Tech Services Vendor HIPAA/HITECH Audit and Assessment Considerations
One of my key areas of practice is, and for some years has been, HIPAA compliance assessments for technology companies and professional services firms serving health care organizations. These companies provide anything from outsourced EMR/EHR and administrative systems, to health information exchange (HIE) and related services, to e-discovery, legal, accounting and consulting services.
Any or all of these may be asked to assure their Covered Entity clients that they have security (and perhaps privacy) policies and procedures appropriate for Business Associate compliance. They are all also very likely to have to ensure their own compliance when the HITECH Business Associates regulations are final and effective. (It’s something I will have to do for my own firm – I do provide services as a Business Associate or subcontractor, after all.) So I’ve developed a few considerations I like to put before clients asking me about these processes and how to handle them.
Assessment Considerations.
The principal considerations in structuring a HIPAA/HITECH assessment are the following:
- Who is the principal audience? Is it compliance staff, management, the executive team, clients, regulatory authorities or some combination?
- What is the appropriate scope? Right now it is HIPAA, but the HITECH Megarule’s probable requirements are well-enough known that inclusion should at least be considered even prior to its publication. Likewise, it may be possible to include meaningful use requirements for some companies, such as EHR vendors, who might find this useful to provide to healthcare provider clients in particular. I have also worked with healthcare IT services organizations which found it useful to identify their services supporting client compliance with JCAHO requirements.
- What existing resources can the client draw upon? In particular, prior to initiating engagement of an external auditor to provide a report for external use it will be highly advisable to develop a description of the company’s control objectives which maps to the scope of the assessment, internally review the client’s controls which support those objectives, and where gaps are identified either adjust the objective (if appropriate) or take corrective action.
Assessment Strategies.
There are a few different ways to approach this kind of project.
- Assessment could be conducted internally, by security staff and internal audit. I would as a rule expect that this has been happening to some extent, as a matter of management’s due diligence and perhaps in response to client contract requirements or requests. (Note that under the HITECH Megarule routine security assessments are likely to be required of Business Associate service organizations.) Information generated through internal reporting is essential, but may not be fully trusted by external stakeholders. If external stakeholders are the principal audience, internal assessment is probably most valuable as preparation for external assessment.
- External assessment could be conducted by a CPA firm under AICPA attestation standards. In particular, a service organization controls (SOC) 2 report could be obtained, which is a restricted-use report intended for the company's management and for clients (and prospective clients) who understand the system, or a SOC 3 report could be obtained, which is a general-use report that can be freely provided to third parties such as clients. The former could be used to support representations by the client to its customers, but the latter would probably be viewed as more trustworthy by external stakeholders.
- Note that a SOC 2 report can be “Type 1” or “Type 2.” A SOC 2 Type 1 report attests to whether management’s description of its system is fairly presented and whether its controls are suitably designed, as of a specified date, to meet the applicable “trust services criteria” (security, availability, processing integrity, confidentiality and privacy). A Type 2 report covers the same matters but adds an opinion as to whether the controls operated effectively over a review period (typically six to twelve months). A SOC 2 Type 2 report therefore requires a more intrusive and burdensome auditing process, including observation and testing of the controls in operation.
- A non-CPA assessment could be structured and performed which covered essentially the same ground as a SOC 2 or 3 assessment, with a report to management which could be made available to external stakeholders. This would probably not be considered as trustworthy as the equivalent SOC report by some external stakeholders.
Legal Considerations.
I am not a CPA and do not work in an accounting firm, though I did so for a time as a HIPAA security assessor. Only CPAs can provide a SOC attestation, but it can be helpful to have a lawyer who understands this process support management. A savvy lawyer can support and assist internal assessments, and can lead or support external assessments, and review and assess policies, procedures, business processes and relevant documentation (e.g. subcontracts, risk assessments, etc.).
Engaging a lawyer in this process has certain advantages.
