System and Organization Controls for Healthcare Organizations

By Scott M. McAuliffe, CPA, CISA, CFE, Risk Advisory Services Partner

Internal Controls for Healthcare Organizations

For healthcare companies, choosing a third-party service provider that you can trust is critical. In many cases, the healthcare company is entrusting the service provider with its customers’ protected health information (PHI), which is protected by the Health Insurance Portability and Accountability Act (HIPAA). Under HIPAA, penalties for a single violation can reach $50,000 and cap out at $1.5 million annually.

Thus, it is essential that a healthcare company use service providers that have strong internal controls to protect its customers’ PHI. But how can a healthcare company perform due diligence and gain assurance over its service providers’ security?

Healthcare system and organization controls: manual audits vs SOC 2 reports

One option is for the healthcare company to include specific security requirements within its contracts with the service provider. Some healthcare companies go as far as to manually audit the security of their higher-risk providers. In doing so, the healthcare company gains assurances through the manual review and the service provider’s contractual representations that certain security controls are in place. However, this is labor-intensive, especially for organizations that have a large number of vendors.

A second option is to request and review a service provider’s System and Organization Controls (SOC) 2 Report. SOC 2 Reports are widely accepted and provide assurances relating to the service provider’s controls surrounding Security, Availability, Confidentiality, Processing Integrity, and Privacy. SOC 2 Reports therefore replace the laborious manual audit with a simple report review process. Service providers benefit by undergoing a single examination by a CPA firm rather than continuous customer audits. Because of the reduced overall effort, increased rigor of the audit, and the broad acceptance across industries, it is no surprise that SOC 2 reports are popular.

As a best practice, when evaluating third-party service providers, a healthcare company should determine if the provider obtains a SOC 2 report annually. If so, the healthcare company should obtain and review the SOC 2 report to confirm the service provider has adequate data security controls. If the prospective service provider does not have a SOC report, the healthcare company should determine if the service provider obtains another industry-recognized certification such as HITRUST.

Source: Becker’s Hospital Review

Are you a healthcare company that uses third-party service providers and want to learn more about SOC reports? Or are you a third-party service provider whose clients include healthcare companies and want to learn more about the SOC reporting process? Keiter’s Risk Advisory Services team can help you.

About the Author

Scott M. McAuliffe, CPA, CISA, CFE, Risk Advisory Services Partner

Scott leads the Firm’s Risk Advisory Services practice, which focuses on providing internal audits, cybersecurity and information technology consulting, Sarbanes-Oxley assistance and System and Organization Controls (SOC) Exams. Scott focuses on providing his clients with cost effective solutions to build strong, efficient internal control systems/practices that support their strategic objectives. In 2021, Scott achieved the Cybersecurity Maturity Model Certification (CMMC) Registered Practitioner (RP) status in order to provide CMMC services to Department of Defense prime and subcontractors.

The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.
