In Part 1, we looked at a brief HIPAA history, defined PHI and ePHI, and compared covered entities to business associates. We also touched on the main HIPAA rules, including the Privacy Rule, the Security Rule, and the Breach Notification Rule.
Then, in Part 2, we discussed “The Seven Fundamental Elements of an Effective Compliance Program” as spelled out by the US Department of Health & Human Services (HHS). Additionally, we described common HIPAA violations and fines.
In the final post of our HIPAA Compliance Basics series, we’ll tell you why third-party validation matters. After that, we’ll wrap up with an overview of our SOC 2 + HITRUST Report. Let’s dive in!
Security audits are a reliable way to identify gaps in your information security program. Remediating these gaps is the best way to strengthen your security over time.
Security audits fall into two major categories: internal and external. What’s the difference?
Internal audits are self-assessments performed by company employees. As a best practice, you should perform these audits throughout the year. Tasks that fall into this bucket include:
• Self-assessment questionnaires based on collective security frameworks
• Monitoring and logging of administrative/technical/physical controls
• Updating policies and procedures
• Reviewing vulnerability scans
Internal audits are instrumental in assuring that your data is safe and in preparing for an external review.
In contrast to internal audits, external checks are performed by independent and unbiased third-party auditors. These auditors are highly trained and certified in their area of audit expertise. This third-party validation can take days, weeks, or even months to complete.
Third-party validation is crucial because it helps meet compliance obligations. It also provides an unbiased opinion on the design and operating effectiveness of your security and compliance controls. After reviewing the audit results, the auditor delivers an official report, compliance statement, or certification.
As you can see, third-party validation holds more weight and thus builds more trust than a self-assessed internal audit.
We designed our HIPAA compliance program to reflect best practices for data protection and to build trust with our clients. But we didn’t stop there. We wanted to test ourselves through the rigors of an external third-party validation audit.
With HIPAA, one of the best ways to do that is by using the HITECH Common Security Framework (HITECH CSF) to map HIPAA regulations to measurable security controls.
As we’ve learned, HIPAA has guidelines for administrative, technical, and physical safeguards to protect PHI and ePHI. It also outlines requirements for HIPAA covered entities and business associates.
The HITECH CSF, however, captures not only all of the HIPAA safeguards but also risk management and security guidance from other frameworks, including ISO (International Organization for Standardization), PCI DSS (Payment Card Industry Data Security Standard), and NIST (National Institute of Standards and Technology), to name a few. It’s a comprehensive framework!
We’ve written about the benefits of our SOC 2 compliance, and we now have a good grasp of HIPAA compliance thanks to Part 1 and Part 2 in this series.
So, when setting out for third-party validation of our HIPAA compliance controls, it made the most sense to combine a SOC 2 + HITRUST Opinion audit and report.
With our SOC 2 + HITRUST report, we have the best of both the SOC and HITRUST Opinion worlds.
What does that mean for you? It means your data is safe because unbiased auditors (held to the highest standards set forth by the AICPA) have attested that our controls, including those controls from the HITRUST framework, are designed appropriately and are operating effectively.
Is your client data as safe as it could be? Find out how secure your current practices are with a FREE Secure Mail Assessment.