- Audits and assessments proceed based upon management’s definition of control objectives, which in my view should definitely be supported by legal counsel. Control objective statements define the scope of assessment. Since the goal of this assessment is to determine compliance with legal requirements, definition of control objectives can require some interpretation of statutes, regulations and caselaw. This can be particularly helpful in defining objectives where there are overlapping or conflicting legal requirements, in “grey areas,” where the organization must consider and accept potentially material risks, and where the assessment team is not itself supported by legal counsel experienced in healthcare IT.
- Non-lawyers are not legally qualified to render opinions as to the legal adequacy of controls. I have often been asked to give legal opinions about whether or not a given organization is “HIPAA compliant,” or a given system’s controls are “appropriate for HIPAA compliance.” (Note that HIPAA compliance is judged at the organizational, not the system level.) Assessors’ reports which include opinions about HIPAA compliance should be rejected, and in my experience often are. Negative opinions in reports or drafts nonetheless create evidence against the organization, so opinions as to legal compliance should be ruled out when a non-lawyer engagement is set up.
- In addition to opinions about legal compliance, reports may include opinions about the adequacy of controls which are not based on regulatory standards, or are otherwise questionable. Management may have made a considered decision to implement a given control based on a HIPAA-appropriate risk analysis, which the assessor may seek to second-guess. It can be appropriate to challenge such reports, which in my experience are sometimes based on questionable regulatory interpretations.
Attorney-client communications are generally confidential. This can be valuable in allowing for frank discussions about possible compliance gaps or risk determinations, where there may be some potential legal exposure. This can be especially valuable in reviewing internal assessment information preparatory to external assessment, in defining control objectives, and in analyzing and deciding how to respond to draft reports. A good lawyer can advise fiduciary executives in these areas to support their risk and compliance decision-making.
By Auditor Question September 25, 2012 - 2:18 pm
Can you explain more fully, the basis for why a SOC 3 may have more trust value than a SOC 2?
A SOC 3 report is missing a description of controls and tests performed, removing the ability to independently determine whether the scope of controls is appropriate, whether effective design is understood by the provider, and whether the assessor’s tests were adequate for the needs of the report audience.
Excerpt referenced: “In particular, a service organization controls (SOC) 2 attestation could be obtained for use by COMPANY management, or a SOC 3 attestation could be obtained which could be provided to third parties such as clients. The former could be used to support representations by the client to its customers, but the latter would probably be viewed as more trustworthy by external stakeholders.”
While the SOC 2 is written for the benefit of internal company management, company management owns the report once it is issued. By default, sharing is only restricted to appropriate audiences. Company management can choose to utilize the *option* to further restrict a SOC 2 report to company management only, but such a restriction is not mandatory for a SOC 2.
By John R. Christiansen September 27, 2012 - 12:42 pm
Thanks for your comment!
For me the underlying question is, what does the stakeholder want the report for? If the stakeholder wants to do its own factual due diligence by reviewing the auditor’s discussion of controls, maybe a SOC 2 is the way to go. However, if the stakeholder accepts a SOC 2 prepared for vendor management, it is also accepting that report as commissioned (and therefore influenced) by management, and without any legal duty from the auditor to the stakeholder. If I’m really concerned to obtain this kind of information, however, I probably also want the auditor to be reporting to me, not management, so I would want to commission such a report myself.
The reason I commented that a SOC 3 is likely to be viewed as more trustworthy by an external stakeholder reflects this same concern with legal duties. While management may commission the SOC 3, the auditor is exposed to potential third party liabilities if external stakeholders rely on it. (That may be one reason the SOC 3 doesn’t include the same kind of details as a SOC 2 – less content means there are fewer representations an external party can claim it relied upon.) While I do assume and hope that auditors and opining lawyers will do their ethical duties whether reporting or opining for management or for external reliance, I can’t help but believe that documentation prepared for internal use is somewhat more likely to be influenced by management, compared to documentation prepared with an awareness that somebody outside of management might have a claim based on its content.