New AICPA and HITRUST Report Will Help CPAs Report on Controls over Protected Health Information

Leverages HITRUST’s Common Security Framework (CSF) for SOC 2® Reporting

December 17, 2015

NEW YORK (Dec. 17, 2015) – The American Institute of CPAs’ (AICPA) collaboration with the Health Information Trust Alliance (HITRUST) has resulted in the development of an illustrative SOC 2® report. The new report will assist CPAs in reporting on the suitability of design and operating effectiveness of controls relevant to meet the applicable trust services criteria and the HITRUST Common Security Framework (CSF) requirements.

SOC 2® reports are intended to meet the needs of a broad range of users that need information and assurance about the controls at a service organization that affect the security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.

The new illustrative report incorporates criteria from the HITRUST CSF. HITRUST, a health information trust alliance, established the CSF for use by organizations that create, access, store or exchange personal health and financial information. This approach enables service organizations to communicate information about the processes and procedures they use to meet the HITRUST CSF requirements in addition to the applicable trust services criteria relevant to security, availability, and confidentiality, increasing transparency and providing information for decision making. “This means healthcare information providers can more easily expand their SOC 2® reports to include controls relevant to a wide array of regulations, standards, best practices and other information protection requirements,” said Susan Coffey, CPA, CGMA, senior vice president for public practice and global alliances for the AICPA.

An AICPA working group also developed practitioner guidance and a mapping between the criteria for the security, availability, and confidentiality principles included in the AICPA’s Trust Services Principles and Criteria and the requirements of HITRUST CSF version 7.

“Together, these new tools will enable practitioners who perform these engagements to streamline testing and reporting on controls based on both sets of criteria,” according to Coffey. “It is an excellent example of how SOC 2® reporting can be adapted and applied for use by a variety of industry groups.”

In July 2014, the AICPA and HITRUST announced their intention to collaborate on the development and publication of a set of recommendations to streamline and simplify the process of leveraging the HITRUST CSF for SOC 2® reporting.