Health Insurance Portability and Accountability Act (HIPAA) Assessments

HIPAA was updated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, which added rules that more precisely define protected health information, the parties covered, breach notification, penalties, and the enforcement of those penalties against Covered Entities and Business Associates. In 2013, the HIPAA “Omnibus Rule” was passed, solidifying numerous changes, including a requirement to review and modify security measures so that they continue to provide “reasonable and appropriate” protection of Electronic Protected Health Information (e-PHI).

A large and growing number of covered entities, such as healthcare providers and payers, use cloud services to process, store, and transmit e-PHI. The law and regulations extend the requirement to protect PHI to those cloud service providers, which act as “Business Associates” under certain business associate agreements (BAAs).

For healthcare customers that need compliance reporting specific to HIPAA, beyond the HIPAA/HITRUST mappings that can be provided in an enhanced SOC 2 report, BARR can provide a HIPAA attestation delivered as an AT 601 Compliance Attestation report. The AT 601 Compliance Attestation Report includes an opinion on management’s assertion that it complied with HIPAA requirements. The report expresses an opinion on the controls in place and includes a list of the in-scope HIPAA Security Rule requirements. The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164. The Security Rule’s safeguards include:

  • Administrative Procedures – security management process, assigned security responsibility, workforce security, information access management, security awareness and training, security incident procedures, contingency plan, evaluation, business associate contract and other arrangements
  • Physical Safeguards – facility access controls, workstation use, workstation security, device and media controls over hardware and software
  • Technical Safeguards – access control, unique user identification, emergency access procedures, automatic logoff, encryption and decryption, audit controls, integrity, mechanism to authenticate electronic protected health information, person or entity authentication, and transmission security

Health Information Trust Alliance (HITRUST)

The HITRUST Common Security Framework (CSF) is, in HITRUST’s own words, “a certifiable framework that provides organizations with a comprehensive, flexible and efficient approach to regulatory compliance and risk management. Developed in collaboration with healthcare and information security professionals, the HITRUST CSF rationalizes healthcare-relevant regulations and standards into a single overarching security framework.” The HITRUST CSF maps to other standards and regulations such as HIPAA, NIST, ISO, PCI, and COBIT, and this includes a mapping to the SOC 2 reporting criteria. A SOC 2 for HITRUST is a complementary reporting option that service providers can use to demonstrate compliance to their healthcare customers.