System and Organization Controls for Healthcare Organizations


Internal Controls for Healthcare Organizations

For healthcare companies, choosing a third-party service provider that you can trust is critical. In many cases, the healthcare company is entrusting the service provider with its customers’ protected health information (PHI), which is protected by the Health Insurance Portability and Accountability Act (HIPAA). Under HIPAA, penalties for a single violation can reach $50,000 and cap out at $1.5 million annually.

Thus, it is essential that a healthcare company use service providers that have strong internal controls to protect their customers’ PHI. But how can a healthcare company perform due diligence and gain assurance about its service providers’ security?


Healthcare System and Organization Controls: manual audits vs. SOC 2 Reports

One option is for the healthcare company to include specific security requirements in its contracts with the service provider. Some healthcare companies go as far as to manually audit the security of their higher-risk providers. In doing so, the healthcare company gains assurance through the manual review and the service provider’s contractual representations that certain security controls are in place. However, this is labor intensive, especially for organizations that have a large number of vendors.

A second option is to request and review a service provider’s System and Organization Controls (SOC) 2 Report. SOC 2 Reports are widely accepted and provide assurance relating to the service provider’s controls surrounding Security, Availability, Confidentiality, Processing Integrity, and Privacy. SOC 2 Reports therefore replace the laborious manual audit with a simple report review process. Service providers benefit by undergoing a single examination by a CPA firm rather than continuous customer audits. Because of the reduced overall effort, the increased rigor of the audit, and the broad acceptance across industries, it is no surprise that SOC 2 reports are popular.

As a best practice, when evaluating third-party service providers, a healthcare company should determine whether the provider obtains a SOC 2 report annually. If so, the healthcare company should obtain and review the SOC 2 report to confirm that the service provider has adequate data security controls. If the prospective service provider does not have a SOC report, the healthcare company should determine whether the service provider holds another industry-recognized certification such as HITRUST.

Source: Becker’s Hospital Review


Are you a healthcare company that uses third-party service providers and want to learn more about SOC reports? Or are you a third-party service provider whose clients include healthcare companies and want to learn more about the SOC reporting process? Keiter’s Risk Advisory Services team can help you.

About the Author

Scott leads the Firm’s Risk Advisory Services practice, which focuses on providing cybersecurity services, internal audits, information technology audits, Service Organization Control (SOC) audits, and Sarbanes-Oxley assistance. Scott focuses on providing his clients with cost effective solutions to build strong, efficient internal control systems/practices that support their strategic objectives. Read more of Scott’s insights on our blog.

The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.
