This article was updated April 28, 2022.
System and organization control (SOC) examinations, also referred to as SOC audits, aren’t always contractually required, but they’re increasingly being requested by regulators or health care companies and organizations as part of doing business.
The purpose of a SOC audit is to report on the effectiveness of a company’s internal controls and safeguards they have in place while providing feedback that’s both independent and actionable.
In the health care industry, business associate agreements and other contractual client obligations often require an annual SOC report for either SOC 1 or SOC 2.
Discover why your health care organization needs a SOC audit, how a SOC audit can help avoid security breaches, and the overall benefits a SOC audit can provide.
If you have any questions about what type of SOC report your health care organization needs, see What Is a SOC Audit, and Why Is It Important?
Why Does a Health Care Organization Need a SOC Audit?
While additional controls need to be considered, a SOC audit can provide a check against Affordable Care Act (ACA) regulations and help with achieving Health Insurance Portability and Accountability Act (HIPAA) compliance.
ACA Requirements
The ACA’s 2010 implementation added a host of regulatory and compliance requirements, including measures to ensure the privacy of patient data. Health care organizations are required to maintain stringent controls on privacy and confidentiality, considering the type of information they maintain. This, in turn, has increased the demand for SOC audits on the part of health care organizations.
HIPAA Compliance
Similarly, HIPAA drives a rapid increase in demand for SOC reports. HIPAA mandates the security and privacy of personal medical information. Most of this data is now stored in an electronic format, so the importance of an assessment performed by an objective SOC audit resource is greater than ever.
SOC Compliance According to HIPAA Standards
HIPAA expansions have extended SOC compliance requirements to include business associates and entities that handle electronic protected health information (ePHI). If your organization has any interaction with the health care industry, it will need to have adequate protections in place to reduce the risk of unintended disclosure of ePHI.
Compliance issues for technology related to HIPAA are powerful drivers when it comes to trust criteria within security, confidentiality, and privacy of information. SOC security criteria related to data protection provide a strong baseline for compliance with the HIPAA frameworks, and mapping can give users an understanding of how a company protects ePHI.
Can a SOC Audit Help Prevent Security Breaches?
A SOC audit covers criteria that enable companies to lessen the risks of a breach. The SOC 2 compliance baseline security criteria focus on security policies and procedures and the effectiveness of a company’s internal controls to mitigate the risk of a breach.
Many health and wellness programs and procedures are now available on mobile devices. Hospitals and clinical practices must be aware of the threat of security breaches.
Potential Health Care Cybersecurity Breaches
- Health data hacking
- Insider or employee fraud
- Unintentional actions, for example, when a hospital employee accidentally falls prey to system-user fraud or a phishing scam
- Supply chain attacks or breaches, such as when information a hospital shares with a third-party vendor is hacked through the vendor’s platform
To learn more about cyberthreats the health care industry faces, especially with the increase in use of telehealth platforms during COVID-19, see our article.
For additional cybersecurity resources, please see:
- A SOC Examination for Cybersecurity Could Combat Risk for Remote Work
- Mitigate Risk and Reduce Due Diligence Effort with a SOC for Supply Chain Report
- SOC for Cybersecurity: Build Stakeholder Confidence
What Are the Benefits of SOC Reports for a Health Care Organization?
There are many drivers and benefits for conducting a SOC audit:
- Improve compliance with business audit requirements, including HIPAA, Health Information Trust Alliance (HITRUST), Payment Card Industry Data Security Standard (PCI-DSS), the ISO 27002 Standard, and Section 404 of the Sarbanes-Oxley Act (SOX 404)
- Provide due diligence to evaluate service provider controls
- Reduce time auditors and customers need to evaluate an organization
- Stay competitive when entering a new market or gaining or retaining customers
- Develop internal controls that boost a start-up’s management confidence and credibility by validating its control environment
- Monitor and maintain tighter oversight of third-party vendors
- Help mitigate security breaches
- Potentially lower insurance coverage rates
SOC reports also help health care organizations focus on controls over privacy, which is especially relevant for environments that deal with personally identifiable information (PII) or protected health information (PHI).
Privacy Criteria Topics in SOC Audits
- Privacy policies
- Personally identifiable information (PII) classification
- Risk assessment
- Incident and breach management
- Provision of notice
- Choice and consent
- Collection
- Use and retention
- Disposal
- Access
- Disclosure to third parties
- Security for privacy
- Quality
- Monitoring and enforcement
We’re Here to Help
If you have any questions about SOC compliance and how it relates to your health care organization, please reach out to your Moss Adams professional.