Published on: June 9, 2014

HITRUST and the American Institute of Certified Public Accountants (AICPA) are collaborating to establish SOC 2 reporting for healthcare organizations that would leverage and align the HITRUST Common Security Framework (CSF) as additional suitable criteria. HITRUST is looking for individuals interested in serving in an advisory role to provide input and feedback in support of a joint AICPA and HITRUST initiative.

This industry Advisory Panel will work closely with a working group being formed by the AICPA. The AICPA working group consisting of AICPA members knowledgeable in healthcare and third-party reporting will be developing and publishing a set of recommendations to streamline and simplify the process of leveraging the HITRUST CSF and CSF Assurance as additional suitable criteria for SOC 2 reporting. The AICPA developed SOC 2 for reporting on controls relevant to security, availability, processing integrity, confidentiality, and/or privacy. The work product to be developed will provide healthcare organizations that must comply with HIPAA or other regulatory requirements a comprehensive and standardized control framework to support their SOC 2 reporting requirements.

Some of the benefits to healthcare organizations of this initiative include:

  • Being able to leverage the HITRUST CSF controls in meeting SOC 2 reporting requirements
  • Realizing significant time efficiencies and cost savings due to the overlap between the CSF controls and Trust Services Principles and Criteria
  • Reducing the burden of multiple control frameworks and reporting requirements
  • Having one comprehensive, scalable and kept up-to-date framework relevant to their organization type that can be leveraged to meet the wide and varied array of information protection requirements

Those interested in participating on the advisory group should be knowledgeable about the CSF, the CSF assurance process and third party reporting. Familiarity with the SOC 2 Trust Services Principles and Criteria would also be beneficial. It is anticipated that most of the meetings will occur via conference calls, starting in July of this year. The frequency of the calls is not known at this point but will most likely occur bimonthly and could last up to two hours. In additional to participating in any calls, members of the advisory group will be asked to review and comment on work products produced by the working group. Although dependent upon the final work product, the time line for this initiative is estimated to be six to nine months.

Those individuals interested in participating can indicate interest at hitrustalliance.net/working-group-signup.