While additional controls need to be considered, a SOC audit can provide a check for Affordable Care Act (ACA) regulations and achieving Health Insurance Portability and Accountability Act (HIPAA) compliance.

ACA Requirements

The ACA’s 2010 implementation added a host of regulatory and compliance requirements, including measures to ensure the privacy of patient data. Health care organizations are required to maintain stringent controls on privacy and confidentiality, considering the type of information they maintain. This, in turn, has increased the demand for SOC audits on the part of health care organizations.

HIPAA Compliance

Similarly, HIPAA drives a rapid increase in demand for SOC reports. HIPAA mandates the security and privacy of personal medical information. Most of this data is now stored in an electronic format, so the importance of an assessment performed by an objective SOC audit resource is greater than ever.

SOC Compliance According to HIPAA Standards

HIPPA expansions have extended SOC compliance requirements to include business associates and entities that handle electronic protected health information (ePHI). If your organization has any interaction with the health care industry, it will need to have adequate protections in place to reduce the risk of unintended disclosure of ePHI.

Compliance issues for technology related to HIPAA are powerful drivers when it comes to trust criteria within security, confidentiality, and privacy of information. SOC security criteria related to data protection provides a strong baseline for compliance with the HIPAA frameworks and mapping can provide users with an understanding of how a company protects ePHI.

A SOC audit covers criteria that enable companies to lessen the risks of a breach. The SOC 2 compliance baseline security criteria focuses on security policies and procedures and the effectiveness of a company’s internal controls to mitigate the risk of a breach. 

Many health and wellness programs and procedures are now available on mobile devices. Hospitals and clinical practices must be aware of the threat of security breaches.

Potential Health Care Cybersecurity Breaches

• Health data hacking
• Insider or employee fraud
• Unintentional actions, for example, when a hospital employee accidentally falls prey to system-user fraud or a phishing scam
• Supply chain attacks or breaches, such as when information a hospital shares with a third-party vendor is hacked through the vendor’s platform

There are many drivers and benefits for conducting a SOC audit:

• Improve compliance of business audit requirements, including HIPAA, Health Information Trust Alliance (HITRUST), Payment Card Industry Data Security Standard (PCI-DSS), the ISO 27002 Standard, and Section 404 of the Sarbanes-Oxley Act (SOX 404)
• Provide due diligence to evaluate service provider controls
• Reduce time auditors and customers need to evaluate an organization
• Stay competitive when entering a new market or gaining or retaining customers
• Develop internal controls to boost confidence for a start-up’s management and credibility by validating its control environment
• Monitor and maintain tighter oversight of third-party vendors
• Help mitigate security breaches
• Potentially lower insurance coverage rates

SOC reports also help health care organizations focus on controls over privacy, which is especially relevant for environments that deal with personally identifiable information (PII) or protected health information (PHI).

Privacy Criteria Topics in SOC Audits

• Privacy policies
• Personal identifiable information (PII) classification
• Risk assessment
• Incident and breach management
• Provision of notice
• Choice and consent
• Collection
• Use and retention
• Disposal
• Access
• Disclosure to third parties
• Security for privacy
• Quality
• Monitoring and enforcement