SOC 2 HIPAA Compliance for Corporate and Healthcare Clients

SOC 2 HIPAA Compliance

System and Organization Controls 2, or SOC 2, is a voluntary compliance standard. Voluntary compliance standards are issued by private organizations rather than by governments. SOC 2 was developed by the American Institute of CPAs (AICPA). The SOC 2 standard specifies how organizations should manage customer data by grouping data management into five “trust service” principles.

These include security, availability, processing integrity, confidentiality, and privacy. The processing integrity principle, for example, addresses whether or not a system achieves its stated purpose (i.e., delivers the right data at the right price at the right time). Processing integrity consists of measures to ensure data processing is complete, valid, accurate, timely, and authorized. The requirements for SOC 2 HIPAA compliance are discussed below.

SOC 2 HIPAA Compliance: What are the Differences Between SOC 2 and HIPAA?

SOC 2 HIPAA compliance consists of being compliant with both the SOC 2 standard and the HIPAA regulations. SOC 2 HIPAA compliance requires that an organization be certified as SOC 2 compliant and that it has made a good-faith effort to achieve compliance with the HIPAA Security Rule, the HIPAA Privacy Rule, and the HIPAA Breach Notification Rule.

Some SOC 2 facts:

  • SOC 2 was introduced in 2010.
  • SOC 2 was introduced with the explicit purpose of addressing the need of companies to externally validate and communicate their state of security.
  • SOC 2 is an optional compliance framework.
  • SOC 2 applies to customer data. “Customer data” is a broad category of information that includes personal information, financial information, and other information tied to specific individuals. 
  • SOC 2 certification is given by an outside auditor. This auditor applies the SOC 2 standard to determine whether your organization ensures that its service providers are securely managing your data.
  • The SOC 2 auditor, at the end of the auditing process, issues a SOC 2 report. This report provides detailed information about a service organization’s security, availability, processing integrity, confidentiality, and/or privacy controls, based on its compliance with the AICPA’s Trust Services Criteria (TSC). The TSC include security measures such as encryption, access controls, two-factor authentication, and firewalls.
  • Organizations that are security-conscious prefer to work with SaaS providers that are SOC 2 compliant.


The purpose and scope of SOC 2 significantly differs from that of HIPAA.

Some HIPAA facts:

  • HIPAA was introduced in 1996.
  • HIPAA was introduced in part to provide protection for the privacy and security of patient health information.
  • HIPAA and its regulations are laws. Covered entities, whether they are healthcare providers, health plans, or healthcare clearinghouses, must comply with HIPAA. Business associates must also comply with HIPAA.
  • HIPAA applies to a narrower set of information than “customer data.” HIPAA applies to protected health information (PHI), which is individually identifiable health information held or transmitted by a HIPAA covered entity. HIPAA also applies to electronic protected health information (ePHI), which is PHI stored or maintained in electronic form.
  • The government does not recognize the concept of “HIPAA certification.” Third-party subject matter experts can assist organizations with developing the measures those organizations need to be HIPAA compliant. However, organizations may not represent themselves as being “HIPAA certified” or as having earned “HIPAA certification.” The federal government alone has the authority to determine whether an organization meets the legal requirements for HIPAA compliance.
  • The federal government has several tools to determine whether an organization is HIPAA compliant. First, the Department of Health and Human Services (HHS) may choose to audit selected covered entities and business associates. HHS has conducted two such audits already. In each instance, dozens of organizations were audited. HHS compiled the results of the audits to determine which areas of HIPAA compliance were deficient. Second, HHS, typically upon receiving a complaint or breach notification data, may investigate an entity to determine whether the entity has violated one or more HIPAA standards.
  • When HHS investigates a covered entity or business associate, HHS may decide to take remedial action. This may consist of entering into a corrective action plan (CAP) with the covered entity or business associate, and/or a resolution agreement, under which the entity pays a specific sum to HHS in lieu of a civil monetary penalty. 
  • Healthcare providers who intend to share PHI with business associates, such as SaaS entities, MSPs, and cloud storage providers, must obtain satisfactory written assurances from these entities, embodied in a business associate agreement, to the effect that the entities will take appropriate measures to safeguard protected health information and electronic protected health information.

SOC 2 HIPAA: Do I Need Both?

Businesses may require that their SaaS providers be SOC 2 certified. SOC 2 certification is not a legal requirement, but it is frequently required as a prerequisite to entering into a SaaS services agreement. In other words, a business may insist that a SaaS provider be SOC 2 certified before doing business with that provider.

An organization can demand SOC 2 HIPAA compliance. This means the organization, as a prerequisite to doing business with a SaaS provider, can require that the SaaS provider be both SOC 2 certified AND HIPAA compliant. The organization can gauge the provider’s existing degree of HIPAA compliance by sending a due diligence questionnaire to the prospective HIPAA compliant SaaS provider. The questionnaire consists of questions designed to assess the SaaS provider’s ability to safeguard the confidentiality, integrity, and availability of PHI and ePHI. If a SaaS provider has produced its SOC 2 certification and has demonstrated its ability to protect the confidentiality, integrity, and availability of PHI, that provider has met SOC 2 HIPAA requirements.