A HITRUST CSF Audit Can Take the Guesswork out of HIPAA Compliance Assessments

by Sarah Harvey / May 9th, 2016

Are you looking for a healthcare compliance audit solution?  Has someone asked your organization to demonstrate that you are HIPAA certified? Are you confused by what ‚ÄúHIPAA certified‚ÄĚ even means?

KirkpatrickPrice offers SOC 2 audits with a HITRUST CSF (common security framework) component designed to take the confusion and guesswork out of HIPAA compliance assessments.

The difference between SOC 2 vs. HIPAA is that they are audits over two different areas. A SOC 2 audit tests service organizations‚Äô  controls as they relate to the security, confidentiality, availability, processing integrity, and privacy. A HIPAA audit evaluates business associates‚Äô and covered entities‚Äô controls for safeguarding protected health information (PHI).

What is HITRUST?  

The HITRUST framework is a healthcare industry-created compliance protocol designed to resolve the complexities of HIPAA‚Äôs Security Rule, variations in business practices, and third-party assurance expectations.  Specifically, the HITRUST CSF addresses compliance and risk expectations under two key components:

  1. Information Security Manual
  2. Standards and Regulations Mapping

The Information Security Manual provides a framework for evaluating HIPAA’s Security Rule requirements for technical, administrative and physical controls related to topics like access control, asset management, business continuity and physical and environmental security.

The Standards and Regulations Mapping portion of the HITRUST framework is a tool HITRUST uses to ‚Äúnormalize‚ÄĚ HIPAA Security Rule requirements with other information security standards and regulations like PCI DSS 3.1, ISO 27001, NIST, IRS Pub. 1075, 201 CMR 17.00, and FTC Red Flags.  So, in addition to addressing HIPAA compliance with a SOC 2 with HITRUST, you can use the same audit to evaluate your organization‚Äôs risk and compliance with other critical information security and regulatory standards which saves you time, stress, and money.

Finally, while the federal government and HIPAA assessors cannot offer an official ‚ÄúHIPAA certification‚ÄĚ to demonstrate HIPAA compliance, the HITRUST Alliance does provide a certification for organizations that successfully undergo HITRUST assessments.  The HITRUST certification can be a powerful marketing tool to demonstrate your organization‚Äôs HIPAA compliance activities.

How does the SOC 2 work with HITRUST?

The Service Organization Control (SOC) report complements the HITRUST framework exceptionally well because the SOC 2 audit is designed to address an organization‚Äôs security, availability, processing integrity, confidentiality, and privacy of information ‚Äď concepts inherent within HIPAA‚Äôs Security Rule requirements and HITRUST framework.

The SOC 2 report is an effective report because it’s an independent attestation by a CPA. Further, the SOC 2 report is an incredibly common and well-understood audit report type which means your organization will get significant internal and external value when providing the report for business and marketing purposes.

Contact us today to find out how we can assist your organization resolve your HIPAA compliance concerns with a SOC 2 HITRUST audit.

More Compliance Resources