We get a lot of questions about SOC 2 and HIPAA audits. Should your company do both? Are you able to consolidate multiple audits into one project? KirkpatrickPrice has developed the Online Audit Manager to make it easier to combine multiple audits into one project. Let’s talk through why and how you would take on the project of a combined SOC 2 and HIPAA audit.
What are SOC 2 and HIPAA Audits?
Before we discuss how to go through a combined SOC 2 and HIPAA audit, let’s review what each of these types of audits are.
A SOC 2 audit is an assessment of the internal controls at a service organization that protect client data. The controls are evaluated against the AICPA's Trust Services Criteria, which cover five categories: security (the common criteria, included in every SOC 2), availability, processing integrity, confidentiality, and privacy. A SOC 2 report is an attestation engagement and must be performed by a licensed CPA firm.
The integrity of the healthcare industry relies on keeping data secure and patients safe. This, in part, is why HIPAA was created. HIPAA sets a national standard for the protection of individuals' protected health information (PHI), including electronic PHI (ePHI), by requiring risk analysis and risk management practices along with administrative, physical, and technical safeguards. HIPAA was also established to give individuals greater transparency and control over how their health information is used and disclosed, and the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) enforces compliance with the HIPAA Privacy, Security, and Breach Notification Rules.
Why a Combined SOC 2 and HIPAA Audit?
Why would a company pursue a combined SOC 2 and HIPAA audit? Depending on your services, both could be valuable for your organization. If you handle PHI as a covered entity or business associate, HIPAA compliance is not optional – it's a legal requirement. But we also have clients like MSPs, cloud hosting providers, and SaaS providers who serve the healthcare industry and pursue both SOC 2 and HIPAA compliance. These clients know that healthcare is one of the industries most at risk for data breaches, and the most expensive one in which to have a breach. In 2019, IBM reported that the average cost of a data breach in healthcare was $6.45 million, or $429 per record. Plus, once you've had a data breach, you're more likely to experience abnormal customer turnover – 8% in healthcare. Don't you want to do every test and assessment possible to keep your organization from becoming this statistic?
Our clients who undergo a combined SOC 2 and HIPAA audit are also, in many cases, specifically asked for a SOC 2 report by their key accounts and stakeholders. A HIPAA compliance report is valuable, but a SOC 2 report is a formal attestation issued by a CPA firm under AICPA standards, so it can give customers even greater assurance that PHI is secure. Whenever your clients (especially key accounts) or stakeholders have specific compliance requirements, it's wise to do your due diligence and know what your options are for meeting both their requirements and industry standards. To ensure that your controls meet the demands of the variety of clients and stakeholders you serve, you should know that a combined SOC 2 and HIPAA audit is an option.
Using the Online Audit Manager
Our goal is to make SOC 2 and HIPAA reports more accessible to organizations that are being asked for them, so to complete a combined SOC 2 and HIPAA audit, we use the Online Audit Manager. The Online Audit Manager is an online audit delivery tool that maps the requirements of each framework to one another, so that a control description or piece of evidence you submit once can satisfy the overlapping requirements of both frameworks instead of being requested again on a separate audit – all with the goal of saving your organization's time, effort, and money. Completing a combined SOC 2 and HIPAA audit with KirkpatrickPrice will be a more efficient, accessible process for your organization. Interested in more specifics on how this works? Let's set up a demo of the Online Audit Manager.