AICPA Creates SOC 2 Model for Health Care Space

The American Institute of CPAs has created an illustrative SOC 2 report to help CPAs report on controls over protected health information.

Developed in collaboration with the Health Information Trust Alliance, the new illustrative report incorporates criteria from the HITrust Common Security Framework, and will help CPAs in reporting on the suitability of design and operating effectiveness of controls needed to meet the applicable trust services criteria and the HITrust CSF requirements.

“This means health care information providers can more easily expand their SOC 2 reports to include controls relevant to a wide array of regulations, standards, best practices and other information protection requirements,” said AICPA senior vice president for public practice and global alliances Susan Coffey in a statement.

An AICPA working group also developed practitioner guidance and a mapping between the criteria for the security, availability and confidentiality principles included in the AICPA’s Trust Service Principles and Criteria and the requirements of HITrust CSF Version 7.

“Together, these new tools will enable practitioners who perform these engagements to streamline testing and reporting on controls based on both sets of criteria,” according to Coffey. “It is an excellent example of how SOC 2 reporting can be adapted and applied for use by a variety of industry groups.”

HITrust established the Common Security Framework for use by organizations that create, access, store or exchange personal health and financial information to enable service organizations to communicate information about the processes and procedures they use to meet the HITrust CSF requirements in addition to the applicable trust services criteria relevant to security, availability and confidentiality.
