Using SOC Reports to Comply with HIPAA

4 min read
October 24, 2016 at 9:22 AM


This is a guest post that was written by April Arruda, CPA from DiSanto, Priest, & Co. in Warwick, RI. DiSanto, Priest, & Co. is a professional advisory firm that has been in business for over 50 years providing a range of services to their clients. These services include Accounting and Assurance, Tax Planning and Compliance, Management Consulting, and Business Advisory services. For more information, please visit the DiSanto, Priest, & Co. website at or by calling them at (401) 921-2000. 

I remember the first time I saw the term “HIPAA.” I had just walked into my doctor’s office and was heading towards the reception desk, anticipating the pile of tedious forms that relentlessly need updating each visit. As I reached the desk, I noticed on the sliding glass window a paper sign that had been taped up stating “Due to HIPAA, this window is to be kept closed.” I vividly remember wondering, ‘what sort of disease is HIPAA.  It must be really contagious for them to have to keep the window closed.’  So I took my forms to one of the waiting room chairs and took out what was then my brand new, and very first, smart phone to find out. Well as it turns out, HIPAA is not a disease at all, although I could make an argument that it is highly contagious.

If you are any less naive than me, and I’m guessing you are, you probably already know what HIPAA is, but for those of you who don’t, allow me to elaborate. “HIPAA” stands for the Health Insurance Portability and Accountability Act of 1996. It is a ruling that sets guidelines for proper interaction with Protected Health Information (PHI) or any patient’s medical records. The ruling expanded the liabilities of companies that are subject to oversight, increased fines for non-compliance, and allowed more stringent enforcement. Most importantly, due to increased cybersecurity risks, the law places a high emphasis on protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI).

Download the Compass IT Compliance Critical Security Controls eBook

So why might that matter to you? Well if your company is handling any form of PHI, you need to be in compliance with HIPAA.  Now this obviously applies to any health care provider, but it doesn’t stop there.  This law also applies to any data center that is storing ePHI. Simply by having PHI in your company’s possession, your company needs to demonstrate its compliance. This typically requires an audit performed by an independent Certified Public Accountant (CPA), which will provide you with a documented report stating whether your company has the proper policies and procedures in place to comply with HIPAA.

Now there are a few different reporting formats that can be used to document your company’s compliance, but my personal favorite is a service organization controls (SOC) type 2 report, simply for all of the benefits that it provides. Allow me to explain just a few those benefits.

Convergence with the HITRUST Common Security Framework (CSF) – The Health Information Trust Alliance (HITRUST) CSF is a certifiable framework that provides organizations with the needed structure and detail related to information security particularly designed towards securing PHI. It is one of the most widely-adopted security frameworks in the health care industry. Due to the wide overlap between the HITRUST CSF controls and the SOC 2 trust principles, a SOC 2 report can be used to document the controls over both standards, reducing the inconvenience of multiple reporting requirements.

Save on time and costs – A SOC 2 report provides a broad framework that encompasses or shares similarities with many other frameworks, such as the HITRUST CSF listed above. A SOC 2 report can be used to meet the reporting requirements of those various frameworks within one report.  Naturally, if you are preparing only one report, instead of a variety of different reports, you are saving time by requiring fewer audits and fewer internal resources to meet those reporting requests. Saving time means saving money.

Improved customer relationships – With a SOC 2 report you can provide your customers with a variety of internal control information, including information specific to controls over PHI, in a well-known American Institute of Certified Public Accountants (AICPA) reporting format. Additionally, information can be provided to customers quickly as you will already have one report to answer their questions and meet their needs. By having the information your customers need readily available in a format that they recognize, you are building customer satisfaction.

SOC Reports, the difference between SOC Reports, and the different types of SOC Reports are the biggest questions that we get asked. For that reason, we are holding our 4th webinar in October for Cybersecurity Awareness Month titled "Demystifying SOC Reports and the Five Trust Service Principles." This webinar is going to be co-sponsored and co-presented by Mike Mellor, CPA, from DiSanto, Priest, & Co. and will give you the opportunity to clear up the confusion and answer any questions that you might have. Details and the link to register are below:

What: Demystifying SOC Reports and the Five Trust Service Principles Webinar

When: Thursday October 27, 2016 @ 1:00 PM EST

SOC Report Webinar Registration

Contact Us

Get Email Notifications

No Comments Yet

Let us know what you think