SERVICES --- HIPAA

A HIPAA compliance audit report is an independent auditor’s report on internal controls placed in operation at an entity, typically a HIPAA “business associate,” seeking to demonstrate compliance with the Health Insurance Portability and Accountability Act (HIPAA). Like a SOC report, a HIPAA compliance audit report can cover a point in time (a “Type I” report) or a period of time (a “Type II” report).

For a HIPAA business associate, the purpose of a HIPAA compliance audit report is to provide assurance to their customers and prospects that they are compliant with the security, breach notification, and/or privacy requirements of HIPAA. For a HIPAA covered entity, the purpose of a HIPAA compliance assessment report is to provide assurance to internal stakeholders regarding the organization’s compliance with the security, breach notification, and/or privacy requirements of HIPAA. The scope of a HIPAA compliance report may include one or more of the following:

  • HIPAA Security Rule -- Confidentiality, integrity and availability of ePHI.
  • HIPAA Breach Notification Rule -- Notifications in the event of an unauthorized disclosure of PHI.
  • HIPAA Privacy Rule -- Permitted uses and disclosures of PHI, among other requirements.

HIPAA compliance audit reports, unlike assessment reports, must conform to the requirements of certain AICPA attestation standards and interpretations. Such guidance is provided in Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification, which includes AT-C Section 315, Compliance Attestation (AICPA, Professional Standards). AT-C Section 315 also incorporates by reference AT-C Section 105, Concepts Common to All Attestation Engagements, and AT-C Section 205, Examination Engagements.
The controls addressed by engagements under AT-C Section 315 and its interpretations are those that an entity implements to comply with the requirements of specified laws, regulations, rules, contracts, or grants. In practice, most HIPAA compliance engagements cover the HIPAA Security and Breach Notification rules. The Privacy rule is included in scope when a service organization interacts directly with patients.
You may provide a HIPAA compliance audit report to your current and prospective customers. A HIPAA compliance assessment report should not be distributed outside your organization.

Copyright © 2017 by Kerry L. Shackelford CPA LLC