SOC 2 compliance means meeting the Service Organization Control 2 standards for managing and securing data, developed by the American Institute of Certified Public Accountants (AICPA). In the healthcare industry, a SOC 2 compliance certification can help demonstrate adherence to a recognized security framework in the event of a data breach or security incident. This article explains:
- What is SOC 2?
- SOC 2 Type 1 vs SOC 2 Type 2 Compliance
- SOC 2 Type 2 Compliance Requirements
- Compliance with SOC 2 vs HIPAA Compliance
- The Benefits of SOC 2 Compliance in Healthcare
- Conclusion: Why You Should Consider a SOC 2 Compliance Audit
What is SOC 2?
SOC 2 is a voluntary compliance standard for organizations that wish to demonstrate compliance with a recognized security framework. Originally developed in 2010, SOC 2 is regularly updated to address the evolving cybersecurity landscape and can be a valuable certification for organizations in healthcare due to its focus on security, availability, processing integrity, confidentiality, and privacy.
To become SOC 2 compliant, organizations must prepare for and undergo an audit conducted by an AICPA-certified public accountant or by an AICPA-commissioned audit firm. When an organization passes the audit, the resulting report can assure potential clients, stakeholders, and regulatory authorities that the organization has controls in place to protect the privacy and security of data.
SOC 2 Type 1 vs SOC 2 Type 2 Compliance
There are two “Types” of SOC 2 compliance audits – a SOC 2 Type 1 audit and a SOC 2 Type 2 audit. A Type 1 audit describes the organization’s system and confirms that controls exist to support data security, availability, processing integrity, confidentiality, and privacy at a point in time, whereas a Type 2 audit reports on how effectively those controls operated over a period of time.
For most organizations, only a pass in a SOC 2 Type 2 audit is worth obtaining, because a Type 2 audit proves the required controls are actually being applied. A SOC 2 Type 1 audit is the equivalent of permanently parking a new car by your house and never using it. Type 1 SOC 2 compliance says, “we have the controls”. Type 2 SOC 2 compliance says, “we use the controls”.
SOC 2 Type 2 Compliance Requirements
There are no one-size-fits-all SOC 2 Type 2 compliance requirements because some “Trust Services Criteria” and “Points of Focus” will apply to some organizations, but not others. For example, the controls for processing integrity would be a point of focus for an organization analyzing PHI, but not for an organization that provides “no view” cloud storage services to healthcare providers.
There are five “Trust Services Criteria”. Other than the security controls, which every audit must cover, organizations have the discretion to select which other controls and points of focus they wish to include in a SOC 2 compliance audit. Generally, which SOC 2 Type 2 compliance requirements to include in an audit is determined by the purpose of the audit (e.g., to provide assurance to a Covered Entity).
Compliance with SOC 2 vs HIPAA Compliance
There are many similarities between SOC 2 compliance and HIPAA compliance, and it should not take a lot of effort for an organization that is already HIPAA compliant to achieve SOC 2 compliance. For example, to comply with the SOC 2 security controls, a healthcare provider may only need to install web application firewalls (if applicable), integrate a network intrusion detection solution with a SIEM, and protect sensitive accounts with two-factor authentication.
With regards to the other SOC 2 controls, many points of focus would already be included in a HIPAA risk assessment. For example, under the confidentiality controls, healthcare providers would be required to map how PHI is managed when it is created, stored, used, or transmitted via a personal device; while, under the privacy controls, the nine components of AICPA’s Privacy Management Framework bear a strong resemblance to the HIPAA Privacy Rule.
The Benefits of SOC 2 Compliance in Healthcare
The benefits of SOC 2 compliance in healthcare can more than justify any effort required to bring systems into line with AICPA’s Trust Services Criteria. For example, a healthcare organization that can demonstrate SOC 2 compliance to HHS’ Office for Civil Rights may qualify for a mitigated penalty, audit, or corrective action plan under the Safe Harbor amendment to the HITECH Act in the event of a data breach or security incident.
Additionally, if a business associate is able to demonstrate SOC 2 compliance to a HIPAA covered entity, it reduces the amount of due diligence the covered entity is required to conduct on the business associate before engaging them to provide goods or services. In all cases, a SOC 2 audit can help healthcare organizations with internal governance, risk management, and the development of policies and procedures to support HIPAA compliance.
Conclusion: Why You Should Consider a SOC 2 Compliance Audit
If you are a healthcare provider, or an organization aiming to provide goods or services to a HIPAA covered entity, there are a number of reasons why you should consider a SOC 2 compliance audit. Not only might the preparation work for an audit expose compliance gaps that would not otherwise have been identified, but you may also find better, more efficient ways of complying with the HIPAA Administrative Simplification Requirements.