These include security, availability, processing integrity, confidentiality, and privacy. The processing integrity principle, for example, addresses whether or not a system achieves its stated purpose (i.e., delivers the right data at the right price at the right time). Processing integrity consists of measures to ensure data processing is complete, valid, accurate, timely, and authorized. The requirements for SOC 2 HIPAA compliance are discussed below.
SOC 2 HIPAA Compliance: What are the Differences Between SOC 2 and HIPAA?
SOC 2 HIPAA compliance consists of being compliant with both the SOC 2 standard and the HIPAA regulations. It requires that an organization be certified as SOC 2 compliant and that the organization has made a good-faith effort to achieve compliance with the HIPAA Security Rule, the HIPAA Privacy Rule, and the HIPAA Breach Notification Rule.
Some SOC 2 facts:
- SOC 2 was introduced in 2010.
- SOC 2 was introduced with the explicit purpose of addressing the need of companies to externally validate and communicate their state of security.
- SOC 2 is an optional compliance framework.
- SOC 2 applies to customer data. “Customer data” is a broad category of information that includes personal information, financial information, and other information tied to specific individuals.
- SOC 2 certification is given by an outside auditor. Using the SOC 2 standard, this auditor determines whether your organization ensures that its service providers are securely managing your data.
- At the end of the auditing process, the SOC 2 auditor issues a SOC 2 report. This report provides detailed information about a service organization’s security, availability, processing integrity, confidentiality, and/or privacy controls, based on its compliance with the AICPA’s TSC (Trust Services Criteria). The TSC include security measures such as encryption, access controls, two-factor authentication, and firewalls.
- Organizations that are security-conscious prefer to work with SaaS providers that are SOC 2 compliant.