SOC 2 HIPAA Compliance for Corporate and Healthcare Clients

SOC 2 HIPAA Compliance

System and Organization Controls 2, or SOC 2, is a voluntary compliance standard. Voluntary compliance standards are issued by private organizations rather than by governments; SOC 2 was developed by the American Institute of CPAs (AICPA). The SOC 2 standard specifies how a service organization should manage customer data, grouping the requirements into five “trust services” categories.

These include security, availability, processing integrity, confidentiality, and privacy. The processing integrity principle, for example, addresses whether or not a system achieves its stated purpose (i.e., delivers the right data at the right price at the right time). Processing integrity consists of measures to ensure data processing is complete, valid, accurate, timely, and authorized. The requirements for SOC 2 HIPAA compliance are discussed below.

SOC 2 HIPAA Compliance: What are the Differences Between SOC 2 and HIPAA?

SOC 2 HIPAA compliance consists of being compliant with both the SOC 2 standard and the HIPAA regulations. It requires that an organization has obtained a SOC 2 attestation report from an independent auditor (SOC 2 is an attestation, not a certification, a distinction discussed further below), and that the organization has made a good-faith effort to achieve compliance with the HIPAA Security Rule, the HIPAA Privacy Rule, and the HIPAA Breach Notification Rule.

Some SOC 2 facts:

  • SOC 2 was introduced in 2010.
  • SOC 2 was introduced with the explicit purpose of addressing the need of companies to externally validate and communicate their state of security.
  • SOC 2 is an optional compliance framework.
  • SOC 2 applies to customer data. “Customer data” is a broad category of information that includes personal information, financial information, and other information tied to specific individuals. 
  • A SOC 2 report is issued by an independent outside auditor (a licensed CPA firm). Using the SOC 2 standard, the auditor determines whether the service organization’s controls are suitably designed to protect the customer data it handles (a Type 1 report, as of a point in time) and, for a Type 2 report, whether those controls also operated effectively over a review period, typically six to twelve months.
  • At the end of the audit, the auditor issues the SOC 2 report. This report provides detailed information about the service organization’s security, availability, processing integrity, confidentiality, and/or privacy controls, evaluated against the AICPA’s Trust Services Criteria (TSC). The TSC define control objectives rather than prescribing specific technologies; the organization selects the controls that meet them, commonly including encryption, access controls, two-factor authentication, and firewalls.
  • Organizations that are security-conscious prefer to work with SaaS providers that are SOC 2 compliant.

The purpose and scope of SOC 2 significantly differs from that of HIPAA.

Some HIPAA facts:

  • HIPAA was introduced in 1996.
  • HIPAA was introduced in part to provide protection for the privacy and security of patient health information.
  • HIPAA is a federal law, and the regulations issued under it are legally binding. Covered entities, whether they are healthcare providers, health plans, or healthcare clearinghouses, must comply with HIPAA. Business associates must also comply with HIPAA.
  • HIPAA applies to a narrower set of information than “customer data.” HIPAA applies to protected health information (PHI), which is individually identifiable health information held or transmitted by a HIPAA covered entity or its business associates. HIPAA also applies to electronic protected health information (ePHI), which is PHI created, received, maintained, or transmitted in electronic form.
  • The government does not recognize the concept of “HIPAA certification.” Third-party subject matter experts can assist organizations with developing the measures those organizations need to be HIPAA compliant. However, organizations may not represent themselves as being “HIPAA certified” or having earned “HIPAA certification.” The federal government alone has