SOC 2+ HIPAA: What You Need to Know
What is SOC 2+ and do you need it? How does it stack up against HIPAA? An expert auditor weighs in on key differences and how to get started.
Whether you’re subject to HIPAA regulations or being asked for a SOC 2 or ISO 27001 report by your customers, compliance can be a complex, lengthy process for any company.
But what happens when you have two or more frameworks you need to prove compliance for—when you need SOC 2 for corporate customers and HIPAA compliance for your healthcare customers? Or ISO 27001 for your EU customers and SOC 2 for the US? The answer is a SOC 2+ report.
What is SOC 2+?
SOC 2+ is an audit that includes both SOC 2 and another framework such as HITRUST or HIPAA. Your auditor will do a SOC 2 audit as usual but will expand their controls to cover that second framework.
Keep in mind that SOC 2+ is not a certification. If you need a certification for a framework like ISO 27001, you’ll need to get that separately from your SOC 2+ audit.
SOC 2+ HIPAA: An Overview
One of the most common pairings with SOC 2 is HIPAA—the Health Insurance Portability and Accountability Act. If you’re in healthcare, you’re likely already familiar with the term: it’s the US regulation that protects patient information.
HIPAA and SOC 2 have some overlapping controls, but adding HIPAA to a SOC 2 audit also adds some new elements to your auditor’s to-do list. Most notably, this includes breach notifications and an expanded attestation report.
The benefit of bundling SOC 2 and HIPAA is that auditing both together will likely be faster than auditing for both separately. The drawback is that two frameworks are obviously going to go a bit slower than just one. You’ll need to provide more evidence to the auditor and the auditor will have more controls to check.
Your SOC 2+ HIPAA Report
If you choose to bundle SOC 2 and HIPAA, your SOC 2 report will look a bit different than it has in the past. Key differences include:
The system/service description and test results portions of your report will now show how the controls meet both SOC 2 and HIPAA. This makes those sections much larger than usual since they have to cover an expanded set of requirements.
The auditor report will now render two opinions instead of one. The first is an opinion on whether your controls meet the applicable SOC 2 Trust Services Criteria; the second is an opinion on whether your controls meet the requirements of the HIPAA security, privacy, and breach notification rules.
An important thing to note here is that it is possible to receive an unqualified audit opinion for SOC 2 but a qualified opinion for HIPAA—or vice versa—since they are two separate frameworks.
Who Needs SOC 2+ HIPAA?
Do you need both SOC 2 and HIPAA? The answer: It depends on who you’re serving.
If your business serves both healthcare and other types of customers, you probably need both. Any healthcare customer is going to require HIPAA compliance, whereas most other customers are very likely to request a SOC 2 report.
Keep in mind that any company that handles protected health information (including companies that process payments for healthcare) is subject to HIPAA, so even if you don’t work directly with hospitals, HIPAA is often relevant. This means healthcare payment providers, dental offices, and therapy providers are also bound by HIPAA rules.
So, what kind of companies probably don’t need both audits? The easiest answer is hospitals. If you are a hospital, you may only need HIPAA. On the other side of the coin, if you never serve healthcare or healthcare-adjacent clients, you may only need SOC 2.
The Differences Between SOC 2 and HIPAA
If you decide to do a SOC 2+ HIPAA report, these are some of the key differences you should expect:
Breach Notifications
SOC 2 has no specific breach notification requirements, but HIPAA sure does. HIPAA’s breach notification rule specifies how and when to notify patients, the media, and the Department of Health and Human Services (HHS). This is a key element your auditor will look at if you add HIPAA to your SOC 2+.
Government Mandate
SOC 2 is an optional compliance framework that many clients ask for. HIPAA, on the other hand, is a government-mandated set of rules for anyone who handles protected health information. It is not optional by any stretch of the imagination.
This means if you handle protected health information and don’t comply with HIPAA, you are in danger of substantial fines and potential legal issues. With SOC 2, the primary danger of noncompliance is losing customers’ trust and ultimately their business.
Data Types
HIPAA’s protections extend to a very specific set of data: protected health information. This is defined as patient data that relates to past, present, or future physical or mental health or healthcare payment. If you touch any of that data, you are obligated to comply with HIPAA.SOC 2, on the other hand, is not specific to a certain type of data.
Get Started With SOC 2+ HIPAA
Have more questions on SOC 2 and HIPAA? Schedule a demo today to see how Drata can help you understand compliance, automate your processes, and collect evidence with no manual work from your team.
