Are you HIPAA Compliant?

The Health Insurance Portability and Accountability Act (HIPAA) affects far more organizations than just hospitals and doctor’s offices. In recent years, the adoption of electronic health records coupled with the continuing cloud revolution has made compliance with key elements of HIPAA a growing and evolving business requirement for many companies and service organizations – not just medical providers.

HIPAA was expanded by the Health Information Technology for Economic and Clinical Health (HITECH) Act. HITECH requires HHS to perform periodic audits of covered entities and business associates to ensure compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

With the expansion of both HIPAA compliance requirements and the range of companies that are affected, many entities have received requests from stakeholders, particularly their customers in the health care industry, regarding their compliance with HIPAA.

Demonstrating Compliance

There is no requirement under HIPAA / HITECH for a “certification” of compliance. As such, some companies opt to manage compliance internally. This may involve a self-assessment of potential gaps, a compliance structure, and some sort of monitoring function to maintain compliance. While internal programs may enhance compliance, they cannot offer the third-party assurance that many businesses now require.

Additionally, managing compliance may require specialized knowledge, skills, objectivity and bandwidth that create a challenging compliance environment. Outsourcing some or all of the compliance function is often seen as the solution, and many companies look to consultants and experts in HIPAA to guide them. Often this type of engagement takes the form of a gap analysis, with the deliverable being a letter documenting the noted gaps and a report with recommendations for improvement.

How Sensiba San Filippo Can Help

At Sensiba San Filippo we adhere to AICPA standards of quality control and independence. Unlike many other independent consultants, we can offer third-party assurance as well as reporting options to fit specific needs. Our HIPAA engagement options and the assurance they provide include:

Readiness assessments – We perform procedures to evaluate the current state of compliance against a checklist or protocol / standard, identifying consistency with and/or any gaps against the requirements. This is usually performed at a specific point in time as opposed to over a period. These engagements are generally performed on a non-attest, or no-assurance, basis, similar to hiring a consultant or third-party expert. The advantage of having a CPA do this work is that it often lays the groundwork for follow-on attestation engagements.

HIPAA Compliance Agreed-Upon Procedures Engagements – This report is issued under AICPA attestation standards and is designed to allow a CPA firm to express an opinion on an organization’s compliance with the requirements of the HIPAA Security, Privacy and/or Breach Notification Rules. Management may also use our service to perform internal testing; thus, these types of engagements can also be done on a non-attest basis, which usually includes our report of the procedures performed, without an opinion, and a detailed listing of our testing results.

SOC 2 engagements and reports adapted for HIPAA – SOC 2 reports allow for reporting on internal controls to a broad range of users who need to understand internal control at a service organization as it relates to security, availability, processing integrity, confidentiality and privacy. These reports are intended for use by stakeholders (e.g., customers, regulators, business partners, suppliers, directors) of the service organization; the engagement provides those stakeholders assurance in the form of a CPA-signed report over management’s description of controls and the operating effectiveness of those controls. A SOC 2 report on Security and Privacy maps closely to the HIPAA Security and Privacy Rules and can be supplemented with incremental criteria to cover gaps as needed for the service organization. A significant advantage of the SOC 2 report is that it is based on the standards of the AICPA and is well understood, with ever-growing acceptance in the marketplace.

Sensiba San Filippo’s Business Process Assurance Group can help you evaluate your needs and determine which HIPAA option will best serve your business and your clients.

Practice Leadership

Jeffrey R. Stark
Audit Partner
jstark@ssfllp.com
(408) 286-7780