System and Organization Controls for Healthcare Organizations

By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

Internal Controls for Healthcare Organizations

For healthcare companies, choosing a third-party service provider that you can trust is critical. In many cases, the healthcare company is entrusting the service provider with its customers' protected health information (PHI), which is protected by the Health Insurance Portability and Accountability Act (HIPAA). Under HIPAA, civil penalties can reach $50,000 per violation, with an annual cap of $1.5 million for violations of the same provision.

Thus, it is essential that a healthcare company use service providers with strong internal controls protecting its customers' PHI. But how can a healthcare company perform due diligence and gain assurance over a service provider's security?

Healthcare System and Organization Controls: manual audits vs SOC 2 Reports

One option is for the healthcare company to include specific security requirements in its contracts with the service provider. Some healthcare companies go as far as manually auditing the security of their higher-risk providers. In doing so, the healthcare company gains assurance through the manual review and the service provider's contractual representations that certain security controls are in place. However, this is labor intensive, especially for organizations with a large number of vendors, and a contractual representation on its own does not verify that a control actually operates.

A second option is to request and review the service provider's System and Organization Controls (SOC) 2 report. SOC 2 reports are widely accepted and provide assurance over the service provider's controls relevant to the Trust Services Criteria: Security, Availability, Confidentiality, Processing Integrity, and Privacy. Security is the only criterion every SOC 2 report must cover; the other four are included at the service provider's election, so the report's scope should be checked rather than assumed. A SOC 2 report therefore replaces a laborious manual audit with a report review, and the service provider benefits by undergoing a single examination by an independent CPA firm rather than continuous customer audits. Because of the reduced overall effort, the independence of the examiner, and broad acceptance across industries, it is no surprise that SOC 2 reports are popular.

As a best practice, when evaluating third-party service providers, a healthcare company should determine whether the provider obtains a SOC 2 report annually. If so, the healthcare company should obtain and review the report to confirm the service provider has adequate data security controls. In reviewing it, check that the report is a Type 2 (covering the operating effectiveness of controls over a period, typically six to twelve months) rather than a Type 1 (the design of controls at a single point in time); that the period and the systems in scope cover the services actually being purchased; that any exceptions noted by the auditor have been remediated; that the complementary user entity controls the report expects the customer to operate are in fact in place; and how any carved-out subservice organizations (for example, the provider's cloud hosting vendor) are covered. A SOC 2 report supplements, and does not replace, the business associate agreement that HIPAA requires with any vendor handling PHI. If the prospective service provider does not have a SOC report, the healthcare company should determine whether it holds another industry-recognized certification such as HITRUST CSF.

Source: Becker’s Hospital Review

Are you a healthcare company that uses third-party service providers and want to learn more about SOC reports? Or are you a third-party service provider whose clients include healthcare companies and want to learn more about the SOC reporting process? Keiter’s Risk Advisory Services team can help you.

Additional Resources:

Cybersecurity for Healthcare Providers

About the Author

Christopher Moschella

Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

Chris is a Senior Manager in Keiter’s Risk Advisory Services. Chris has a strong combination of IT skills, which range from IT audit and internal control assessments, including general computer controls and application controls, to full stack web development. Most recently, Chris developed a Cybersecurity web application that assesses an organization’s resistance to social engineering attacks. Chris shares his cybersecurity insights on our blog.

The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.