I'm interested in learning more on how Service Organization Control evaluations can benefit organizations that...
are HIPAA business associates. Are SOC 2 evaluations enough to meet HIPAA requirements if your organization is a HIPAA business associate?
Service Organization Control, or SOC, evaluations are not intended to demonstrate compliance with HIPAA and should not be relied upon exclusively to evaluate the HIPAA compliance of business associates. That said, SOC 2 reports can be an important tool for organizations evaluating the security controls of their vendors and other business partners.
The SOC program is administered by the American Institute of Certified Public Accountants, and it is designed to provide independent assessments of the security controls in place at a service provider. It includes three types of assessments: SOC 1, SOC 2 and SOC 3 assessments. Of these, SOC 2 assessments are of most interest to security professionals. These assessments provide a description of a service provider's systems and an evaluation of the design of the security controls in place.
Just to make things a little more confusing, there are two types of SOC 2 reports an auditor may issue after completing a SOC 2 assessment. In a type 1 SOC 2 report, the auditor comments only on the sufficiency of the design of the security controls. Only in a type 2 SOC 2 report does the auditor provide test results designed to demonstrate the operational effectiveness of those controls.
If a service provider presents your organization with a SOC 2 report as evidence of HIPAA compliance, there is still a little work to do. First, compare the controls described in the report to the HIPAA security and privacy rules to determine whether they would be compliant if they worked properly. Second, verify the report is a type 2 SOC 2 report, and then ensure the auditor provided a favorable opinion of the effectiveness of the organization's security controls.
Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)
Learn more about healthcare clearinghouse security risks
Find out what rights HIPAA gives medical identity theft victims
Discover how important security gap analysis is for HIPAA compliance
Dig Deeper on HIPAA
Related Q&A from Mike Chapple
It's not possible to eradicate the risk of DoS attacks, but there are steps infosec pros can take to reduce their impact. Mike Chapple shares ...continue reading
The HHS OCR ruled that healthcare ransomware attacks are HIPAA violations, so these covered entities need to react according to the HHS's guidance. ...continue reading
HIPAA regulations incorporate NIST guidelines and standards, so do healthcare organizations need to be compliant with both? Expert Mike Chapple ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.