As healthcare organizations face an increased risk of privacy and security breaches, recognizing the significant role played by their business associates (BAs) is critical.

Rigorous due diligence is part of the risk analysis conducted by covered entities (CEs) to ensure partners have HIPAA-compliant policies in place to safeguard the privacy and security of protected health information (PHI).

In recent years, many provider organizations have incorporated the HITRUST and SOC 2 frameworks into their third-party assurance process. The focus on breach notification protocols is largely a result of the increased number of breaches involving third-party vendors.

SOC 2 is an attestation report that has long been regarded as the standard for service providers outside of healthcare. SOC 2 provides a third-party assessment aligned with HIPAA and HITRUST service trust principles—security, availability, processing integrity, confidentiality and privacy of the systems and controls in place. The report criteria provide a means to measure the effectiveness of those controls against a standard. SOC 2 has evolved and continues to mature as a solid foundation for CEs to evaluate their BA management programs.