One important source of confusion for most organizations looking to pursue HIPAA compliance is that there is no such thing as a “HIPAA certification”. Health and Human Services (HHS) has never issued or recognized any formal mechanism to achieve such certification. Instead, what you want is a legally defensible approach to “demonstrate HIPAA compliance” to your clients, prospects and regulators.
Here are three options to show HIPAA compliance:
1) Formal HIPAA Opinion (Most Assurance, Biggest Audit Burden)
Your first option is to ask your SOC 2 audit firm for a formal HIPAA opinion under the AICPA’s audit standards. In this option, your audit firm will align your SOC 2 controls (possibly with additional controls) to the HIPAA requirements and perform formal audit testing against those controls. The end result will be a formal audit opinion/audit report stating that your firm’s controls are in alignment with HIPAA and operating effectively. This approach is recommended if you have clients or prospects demanding a high degree of assurance that you are compliant with HIPAA.
2) Include a HIPAA Mapping in Section 5 of your SOC 2 Report (Moderate Assurance, Moderate Audit Burden)
Your second option is to map your existing SOC 2 controls to HIPAA requirements and include a table with that mapping in Section 5 of your SOC 2 report. Section 5 of a SOC 2 report permits an organization to communicate additional (non-audited) information to the reader of the report. A popular option is to include a mapping to HIPAA as a demonstration of compliance. This allows your customers to read your SOC 2 report and get a sense of how that helps you achieve HIPAA compliance. From our experience, most clients and prospects will accept this as a form of “evidence” of HIPAA compliance.
3) Self-Attest that you are Compliant with HIPAA (Least Assurance, Moderate Work)
Your third option is to do all the work to become compliant with HIPAA, then simply communicate that you are compliant. The downside of this approach is that “saying you are compliant” doesn’t give your clients or stakeholders the same level of confidence as third-party independent assurance. This approach is generally acceptable only for organizations whose clients and prospects don’t consider HIPAA compliance essential to their overall business strategy.
Conclusion:
There is no true HIPAA certification. However, there are two ways you can use your SOC 2 report to demonstrate HIPAA compliance: a formal HIPAA opinion, or a HIPAA mapping in Section 5. Last, and with the least assurance, you can implement HIPAA compliance and then self-attest to your clients and prospects.