This article explains the nature and purpose of SOC 2 reports, including bridge or gap letters. It also discusses the benefits of conducting SOC 2 audits and the purpose of SOC 2 bridge letters.
What Is a SOC 2 Report?
External auditors generally use SOC reports to assess a healthcare organization’s information security controls. Specifically, it focuses on measures taken to ensure security, availability, processing integrity, confidentiality, and privacy during transitions, such as changes to an organizational structure. Furthermore, this report demonstrates an entity’s commitment to protecting patient information and other sensitive data.
There are three different kinds of SOC letters. The focus here is on SOC 2 letters, which emphasize cybersecurity, particularly the protection of patient data. When healthcare organizations change their structures or operations, the SOC 2 report indicates how well they uphold privacy and security to protect patient information in the process.
Furthermore, there are two types of SOC 2 reports. A SOC 2 Type 1 report assesses an entity’s controls and systems at a specific time, such as at the end of a calendar year. In contrast, SOC 2 Type 2 covers a period, usually six or 12 months.
Medical practices, healthcare organizations, and other companies use SOC 2 reports to show customers, compliance teams, senior leaders, and other stakeholders that they use best practices to secure data. Health organizations must enlist an independent certified public accountant (CPA) to conduct a SOC audit. The CPA must follow standards that the American Institute of Certified Public Accountants (AICPA) sets.
What Is a SOC 2 Bridge Letter?
Also referred to as a gap letter, the SOC 2 bridge letter includes an evaluation during the period between the end of an organization’s last SOC 2 report and the current date. Suppose a hospital completed a SOC 2 report covering August, but the end of its fiscal year is September 30. The organization could use the SOC 2 bridge letter or report to cover the month of September to show that there were no significant changes to their cybersecurity measures or data breaches as the organization was transitioning to a new fiscal year.
Bridge letters typically aren’t intended to cover more than three months. While they should not substitute for a complete and up-to-date SOC 2 report, they can provide additional peace of mind to customers, C-suite leaders, and other stakeholders between audit periods.
A SOC 2 bridge letter typically contains the following:
- The beginning and end dates of the most recent SOC 2 report
- An explanation of any systems or structural changes since the audit, if any
- A statement that there are no known changes that could affect the auditor’s opinion in the latest SOC 2 report, if applicable
- A statement that the bridge letter relates only to the organization and does not apply to any other company or entity
What Are the Benefits of SOC Reporting?
A SOC 2 compliance report does more than appease stakeholders and healthcare decision-makers. It allows a healthcare organization or medical practice to demonstrate how it ensures the security of its information systems, especially when dealing with sensitive patient data. Patients, vendors, regulatory agencies, and other entities want to know that an organization has strong cybersecurity measures and is compliant with the highest healthcare standards.
While beneficial to a healthcare organization’s adherence to data security, SOC 2 reporting can be complex. Contact Compliancy Group today to learn how you can get a SOC 2 readiness assessment, along with other tools and resources to support your compliance efforts.