HITRUST is pleased to announce that the American Institute of Certified Public Accountants (AICPA) has finalized its guidance for performing and issuing SOC 2 reports leveraging the HITRUST CSF. HITRUST and the AICPA have been collaborating to develop and publish guidance that specifies the process for leveraging the HITRUST CSF and CSF Assurance programs as acceptable criteria to meet the requirements for the AICPA’s Service Organization Control SOC 2 reporting.

HITRUST is committed to ensuring the HITRUST CSF and CSF Assurance programs, the industry’s most widely adopted information security framework and assurance methodology, are enhancing and streamlining information protection in the healthcare industry. A key element of the programs is their ability to support an “Assess-Once Report-Many” approach that simplifies and optimizes the assessment and reporting process for those requiring third-party assessments and those being assessed.

The use of SOC 2 as a reporting method provides healthcare and other organizations seeking to communicate their program for complying with HIPAA or other regulatory requirements with a single report that provides information regarding controls over PHI from the perspectives of both the AICPA’s Trust Services Principles and Criteria and the HITRUST CSF. This creates the ability to increase transparency and communicate through a single deliverable to customers, business partners, and stakeholders both inside and outside the healthcare sector.

This guidance between the HITRUST CSF and AICPA’s Trust Services Principles and Criteria enables service organizations whose stakeholders desire information on how controls at the service organization address the HITRUST CSF to communicate how their processes and procedures meet the HITRUST CSF, while also increasing transparency and information for decision making through the use of SOC 2 reporting.

For those interested in learning more about leveraging the HITRUST CSF and CSF Assurance programs for the AICPA’s Service Organization Control SOC 2 reporting, an informative webinar is scheduled for 11:00 a.m. CT on Tuesday, December 22.

During the webinar, industry experts Chris Halterman, Executive Director, EY and Chair of the AICPA’s Trust Information Integrity Task Force, and Ken Vander Wal, Chief Compliance Officer, HITRUST, will address key issues and answer questions regarding:

  • The synergy between the AICPA Trust Services Principles and the HITRUST CSF, and how to leverage the SOC 2/HITRUST CSF mapping mentioned above.
  • Reporting options available to a service organization that has adopted the HITRUST CSF as its security framework.
  • The benefits of a combined SOC 2 and HITRUST CSF certification report.

If you would like to attend the Leveraging the HITRUST CSF for SOC 2 Reporting Webinar, please register via the link to receive your confirmation and login information.

Also, click the link to access the AICPA guidance for performing and issuing SOC 2 reports leveraging the HITRUST CSF.

If you have additional questions, please contact us at info@hitrustalliance.net