How SSF can help
At Sensiba San Filippo we adhere to AICPA standards of quality controls and independence. Unlike many other independent consultants, we can offer third-party assurance as well as reporting options to fit specific needs. Our HIPAA engagement options and the assurance they provide include:
We perform procedures to evaluate the current state of compliance against a checklist or protocol/standard that identifies consistency and/or any gaps with the requirements. This is usually performed at a specific point in time as opposed to a period. These engagements are generally performed on a non-attest, or no-assurance, basis, similar to hiring a consultant or third-party expert. The advantage of having a CPA do this work is that it is often used to lay the groundwork for follow-on attestation engagements.
HIPAA Compliance Agreed Upon Procedures Engagements
This report is issued under AICPA attestation standards and is designed to allow a CPA firm to express an opinion on an organization’s compliance with the requirements of the HIPAA Security, Privacy and/or Breach Notification Rules. Management may also use our service to perform internal testing; these types of engagements can therefore also be done on a non-attest basis, which usually includes our report of our procedures without an opinion and a detailed listing of our testing results.
SOC 2 engagements and reports adapted for HIPAA
SOC 2 reports cover the internal controls at a service organization as they relate to security, availability, processing integrity, confidentiality and privacy, and serve a broad range of users who need to understand those controls. These reports are intended for use by stakeholders (e.g., customers, regulators, business partners, suppliers, directors) of the service organization; the engagement provides those stakeholders assurance in the form of a CPA-signed report over management’s description of controls and the operating effectiveness of controls. A SOC 2 report on Security and Privacy maps closely to the HIPAA security and privacy rules and can be supplemented with incremental criteria to cover gaps as needed for the service organization entity. A significant advantage of the SOC 2 report is that it is based on the standards of the AICPA and is well understood, with ever-growing acceptance in the marketplace.
SSF’s Risk Assurance Services Group can help you evaluate your needs and determine which HIPAA option will be the best choice for your business and customers.