What is SOC 2 in Healthcare?
SOC 2 in healthcare is a privacy and security attestation framework that can provide assurances to the C-Suite, to business partners, and to regulators that an organization has designed appropriate controls to protect data at a point in time (SOC 2 Type 1) and that those controls operated effectively over a review period (SOC 2 Type 2). SOC 2 compliance in healthcare is voluntary, but the benefits of being SOC 2 “ready” can be significant.
What is SOC 2?
SOC 2 stands for System and Organization Controls 2 – one of five AICPA reporting frameworks (alongside SOC 1, SOC 3, SOC for Cybersecurity, and SOC for Supply Chain) that organizations can use to assess whether their privacy, security, and/or administrative processes are adequate to ensure the confidentiality, integrity, and availability of data. In healthcare, SOC 2 is the most relevant of the five because the SOC 2 Trust Services Criteria closely align with the requirements of HIPAA.
Healthcare organizations that have implemented policies and procedures to comply with HIPAA should have little difficulty in preparing for an SOC 2 examination and obtaining a clean (unqualified) SOC 2 report. The report can then be used to demonstrate that the appropriate controls are in place to protect the privacy and security of healthcare data (Type 1) and that they are operating effectively (Type 2).
The SOC 2 Process
The SOC 2 process consists of determining what “Trust Services Criteria”, what “Control Components”, and what “Points of Focus” within each Control Component apply to your organization. These can then be compiled into an SOC 2 compliance checklist which can be used to assess “point-in-time” compliance or “ongoing” compliance with the relevant controls.
Once the assessment is complete, management prepares a written assertion that the organization’s controls meet the selected criteria. To have that assertion independently verified, you engage a licensed, independent CPA firm to perform an SOC 2 examination under the AICPA’s attestation standards; the AICPA itself does not commission or certify individual audit firms. A Type 1 report covers control design as of a single date, so fieldwork is short; a Type 2 report covers control operation over a review period that is typically between three and twelve months, so the engagement takes correspondingly longer.
The SOC 2 Controls
The SOC 2 controls consist of five Trust Services Criteria, within which there can be multiple Control Components and Points of Focus that can be relevant to an organization’s operations. The Security criteria (the “common criteria”) underpin the other four, and organizations select which additional Criteria, Components, and Points of Focus to include, so there is considerable overlapping of Points of Focus between the five Trust Services Criteria.
Security
Of the five Trust Services Criteria, this is the only one required in an SOC 2 assessment. Its objective is to demonstrate that an organization’s systems and the data stored on them are protected against damage to systems, unauthorized access, and unauthorized disclosure. Within the Security Trust Services Criteria there are nine Control Components (the Common Criteria, CC1 to CC9), each with multiple Points of Focus.
- CC1: Control Environment
- CC2: Communication and Information
- CC3: Risk Assessment
- CC4: Monitoring Activities
- CC5: Control Activities
- CC6: Logical and Physical Access Controls
- CC7: System Operations
- CC8: Change Management
- CC9: Risk Mitigation
Points of Focus are illustrative considerations that help management and the auditor judge whether a criterion is met; they are not themselves mandatory requirements, and a single control can address several of them. Good practice nonetheless is to support each relevant Point of Focus with more than one control activity so that if one control fails, the criterion is still supported by another. For example, a logical access control supported by two control activities would be a username and password combination backed by two-factor authentication, so that a compromised password alone does not grant access.
Availability
For organizations pursuing SOC 2 in healthcare, compliance with the Availability Trust Services Criteria requires little more than compliance with the contingency planning standard of the Security Rule’s Administrative Safeguards (§164.308(a)(7)) relating to data backups, environmental controls to safeguard physical backups, data recovery controls, and ensuring that systems have the capacity to manage demand.
Confidentiality
The objective of the Confidentiality Trust Services Criteria is to ensure that PHI maintained in healthcare systems is protected. Omitting overlapping and duplicated Points of Focus, the four most relevant to healthcare organizations relate to data classification and retention, the protection of sensitive information, the encryption of data, and the disposal of data.
