Statement on Auditing Standards No.

70
RESOURCE GUIDE
1-800-277-5415

SAS 70 and HIPAA Security Standards

Securing Information is a Requirement
It has been more than a decade since HIPAA was rolled out by the United States
Government for the purposes of establishing national standards for health care transactions
along with ensuring the privacy and protection of valuable health care information, such as
patient records and other related health information. Unfortunately, HIPAA has been a
complex law, causing uncertainty as to compliance and even greater unfamiliarity with
specific provisions and guidelines that need to be adhered to. Of the many concerns voiced
in the ever-expanding health care industry, the following questions have warranted a more
thorough understanding of HIPAA, such as:

Recent historical events such as the 9/11 terrorist attacks, followed by hurricanes Katrina
and Rita have forced health care professionals to revisit their disaster recovery plans.
Though known informally as business resumption, disaster planning, or a number of other
phrases and abbreviations, this type of due-diligence activity should be considered
paramount in today’s ever-changing and volatile world. Fortunately, many organizations
have clearly understood the need to protect their valuable health care information and other
related data. Unfortunately, just as many organizations have ignored these calls for safety
and have looked upon HIPAA as nothing more than another legislative compliance mantra
pushed down by Congress. What’s worse, HIPAA guidelines were written in such a way that
interpretation of the law was difficult along with overall enforcement being lax. Here’s what
you need to know for ensuring compliance for HIPAA as it relates to organizations such as
health plans, health clearinghouses, and certain health care providers.

"Each entity needs to determine its own risk in the event of an emergency that would result
in a loss of operations. A contingency plan may involve highly complex processes in one
processing site, or simple manual processes in another. The contents of any given
contingency plan will depend upon the nature and configuration of the entity devising it." (1)
The Department of Health and Human Services, 45 CFR Parts 160, 162, and 164, Health Insurance
(1)

Reform: Security Standards; Final Rule and Mike Talon of Tech Republic.

Note: A copy of the final rule regarding HIPAA security standards can be obtained by visiting the
following link: http://www.cms.hhs.gov/SecurityStandard/Downloads/securityfinalrule.pdf

Without question, one can see how interpretation of the above phrase is directly left up to
the health care professional, void of any specific requirements from the law itself. With that
said, listed below are key items you should be concerned with for ensuring HIPAA
compliance for disaster recovery planning:

• Conduct a formal analysis of your organization’s risks and how your organization as a
whole can continue in the event of a major business interruption.
• Create a formal disaster recovery planning policy and document. These documents
can be developed internally with the aid of dozens of templates and white papers
available on the internet.

http://www.sas70.us.com Provided by NDB, LLP

 Statement on Auditing Standards No. 70
RESOURCE GUIDE
1-800-277-5415
• Create an atmosphere of awareness within your organization concerning disaster
recovery and its implications if a major business interruption event occurred.

More than anything, because the HIPAA requirements for disaster recovery are vague, it's
up to your organization to use your best judgment as to what suffices for HIPAA compliance
and for overall good business practice. Talk to your I.T. experts, confirm with management,
and implement a sound, workable, and feasible plan.

SAS 70 and its Impact on HIPAA

When you look at the standards set forth in The Department of Health and Human Services,
45 CFR Parts 160, 162, and 164, Health Insurance Reform: Security Standards; Final Rule,
one can see many items that are also commonly tested for when conducting a SAS 70 Type
II audit. Though differences exist in formality as to what they may be labeled or called by
SAS 70 auditors and the Final Rule itself, similarities can be seen in a number of areas
pertaining to Information Technology. Listed below is a sample of DHHS standards that can
align with control objectives developed for a SAS 70 audit by a competent auditor.

Department of HHS Security Standards

• Security Management Process

• Information Access Management
• Transmission Security

SAS 70 Audit Control Objectives

• Five Elements of Internal Control

• Logical Security
• Network Security

Though by no means are the Department of HHS Security Standards and SAS 70 Audit
Control Objectives a perfect match, a one-for-one. However, the SAS 70 audit can be
utilized for helping achieve HIPAA compliance relating to information security standards.
What’s more, the SAS 70 audit can cover additional requirements as set forth by HIPAA if
these specific requirements are clearly addressed in the scope of the audit and
communicated in an effective manner to the auditors themselves.

http://www.sas70.us.com Provided by NDB, LLP