HIPAA Archives
HITRUST vs. SOC 2 – Why 911³Ō¹Ļ Chose HITRUST (Thu, 22 Feb 2024)

There are two main certifications for data security and confidentiality, SOC 2 and HITRUST. Here's why 911³Ō¹Ļ opted to pursue the latter.

SOC 2 Overview
A Service Organization Controls (SOC) 2 audit examines the controls an organization has in place to protect and secure its system, or the services used by customers or partners. An organization's security is assessed against the requirements of a SOC 2 examination, known as the Trust Services Criteria (TSC). The governing body of the SOC framework sets the U.S. standards that auditors follow for SOC 2 examinations.

The report assesses if a company’s controls are appropriately designed and working under the five TSC. They include:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

Security is the only TSC that must be met in the SOC 2 report. The other four are optional but are usually added depending on the type of service(s) that an organization offers. This versatility is essential because SOC 2 reports are meant for use across all industries. No matter the nature of the business, the focus is on securing digital information.

There are two types of SOC 2 reports, Type 1 and Type 2.

  • SOC 2 Type 1 evaluates an organization's cybersecurity controls at a single point in time. The goal is to determine whether the internal controls put in place to safeguard customer data are sufficient and designed correctly. Do they fulfill the required TSC? Type 1 audits and reports can be completed in a matter of weeks.
  • SOC 2 Type 2 examines how well a service organization’s system and controls perform over a period of time (typically 3-12 months). What is their operating effectiveness? Do they function as intended? Type 2 audits can take 12 months to complete and are costlier than Type 1 audits.


How Does SOC 1 Differ From SOC 2?
SOC 1 Type 2 is an audit 911³Ō¹Ļ undergoes annually. It focuses on financial controls instead of data security. If a company uses a third-party service provider to perform crucial financial reporting processes (e.g., an outsourced payroll management system or a revenue reporting platform), the company will likely ask those service providers for a SOC 1 report. As a bill review provider conducting payment processing services on behalf of clients, 911³Ō¹Ļ frequently provides our SOC 1 report to customers.

Like SOC 2, there are two levels of SOC 1 audits:

  • SOC 1 Type 1 evaluates the fairness of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description, as of a specified date.
  • SOC 1 Type 2 evaluates the fairness of management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period. Type 2 audits are much more robust than Type 1. Type 2 audits actually evaluate if a company is doing what it says over a period of time.


HITRUST Overview
Founded in 2007, HITRUST is a not-for-profit organization advocating programs that protect sensitive information and manage information risk.

While the HITRUST Common Security Framework (CSF) is designed for all industries, it is closely associated with the healthcare industry's challenges, such as the numerous applications of controls specific to healthcare (e.g., ). Overall, the HITRUST framework is used as a guide by organizations that deal with ePHI. The HITRUST CSF was a response to the need for more consistency in certifications. The aim is to have a standard regulation and risk management framework.

HITRUST CSF consolidated the varying requirements of multiple standards and regulations and checks for the following:

  • The presence of clearly defined procedures and policies
  • Capability testing to prove its implementation
  • Demonstration of a company’s ability to measure and manage these controls

Compliance with this framework ensures the protection of sensitive ePHI. This is why meeting the HITRUST CSF requirements is vital to stay on top of all relevant regulations and standards.

Both SOC 2 and HITRUST reports revolve around the protection of sensitive personal data. One main difference is that SOC 2 is an attestation report, while HITRUST is a certification.

Attestation Report (SOC 2)
An attestation report contains management's confirmation that the information in the report is accurate. An independent auditor then confirms this report by issuing an opinion. The opinion in the SOC 2 report can be clean (unqualified), qualified, or adverse. Qualified means that the testing cannot confirm at least one of the objectives identified by management. Adverse implies that the testing has failed to verify most of the objectives outlined by management. Even though it may seem to carry an asterisk, a qualified report is still reliable, but the company must follow up on it to prove that remediation steps have been taken to address any issues raised in the qualified report. SOC 2 reports are completed yearly, and it may take one to three months from the completion of testing to report delivery. This depends on how promptly the SOC 2 client can provide the documentation and evidence needed for testing.

Certification Report (HITRUST)
The HITRUST report differs from SOC 2 because it comes with a certification. It has more details peppered in with the report, with five times more controls, as it incorporates requirements from numerous standards within the HITRUST CSF. Within the HITRUST report, the organization's management needs to submit a Letter of Representation instead of the management assertion inscribed within the SOC 2 report. This Letter of Representation is still collected within the SOC 2 report but is not included in the final report. The opinion in the HITRUST Certification letter is presented as a Letter of Certification or Letter of Validation, all dependent on the final score of the conducted assessment. The HITRUST certification has a duration of two years, with interim testing finished within a year. Because of the increased number of controls, it takes more time and significantly greater resources to complete.

Why 911³Ō¹Ļ Chose HITRUST Certification
Given the volume of ePHI 911³Ō¹Ļ stores and processes as part of our daily operations, it was clear that HITRUST certification would best serve our customers’ needs, and we made significant investments in infrastructure, processes, and personnel to achieve it. With five times the controls of SOC 2, achieving HITRUST Risk-based, 2-year (r2) Certification assures our clients that we are using the highest security standards to safeguard their sensitive data from ongoing digital threats facing the healthcare and insurance industries.

HIPAA Fines – More Prominent and Pricey (Tue, 27 Sep 2016)

In looking at a recent article on HIPAA fines, it is clear that penalties from the Department of Health and Human Services for HIPAA violations are increasing. While the number of audits performed is still small, there is an upward trend in the frequency and fine amounts that will continue. Currently, the average settlement is 2 million dollars.

Even for patient data not covered by HIPAA requirements, the workers' compensation industry still needs to guard patient information diligently. It is the ethically right thing to do, regardless of the government's involvement.

For this reason, we have recently added the below language to our 911³Ō¹Ļ brand promise:

"We treat our customers' time, money, health and information as if it were our own."

Common Sense & HIPAA (Tue, 12 Jul 2016)

This article discusses a HIPAA violation so obscene it is difficult to believe. A nurse took a picture of a patient's private area while he was unconscious, and then sent the pictures to her coworkers via text message.

Obviously this is a colossal mistake, and a violation of privacy, decency and common sense.

These types of HIPAA transgressions could lead to the following consequences for the patient and the violator:

  • People can lose their health insurance
  • People can have their identity stolen and experience financial fraud
  • It can cause personal embarrassment
  • It can cost people their job
  • Employees can lose their license and/or acquire a criminal record

The implications can be life changing for all parties involved.

People make mistakes. However, our culture of "instant communications" and social media makes people more prone to these types of errors than ever. One quick text or tweet without thinking it through, and a patient's and an employee's life can change dramatically for the worse. This is a good reminder. We in the medical management and insurance industries must be vigilant with our employee training, policies, and procedures.
