The Health Insurance Portability and Accountability Act (HIPAA) affects far more organizations than just hospitals and doctor’s offices. In recent years, the adoption of electronic health records coupled with the continuing cloud revolution has made compliance with key elements of HIPAA a growing and evolving business requirement for many companies and service organizations – not just medical providers.
HIPAA was expanded with the Health Information Technology for Economic and Clinical Health (HITECH) Act. The U.S. Department of Health and Human Services now performs periodic audits of covered entities and business associates to ensure compliance with the HIPAA Privacy, Security, and Breach Notification Rules.
With the expansion of both HIPAA compliance requirements and the companies that are affected, many entities have received requests from stakeholders, particularly their customers in the health care industry, regarding compliance with HIPAA.
There is no requirement under HIPAA / HITECH for a “certification” of compliance. As such, some companies opt to manage compliance internally. This may involve a self-assessment of potential gaps, a compliance structure, and some form of monitoring function to maintain compliance. While internal programs may enhance compliance, they cannot offer the third-party assurance that many business associates may need to satisfy the requirements of their customers.
Additionally, managing compliance may require specialized knowledge, skills, objectivity and bandwidth, which together create a challenging compliance environment. Outsourcing some or all of the compliance function is often seen as the solution, and many companies look to consultants and experts in HIPAA to guide them. Often this type of engagement takes the form of a gap analysis, with the deliverable being a letter documenting the noted gaps and a report with recommendations for improvement.
How SSF can help
At Sensiba San Filippo we adhere to AICPA standards of quality control and independence. Unlike many other independent consultants, we can offer third-party assurance as well as reporting options to fit specific needs. Our HIPAA engagement options and the assurance they provide include:
We perform procedures to evaluate the current state of compliance against a checklist or protocol/standard, identifying where the organization is consistent with the requirements and where gaps exist. This is usually performed as of a specific point in time rather than over a period. These engagements are generally performed on a non-attest, or no-assurance, basis, similar to hiring a consultant or third-party expert. The advantage of having a CPA do this work is that it often lays the groundwork for follow-on attestation engagements.
HIPAA Compliance Agreed Upon Procedures Engagements
This report is issued under AICPA attestation standards and is designed to allow a CPA firm to express an opinion on an organization’s compliance with the requirements of the HIPAA Security, Privacy and/or Breach Notification Rules. Management may also use our service to perform internal testing; in that case the engagement can be done on a non-attest basis, which usually includes a report of our procedures, without an opinion, together with a detailed listing of our testing results.
SOC 2 engagements and reports adapted for HIPAA
SOC 2 reports allow for reporting on internal controls to a broad range of users who need to understand internal control at a service organization as it relates to security, availability, processing integrity, confidentiality and privacy. These reports are intended for use by stakeholders of the service organization (e.g., customers, regulators, business partners, suppliers, directors); the engagement provides those stakeholders assurance in the form of a CPA-signed report over management’s description of controls and the operating effectiveness of those controls. A SOC 2 report on Security and Privacy maps closely to the HIPAA Security and Privacy Rules and can be supplemented with incremental criteria to cover gaps as needed for the service organization. A significant advantage of the SOC 2 report is that it is based on AICPA standards and is well understood, with ever-growing acceptance in the marketplace.
SSF’s Risk Assurance Services Group can help you evaluate your needs and determine which HIPAA option will be the best choice for your business and customers.