Compliance for Healthcare Companies

Healthcare companies which include, health care providers, insurers and their business associates have received some considerable and definitive guidance over the requirements on how they should handle and communicate patient information. Under HIPAA in 1996 and revisions to HIPAA made in 2009’s HITECH Act, healthcare companies are limited in the types of PHI (personal health information) they can collect from individuals, share with other organizations or use in marketing communications.

Increased demand for security, privacy and regulatory compliance has escalated the need for healthcare companies to obtain a third-party assurance over the controls that are in place to protect PHI. Compliance attestations and reviews play an important role for healthcare companies by establishing credibility and trust with their customers and have been used as a marketing tool to enter new markets or expand existing market share.

There are many compliance attestations or reviews available to the healthcare industry today. Some of the options that are governed by the AICPA are: the System and Organization Controls (SOC) for Service Organizations (SOC 2®) Attestation, Agreed-Upon Procedures Review or Compliance Attestation. If a healthcare company is in the market for an attestation that provides customers and other relevant parties with assurance about controls relevant to security, availability, processing integrity, confidentiality and/or privacy that do not affect their customers’ internal controls over financial reporting, a SOC 2® report is the logical choice for examining internal controls. Whereas the Agreed-Upon Procedures Review and Compliance Attestation are usually driven by a specific customer or customers that require the healthcare company abide by a defined set of requirements or standards.

Healthcare Company’s SOC 2® attestation involves the following critical areas:

  1. Security: the system is protected against unauthorized access (both physical and logical).
  2. Availability: the system is available for operation and use as committed or agreed.
  3. Processing Integrity: system processing is complete, accurate, timely and authorized.
  4. Confidentiality: information designated as confidential is protected as committed or agreed.
  5. Privacy: personal information is collected, used, retained, disclosed and destroyed in conformity with commitments in the organization’s privacy notice and with criteria set forth in generally accepted privacy principle issued by the AICPA and CICA.

Healthcare company’s Agreed-Upon Procedures Review is a specific set of controls that are defined by a customer. The Compliance Attestation’s scope is defined by the complete set of controls in a specific standard or regulation (such as HIPAA, HITECH or DEA 1311.120 Electronic Prescriptions for Controlled Substances Act).

The scope of these attestations and reviews are determined by the healthcare company and their customers. Accordingly, a well scoped attestation can clearly demonstrate your organization’s quality of service and ensure that sufficient information is provided to your user organizations to communicate your stringent controls over physical security, environmental security, authorized access and continuous availability of services.

Compliance Process

We tailor every attestation engagement to our client’s requirements. However, we have a fundamental four phase process that normally meets our clients’ needs and creates an efficient, unobtrusive attestation that enables you to focus on your business while we focus on your compliance.

Scope (Phase 1): Not every SOC 2<sup>®</sup> attestation engagement has the same requirements. Each company can vary depending on the type of services they perform for their customers. We have years of experience working with just about every industry and work with our clients to ensure that we cover the appropriate scope to ensure your customers’ needs are satisfied. While the scoping phase of our attestation is normally covered during our initial quoting process, we offer a formal meeting with our clients to ensure we have a mutual understanding of the attestation goals.
<p> <h2 style="display:inline;">Plan</h2> (Phase 2): We offer two options for the planning phase of your attestation:</p><!-- [et_pb_line_break_holder] --><ol><!-- [et_pb_line_break_holder] --> <li>We provide our in-house developed questionnaires and request list that are based on industry leading compliance frameworks such as CobiT, ISO 27000, PCI and HIPAA. Customers benefit from this approach by getting to work at their own pace with just a deadline in mind.</li><!-- [et_pb_line_break_holder] --> <li>The other option is an onsite visit to perform walkthroughs of the relevant service offerings. We then customize our attestation plan and deliver a detailed document request list to prepare our clients for phase three (fieldwork).</li><!-- [et_pb_line_break_holder] --> </ol>
<p><h2 style="display:inline;">Fieldwork</h2> (Phase 3): Our service auditors have a minimum of five years of experience with the Big 4 global CPA firms, large consulting firms and smaller boutique firms that specialize in SOC 2<sup>®</sup> attestation. Due to this, we are efficient and understand what is required for each attestation.</p>
Report & Market (Phase 4): Your SOC 2<sup>®</sup> service auditor’s report is essentially the product for which you pay. We provide well defined and quality written reports that focus on providing your customers with everything they need from a third-party assurance perspective. We take pride in delivering professional quality reports in a timely manner; we stand behind everything we issue. Publicizing or marketing your service auditor’s report is the opportunity for your attestation to pay for itself. A major benefit from completing the SOC 2<sup>®</sup> attestation is the tangible return on investment that is created from having your company examined under the SOC 2<sup>®</sup> standard. We provide customized press release information and a SOC for Service Organizations logo to place on your web site, all included in our fixed fee pricing.

Project Timeline: Four Phase Audit

For More Information Speak to a Service Auditor at Roosa CPA, LLC (877) 410-8516

Back to Industries