HIPAA & SAS70 Audits | Understanding the Relationship
posted by Charles Denyer

Many people often ask me about SAS70 audits. Many people also often ask me about HIPAA and its security standards. And yes, SAS70 & HIPAA together make great conversation, and for many good reasons.
HIPAA, passed as federal legislation approximately twelve years ago, is a large and expansive piece of federal legislation that few people really understand. In today's regulatory compliance environment, SAS70 audits are commonly performed on health care entities to ensure that they are adhering to the HIPAA guidelines as they pertain to the protection and confidentiality of private consumer health records. How that data is transmitted, protected and kept under lock and key, if you will, is an important component of the HIPAA legislation.
As such, the SAS70 audit, an audit that examines a service organization's internal controls, is commonly performed on those very service organizations that need to adhere to the HIPAA compliance mandates for the protection and confidentiality of private consumer health care records.
So, yes, there is a strong relationship between HIPAA & SAS70, and it will only continue to get stronger as health care records rely more on technology initiatives for processing, securing, and protecting medical data. These very technology initiatives should be protected with strong internal controls and effective safeguarding procedures, and this is where SAS70 continues to play a key role as the dominant internal control audit used in today's regulatory compliance environment.