Service Organization Control 2 (SOC 2)
Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
These reports are intended to meet the needs of a broad range of users who need detailed information and assurance about the controls at Solver relevant to the security, availability, and processing integrity of the systems Solver uses to process users' data, and to the confidentiality and privacy of the information those systems process. These reports can play an important role in:
- Oversight of Solver
- Vendor management programs
- Internal corporate governance and risk management processes
- Regulatory oversight
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is a US healthcare law that establishes requirements for the use, disclosure, and safeguarding of individually identifiable health information. It applies to covered entities — doctors' offices, hospitals, health insurers, and other healthcare companies — that hold patients' protected health information (PHI), and to business associates, such as cloud service providers (in this case, Solver) and IT providers, that create, receive, maintain, or transmit PHI on a covered entity's behalf. (Most covered entities do not carry out functions such as claims or data processing on their own; they rely on business associates to do so.)
The law regulates the use and dissemination of PHI in four general areas:
- Privacy, which covers patient confidentiality.
- Security, which deals with the protection of information, including physical, technological, and administrative safeguards.
- Identifiers, the categories of personal information (names, dates, contact details, account and device numbers, and similar) that must be removed before health data counts as de-identified and can be released, for example for research.
- Transaction and code set standards for the electronic exchange of healthcare data, including eligibility checks and insurance claims and payments.
The scope of HIPAA was extended with the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Together, HIPAA and HITECH Act rules include:
- The HIPAA Privacy Rule, which focuses on the right of individuals to control the use of their personal information, and covers the confidentiality of PHI, limiting its use and disclosure.
- The HIPAA Security Rule, which sets the standards for administrative, technical, and physical safeguards to protect electronic PHI from unauthorized access, use, and disclosure. It also includes such organizational requirements as Business Associate Agreements (BAAs).
- The HITECH Breach Notification Final Rule, which requires notifying affected individuals and the government (and, for larger breaches, the media) when a breach of unsecured PHI occurs.
Solver and HIPAA and the HITECH Act
HIPAA regulations require that covered entities and their business associates — in this case, Solver when it provides services, including cloud services, to covered entities — enter into contracts to ensure that those business associates will adequately protect PHI. These contracts, or BAAs, define and limit how the business associate may handle PHI, and set out each party's obligations under the security and privacy provisions of HIPAA and the HITECH Act. Once a BAA is in place, Solver customers that are covered entities can use its services to process and store PHI. The BAA does not transfer the covered entity's own obligations: the customer remains responsible for how it configures and uses the service, for its own access controls, and for keeping PHI within the services the BAA actually covers.
Currently there is no official certification for HIPAA or HITECH Act compliance. However, those Solver services covered under the BAA have undergone audits conducted by accredited independent auditors.