Processing Integrity
This Trust Services Criteria requires that data processing is complete, valid, accurate, timely, and authorized. That requirement aligns with HIPAA’s Technical Safeguards for the integrity of ePHI (§164.312(c)), so it is worth reviewing even if it is not included in the report.
Privacy
The Privacy Control Components and Points of Focus closely align with HIPAA Privacy Rule standards relating to privacy policies, privacy management, and breach notification. It is not necessary for organizations to comply with the Privacy Trust Services Criteria to achieve SOC 2 in healthcare, but it would be unusual for it to be omitted from the point of view of a business partner or a regulator.
SOC 2 and HIPAA
From the examples provided above, it is easy to see a close relationship between SOC 2 and HIPAA security standards. However, when you review the Control Components and Points of Focus of the privacy Trust Services Criteria, there is an equally close relationship between SOC 2 and HIPAA privacy standards – particularly in the Privacy Management Framework Control Component.
In the context of SOC 2 in healthcare, the contents of the Privacy Management Framework include (but are not limited to):
- Policies and procedures for the creation, collection, use and transmission of PHI.
- Risk analyses for identifying, classifying, and prioritizing vulnerabilities and risks to PHI.
- Procedures to obtain individuals’ authorizations for uses and disclosures when necessary.
- Procedures to prevent, detect, and mitigate the consequences of data breaches.
- Procedures to notify individuals and the relevant authorities in the event of a data breach.
- The provision of a Notice of Privacy Practices and procedures to notify individuals of changes.
- Procedures for responding to access requests and requests for copies of PHI.
- Procedures for amending PHI when requested and informing third parties when necessary.
- Procedures for maintaining and providing on request an accounting of disclosures.
- Procedures for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from individuals.
The Benefits of SOC 2 in Healthcare
The benefits of SOC 2 in healthcare vary depending on what an organization is trying to achieve by going through the SOC 2 process. For example, a business associate may need to prove it has measures in place to protect the privacy and security of PHI before entering into a Business Associate Agreement with a covered entity. In such cases, it may only be necessary for the business associate to demonstrate SOC 2 Type 1 compliance.
Alternatively, a healthcare organization may wish to demonstrate that it complies with SOC 2 Type 2 to qualify for reduced cyber insurance premiums, or it may pursue an SOC 2 in healthcare audit report to demonstrate compliance with a recognized security framework. Being able to demonstrate at least one year’s compliance with a recognized security framework could help mitigate regulatory penalties for violations of HIPAA.
Even if no direct motive exists for pursuing SOC 2 in healthcare, the process of determining what Trust Services Criteria, Control Components, and Points of Focus apply can help organizations identify and address potential privacy and security risks to improve their compliance posture. It is important to be aware that an SOC 2 audit does not produce a pass or fail grade. The auditor compiling the SOC 2 audit report issues an opinion: an unqualified opinion if the controls were suitably designed (and, for Type 2, operated effectively), or a qualified or adverse opinion if the exceptions found were significant enough to affect that conclusion.
SOC 2 Certification vs. SOC 2 “Ready”
Because organizations can select which Trust Services Criteria, Control Components, and Points of Focus they wish to include in an SOC 2 attestation, there is no such thing as an SOC 2 certification. The term “certification” usually refers to an SOC 2 audit report which – as discussed above – is an auditor’s opinion rather than a pass or fail. A more appropriate term to use is SOC 2 “ready” which, in the context of SOC 2 in healthcare, means being ready for an SOC 2 audit.
Being SOC 2 ready is the ideal state for a healthcare organization to aim for and maintain because, even if the organization does not undergo an SOC 2 audit, it indicates that the controls HIPAA requires are in place, although SOC 2 readiness is not in itself evidence of HIPAA compliance. If your organization requires help with identifying which Trust Services Criteria, Control Components, and Points of Focus apply, or requires advice about how to become SOC 2 ready, it is recommended you speak with an SOC 2 compliance professional.
The post What is SOC 2 in Healthcare? appeared first on HIPAA Journal.
