1. Independent auditor reports for privacy and security audits (i.e., System and Organization Controls (SOC) 2 Type 2, or HITRUST if a SOC 2 Type 2 is unavailable) for the State-Designed HIE, the Chesapeake Regional Information System for our Patients (CRISP), and all CRISP subcontractors (third-party service organizations) to assess the adequacy of business and technology-related controls, policies, and procedures and other safeguards employed by third-party service organizations and any potential risks to protect the confidentiality, integrity, and security of PHI based on industry standards and best practices; 2. Independent auditor reports resulting from assessments relevant to CRISP’s compliance with HIPAA/HITECH and Code of Maryland Regulations (COMAR) 10.25.18, Health Information Exchanges, Privacy and Security of Protected Health Information, and CRISP’s cybersecurity posture for its internal and external environment to gather and examine information on selected networks to ensure the confidentiality, integrity, and availability of all mission critical and confidential information; and 3. The appropriateness and adequacy of corrective actions taken by CRISP and those applicable for CRISP service organizations to address audit findings.
