A HITRUST CSF Audit Can Take the Guesswork out of HIPAA Compliance Assessments

by Sarah Harvey / May 9th, 2016

Are you looking for a healthcare compliance audit solution? Has someone asked your organization to demonstrate that you are HIPAA certified? Are you confused by what “HIPAA certified” even means?

KirkpatrickPrice offers SOC 2 audits with a HITRUST CSF (common security framework) component designed to take the confusion and guesswork out of HIPAA compliance assessments.

The difference between SOC 2 and HIPAA is that they are audits over two different areas. A SOC 2 audit tests a service organization’s controls as they relate to security, confidentiality, availability, processing integrity, and privacy. A HIPAA audit evaluates business associates’ and covered entities’ controls for safeguarding protected health information (PHI).

What is HITRUST?

The HITRUST framework is a healthcare industry-created compliance protocol designed to resolve the complexities of HIPAA’s Security Rule, variations in business practices, and third-party assurance expectations. Specifically, the HITRUST CSF addresses compliance and risk expectations under two key components:

  1. Information Security Manual
  2. Standards and Regulations Mapping

The Information Security Manual provides a framework for evaluating HIPAA’s Security Rule requirements for technical, administrative, and physical controls related to topics like access control, asset management, business continuity, and physical and environmental security.

The Standards and Regulations Mapping portion of the HITRUST framework is a tool HITRUST uses to “normalize” HIPAA Security Rule requirements with other information security standards and regulations like PCI DSS 3.1, ISO 27001, NIST, IRS Pub. 1075, 201 CMR 17.00, and FTC Red Flags. So, in addition to addressing HIPAA compliance with a SOC 2 with HITRUST, you can use the same audit to evaluate your organization’s risk and compliance with other critical information security and regulatory standards, which saves you time, stress, and money.

Finally, while the federal government and HIPAA assessors cannot offer an official “HIPAA certification” to demonstrate HIPAA compliance, the HITRUST Alliance does provide a certification for organizations that successfully undergo HITRUST assessments. The HITRUST certification can be a powerful marketing tool to demonstrate your organization’s HIPAA compliance activities.

How does the SOC 2 work with HITRUST?

The Service Organization Control (SOC) report complements the HITRUST framework exceptionally well because the SOC 2 audit is designed to address an organization’s security, availability, processing integrity, confidentiality, and privacy of information – concepts inherent within HIPAA’s Security Rule requirements and HITRUST framework.

The SOC 2 report is an effective report because it’s an independent attestation by a CPA. Further, the SOC 2 report is an incredibly common and well-understood audit report type, which means your organization will get significant internal and external value when providing the report for business and marketing purposes.

Contact us today to find out how we can assist your organization in resolving your HIPAA compliance concerns with a SOC 2 HITRUST audit.