How Often is OSHA Bloodborne Pathogens Training Required?
OSHA bloodborne pathogens training is required prior to an employee being assigned a task in which there may be occupational exposure to blood or another potentially infectious material. Thereafter, training is required at least annually and whenever there is a material change that affects the employee’s potential exposure.
Like many standards in Subpart Z of the OSHA standards (Toxic and Hazardous Substances), the OSHA bloodborne pathogens standard is extremely comprehensive. The standard (§1910.1030) covers the exposure control plan, engineering and work practice controls, personal protective equipment, hepatitis B vaccination, post-exposure evaluation and follow-up, hazard communication (labels and training), and recordkeeping, all aimed at mitigating the threat of an employee acquiring an infection from contact with blood, other bodily fluids (including saliva in dental procedures), human tissues, or contaminated medical equipment.
How to Comply with the Bloodborne Pathogens Standard
To comply with the bloodborne pathogens standard, employers must compile a list of all job classifications in which some or all employees potentially have occupational exposure to bloodborne pathogens. They must also list all tasks and procedures in those job classifications, and develop engineering controls and work practices to eliminate or mitigate employee exposure.
The engineering controls should include hand washing/skin flushing facilities, sharps disposal containers, and safer medical devices; where engineering and work practice controls do not eliminate exposure, employers must also provide personal protective equipment (e.g., gloves, gowns, and eye protection). The standard also requires employers to prohibit eating, drinking, smoking, applying cosmetics or lip balm, and handling contact lenses in work areas where there is a likelihood of occupational exposure.
Further requirements of the bloodborne pathogens standard include repairing or replacing damaged equipment, washing or disposing of personal protective equipment, and housekeeping controls to ensure spills, splashes, and spattering of hazardous substances are immediately contained and cleaned up by members of the workforce who have received OSHA bloodborne pathogen training.
What does OSHA Bloodborne Pathogens Training Consist Of?
OSHA bloodborne pathogens training consists of training members of the workforce on the epidemiology and symptoms of bloodborne diseases and how they are transmitted from patient to provider. Thereafter, training must include information about the engineering controls and work practices developed by the employer to comply with OSHA. For example, how to:
- Perform tasks and procedures safely
- Isolate or remove potential hazards
- Use sharps disposal containers
- Use cleaning and disinfecting equipment
- Correctly apply gloves, masks, and eye protection
- Properly wash off or flush contact with fluids
- Safely handle and dispose of contaminated sharps and regulated waste
- Report a spill, splash, or spatter
- Clean a spill, splash, or spatter.
There may be additional training requirements depending on the manner in which members of the workforce are exposed to infectious materials. For example, if a task includes patient handling, safe patient handling and ergonomics training should be provided to mitigate the risks of musculoskeletal disorders and other physical injuries; although no specific OSHA standard mandates it, OSHA can cite employers under the General Duty Clause for recognized ergonomic hazards that are not addressed.
How Often is OSHA Bloodborne Pathogens Training Required?
OSHA bloodborne pathogens training is required prior to an employee being assigned a task in which there may be occupational exposure to blood or another potentially infectious material. Subject to OSHA-approved State Plans with more stringent requirements, refresher training is required at least annually or whenever there is a material change that affects employees’ potential exposure.
With regards to material changes, OSHA bloodborne pathogens training must be provided even if the procedure for carrying out a task is modified or if the way a hazard is labeled or coded is amended. Training must also be provided when a member of the workforce progresses from (for example) handling non-infectious human pathogens to handling infectious human pathogens.
With regards to the provision of OSHA bloodborne pathogens training when training of a similar nature has already been provided, it is important to note OSHA has stated employees must receive OSHA bloodborne pathogens training regardless of prior education or training, but the standard allows employers to tailor training to each employee’s background and responsibilities.
If after reviewing the standard, you have questions about OSHA bloodborne pathogen training or how often it is required, you should seek professional compliance advice.
The post How Often is OSHA Bloodborne Pathogens Training Required? appeared first on HIPAA Journal.