals:
- HIPAA attestation
- SOC 2 reporting
- SOC 2 + HIPAA
- SOC 2 + HITRUST
- HITRUST CSF
In this article, we will topline these 5 compliance reporting frameworks and their common applications in order of cost and complexity:
1. HIPAA attestation
A HIPAA attestation report is the easiest and most cost-effective assurance reporting to achieve. It is appropriate for small technology service providers with applications used in healthcare that have minimal interaction with electronic protected health information (ePHI). If you are a startup and a customer is requesting evidence of HIPAA compliance, this is often your best reporting option.
2. SOC 2 reporting
The next step up is a SOC 2 report. SOC reporting is based on the AICPA’s five Trust Services Principles, which include Security, Availability, Confidentiality, Processing Integrity and Privacy. If your business is classified as a true Business Associate (BA) and a customer or covered entity makes a general request for a “compliance report,” a SOC 2 report will usually meet their needs.
3. SOC 2 + HIPAA
SOC 2 reporting is highly adaptable, and auditors can incorporate objective criteria from other compliance reporting standards. These reports are referred to as SOC + (Plus) reports. SOC 2 + HIPAA should be considered by BAs who serve health insurance providers. Although there is significant overlap between the SOC 2 Trust Principles and the HIPAA/HITECH criteria, SOC 2 + HIPAA represents a step up in cost and complexity from a basic SOC 2 report.
4. SOC 2 + HITRUST
For many organizations, a HITRUST Common Security Framework (CSF) certification may be the goal; however, it may not be a practical solution at their current state of maturity. SOC 2 + HITRUST is considerably easier and more cost-effective to achieve than a HITRUST validated assessment and certification. This reporting structure is applicable when a customer requests SOC 2 reporting and evidence that the BA meets HITRUST requirements. It should be considered by BAs that have multiple and significant payers and/or providers as customers.
5. HITRUST CSF validated assessment and certification
The HITRUST CSF has become a widely adopted security and privacy framework across industries globally. The HITRUST CSF is a comprehensive and prescriptive set of controls that meet the requirements of multiple regulatory and compliance reporting standards, including ISO/IEC 27001 and HIPAA.
Due to the cost and complexity of the HITRUST CSF validated assessment and certification, organizations usually only undertake this option when specifically requested by a customer. BAs that serve multiple and significant payers and/or providers, such as hospitals and insurance companies, may be required to be HITRUST CSF certified.
The bottom line
If you’re a healthcare IT business, data privacy and security must be baked into your business model. As a BA, you are expected to maintain the same level of data security processes and controls as the customers you serve. Selecting a wrong compliance path will cost you extra time, money, and lost business.
Aprio is the only top 50 CPA firm with a specialization in healthcare IT and deep experience in HIPAA attestation reporting, SOC 2, ISO 27001, ISO 27701 and HITRUST CSF validated assessment and certification.
To learn more about how Aprio can help your business select, establish, and scale your security and compliance program, contact us today.
About the Author
Powell Jones, CISA, CCSFP, is a partner on Aprio’s Information Assurance Services team. Powell works with clients of all sizes, from startups to multinational companies. His experience in ISO certifications, SOC reporting, HITRUST CSF and third-party risk management helps clients select the right reporting options and gain efficiencies in managing multiple compliance frameworks and requirements. He uses his technical expertise and strong understanding of business processes, IT controls, and data security to help clients safeguard and grow their businesses.
Brett is the National Partner in Aprio’s IAS practice and a Certified CSF HITRUST Practitioner (CCSFP). He has 20+ years of focused business process and information technology control experience helping small to midsized companies protect their operations from cyber threats.