The Health Insurance Portability and Accountability Act (HIPAA) affects far more organizations than just hospitals and doctor’s offices. In recent years, the adoption of electronic health records, coupled with the continuing cloud revolution, has made compliance with key elements of HIPAA a growing and evolving business requirement for many companies and service organizations, not just medical providers.

HIPAA was expanded by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The U.S. Department of Health and Human Services now performs periodic audits of covered entities and business associates to ensure compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

With the expansion of both HIPAA compliance requirements and the range of companies affected, many entities have received requests from stakeholders, particularly their customers in the health care industry, regarding their HIPAA compliance.


There is no requirement under HIPAA/HITECH for a “certification” of compliance. As such, some companies opt to manage compliance internally. This may involve a self-assessment of potential gaps, a compliance structure, and some sort of monitoring function to maintain compliance. While internal programs may enhance compliance, they cannot offer the third-party assurance that many business associates need to satisfy the requirements of their customers.

In addition, managing compliance may require specialized knowledge, skills, objectivity, and bandwidth, which together create a challenging compliance environment. Outsourcing some or all of the compliance function is often seen as the solution. Many companies look to consultants and HIPAA experts to guide them. Often this type of engagement takes the form of a gap analysis, with the deliverable being a letter documenting the noted gaps and a report with recommendations for improvement.


At SSF we adhere to AICPA standards of quality control and independence. Unlike many other independent consultants, we can offer third-party assurance as well as reporting options to fit specific needs. Our HIPAA engagement options and the assurance they provide include:


We perform procedures to evaluate the current state of compliance against a checklist or protocol/standard that identifies consistency with, and/or any gaps against, the requirements. This is usually performed at a specific point in time as opposed to over a period. These engagements are generally performed on a non-attest, or no-assurance, basis, similar to hiring a consultant or third-party expert. The advantage of having a CPA do this work is that it often lays the groundwork for follow-on attestation engagements.

HIPAA Compliance Agreed-Upon Procedures Engagements

This report is issued under AICPA attestation standards and is designed to allow a CPA firm to express an opinion on an organization’s compliance with the requirements of the HIPAA Security, Privacy, and/or Breach Notification Rules. Management may also use our service to perform internal testing; thus, these engagements can also be done on a non-attest basis, which usually includes a report of our procedures without an opinion, together with a detailed listing of our testing results.

SOC 2 engagements and reports adapted for HIPAA

SOC 2 reports allow for reporting on internal controls to a broad range of users who need to understand internal control at a service organization as it relates to security, availability, processing integrity, confidentiality, and privacy. These reports are intended for use by stakeholders (e.g., customers, regulators, business partners, vendors, directors) of the service organization; the engagement provides those stakeholders assurance in the form of a CPA-signed report over management’s description of controls and the operating effectiveness of those controls. A SOC 2 report on Security and Privacy maps closely to the HIPAA Security and Privacy Rules and can be supplemented with incremental criteria to cover gaps as needed for the service organization. A significant advantage of the SOC 2 report is that it is based on the standards of the AICPA and is well understood, with ever-growing acceptance in the marketplace.

SSF’s Risk Assurance Services Group can help you evaluate your needs and determine which HIPAA option is the best choice for your business and customers.


(408) 286-7780

Ready to learn more about how our HIPAA experts can help your business?