SOC 2 + HIPAA: Combining Two Audits

HIPAA is one of the most frequently demanded subject matters for SOC 2 audits. Learn more about the main peculiarities of the SOC 2 + HIPAA. 

Service organizations that work in the US and deal with customers’ confidential information should know about the importance of the SOC 2 audit report. Many of them have already undergone the SOC 2 audit of the design and effectiveness of controls relevant to the five Trust Service Categories (TSC) – Security, Confidentiality, Processing Integrity, Availability, and/or Privacy. We provided information about these audits in our previous articles: SOC 2: Common Criteria for Controls Evaluation and SOC 2: Specific Criteria For Controls Evaluation. However, not all organizations know that in addition to the controls pertinent to TSC, they can also examine and report on specific subject matters. One of the most frequently demanded subject matters for SOC 2 + examination is the Healthcare Insurance Portability and Accountability Act (HIPAA). This demand arose due to the strict HIPAA requirements as well as the increased amount and severity of cyberattacks on the healthcare industry.

To ensure that your operations meet the demands of the variety of customers you serve in healthcare, consider a SOC 2 + HIPAA audit. The combined audit can help assess the effectiveness of the SOC 2-related controls and HIPAA security requirements at once.

Who Needs HIPAA Compliance?

HIPAA compliance is the cornerstone for organizations working in healthcare. Virtually any business that stores, processes, transmits, or generates Protected Health Information (PHI) must comply with HIPAA. This statute includes covered entities (hospitals, doctor offices, health plans, pharmacies, etc.) and business associates (businesses providing services to covered entities). For the purposes of this article, the high-level goal of HIPAA is to keep patients’ PHI safe and secure.

Who Needs SOC 2 Report?

SOC 2 audit report has become a de-facto standard for the US service providers. Any company that processes or stores customers’ information will benefit from maintaining a SOC 2. The report assures that the service organization adequately protects sensitive data, thereby providing it (service organization) with a competitive advantage. Furthermore, many companies require that their service providers maintain SOC 2 compliance and document this requirement as a contractual obligation.

Where do the HIPAA and SOC 2 Meet?

HIPAA compliance is imperative for those engaged in healthcare. SOC 2, on the other hand, is not a strong obligation, though it gives valuable information about the organization. It helps businesses better understand the performance of their service security controls and allows them to identify potential security issues. Thus, while HIPAA compliance opens the gates to the healthcare industry, SOC 2 audit report helps build stronger relationships with clients. Organizations like Managed Services Providers (MSPs), cloud hosting providers, and Software-as-a-service (SaaS) providers who serve the healthcare industry, will benefit from a security program that enables them to demonstrate implementation of HIPAA-related controls through a SOC 2 + HIPAA audit.

While HIPAA does not specify a single standard by which covered entities or business associates must certify their compliance, the SOC 2 auditing procedure may appear extremely helpful in this regard. As you shape your company’s HIPAA compliance program, you may find that you’re also on the road to satisfying the requirements of SOC 2 certification and vice versa. And since SOC 2 and HIPAA have an overlap in their final reports, it is more efficient to combine the two audits. You can avoid the redundancy of providing the same evidence for separate audits by doing so.  

Where do the SOC 2 and HIPAA Audits Diverge 

Aside from the fact that HIPAA is a governmental regulation and SOC 2 is an audit standard, one of the most obvious differences is that HIPAA requirements extend to a very specific set of data –  PHI and ePHI. SOC 2, on the other hand, is not specific to a particular type of data. The second important distinction entails HIPAA-specific requirements that are not explicitly covered by SOC 2 TSCs. The main requirements include Breach Notification obligations, Business Associate Agreements (BAAs), HIPAA-specific training, and a dedicated role for HIPAA compliance management. 

Breach Notification

First, all covered entities and business associates must provide notifications following any breach of unsecured PHI. The HIPAA Breach Notification Rule provides a procedure on how and when to notify patients, the media, and the Department of Health and Human Services (HHS) regarding the PHI-related data incidents. As the SOC 2 TSPs do not cover this requirement, it must be addressed separately. 

Business Associate Agreements

Second, HIPAA requires covered entities to work with those business associates who assure protection of PHI. As such, HIPAA requires organizations to have written arrangements – Business Associate Agreements (BAAs) – specifying each party’s responsibilities regarding PHI handling. The organization’s compliance with this HIPAA requirement within the SOC 2 + HIPAA audit is usually checked by examining the list of all business associates for the presence of valid BAAs.

HIPAA-Specific Training

Third, all workforce members working with PHI must undergo training on the proper handling of such data. Many HIPAA breaches are happening not because of malicious acts of cybercriminals but due to negligence or inadequate training of authorized data users. Auditors will ensure the company sufficiently trains its workforce members on safe and lawful PHI handling practices. 

Roles for HIPAA Compliance Management

Finally, all covered entities and business associates are required to assign a role responsible for the implementation of HIPAA requirements and for managing ongoing compliance. This includes managing information security responsibilities regarding employees, contractors, third-party users, reporting PHI incidents, etc. In practice, auditees will be required to prove that the organization has assigned a qualified individual with a defined role to manage the HIPAA compliance program.

The above-mentioned requirements, alongside the SOC 2 criteria, are the key elements the auditors will look at during the SOC 2 + HIPAA audit. At the same time, additional requirements may be in scope for group health plans, clearinghouses, and government entities. 

Finalizing the SOC 2+ HIPAA Audit Process

Bundling SOC 2 and HIPAA in one audit means that the final report will look slightly different than it would be with two separate reports. The first point is that the description of systems/services of your SOC 2+ HIPAA  audit report will show how the organization’s controls meet the requirements of both. This description, consequently, will contain more information about the auditee. The second point is that the SOC 2 + HIPAA report will render two opinions – an opinion on whether your controls meet the applicable SOC 2 Trust Services Criteria and on whether your controls meet the requirements of the HIPAA security, privacy, and breach notification rules.

Thus, undergoing the SOC 2 + HIPAA audit is be highly beneficial for service providers. To be aware of the ins and outs of this and other kinds of audit reports and stay updated with the recent security events in the cyberenvironment, keep reading our blog or contact the Planet 9 team. We’ll be happy to assist. 



Phone:  888-437-3646

Related Articles 

SOC 2: Common Criteria for Controls Evaluation 

SOC 2: Specific Criteria for Controls Evaluation 

HIPAA Compliance: Learning from the Others’ Mistakes 

Getting Ready for SOC 2 Audit


Leave a Reply