How SOC2 Compliance easily achieves HIPAA & HITRUST

By Narendra Sahoo

Today, we are witnessing an increase in the transition of physical data to digital format. This has pushed the need to implement strict security practices to protect data from theft or breach. As personal information becomes more valuable, the frequency and severity of security breaches have only increased over the years. To address these growing data security issues, a number of regulatory and compliance requirements have been established across industries for businesses to comply with. However, with so many compliance regimes established, businesses are often left confused about which compliance commitment is right for their organization to pursue. Among the many, some well-known data protection regimes include HIPAA, GDPR, CCPA, PCI DSS, etc., all designed to protect the data and privacy of consumers.

While most of these industry standards and approaches have evolved to protect data better, their variety and complexity can leave you struggling to know where to begin. While most have specific and unique requirements, all require a basic set of best practices with respect to the privacy and protection of data and services. Having said that, using a well-known standard like SOC2 will help organizations establish a solid foundation for information security. Implementing SOC2 will also help your organization keep up with the evolving demands of compliance. In this article we highlight how SOC2 compliance makes the process of achieving HIPAA compliance easier.

Understanding SOC2 & HIPAA Compliance

SOC2 and HIPAA compliance are two different sets of standard requirements that overlap on many fronts. There is an increasing trend among organizations of using the SOC2 framework and its supporting Trust Services Principles to simplify the process of achieving HIPAA compliance. Organizations that seek to become compliant with the evolving HIPAA standards, particularly the HIPAA Security and Privacy Rules, may find the process much simpler if they have achieved SOC2 attestation. Before looking at how the process becomes simpler, let us start with the basics of what SOC2 and HIPAA compliance are.

What is SOC2 Attestation?

SOC2 is an audit procedure that ensures organizations are securely managing customer data, protecting the interests and privacy of their clients. For security-conscious businesses, SOC2 compliance is a minimum requirement and a basic foundation for achieving other regulatory compliance.

What is HIPAA Compliance?

HIPAA is a federal regulatory act that requires covered entities and their business associates to protect the integrity and privacy of customers' Protected Health Information (PHI). It requires these entities to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.

Establishing the Foundation with SOC2

Achieving compliance with HIPAA and SOC2 shows how serious an organization is about securing the privacy of consumer data. Today, organizations are keen to demonstrate their commitment to implementing stringent security controls, to prove their seriousness about information security and data privacy. For this very purpose, SOC2 forms the foundation for achieving most compliance and regulatory requirements pertaining to data protection. SOC2 can present organizations with significant advantages by demonstrating the effectiveness of the design and operation of an organization's internal controls. SOC2 defines a set of criteria for managing customer data based on five "trust service principles": security, availability, processing integrity, confidentiality, and privacy.

SOC2 Trust Service Principles

1. Security: The system should be protected against unauthorized access, use, or modification;

2. Availability: The system should be available for operation and use as committed or agreed;

3. Processing Integrity: System processing should be complete, valid, accurate, timely, and authorized;

4. Confidentiality: Information designated as confidential should be protected as committed or agreed;

5. Privacy: The collection, use, retention, disclosure, and disposal of personal information should be as per the commitments in the service organization's privacy notice and the criteria outlined in the Generally Accepted Privacy Principles (GAPP) issued by the AICPA.

Defining the Systems in Scope

Determining which TSPs to validate against for achieving compliance with the HIPAA mandates is a major concern for most people. In reality, all five TSPs have a credible connection with HIPAA compliance, but the organization should first define the relevant scope for achieving compliance. That scope is defined in terms of the following system components:

Infrastructure – The physical and hardware components of a system, which include facilities, equipment, and networks.

Software – The programs and operating software of a system, which include applications, system software, and utilities.

People – The personnel involved in the operation and use of a system, which may include developers, operators, users, and managers.

Procedures – The automated and manual procedures involved in the operation of a system.

Data – The information used and supported by a system, which includes transaction streams, files, databases, and tables.

SOC2 and HIPAA Compliance: Requirements that Overlap

While the regulations an organization is expected to follow depend greatly on its industry, customer base, region, and market of operations, there are enough overlapping requirements between the established SOC2 standard and various regulations, including HIPAA, to make SOC2 a good foundation for achieving HIPAA compliance. Given below are the areas where SOC2 and HIPAA compliance requirements overlap. To understand how far SOC2 will get you on HIPAA compliance, we have drawn out a comparison below to illustrate coverage levels on the critical elements.

Security
SOC2 TSP: The system should be protected against unauthorized access, use, or modification.
HIPAA: The Security Rule calls for security of data and protection against unauthorized access or use. The rule requires three categories of safeguards to be in place:
  - Administrative security
  - Physical security
  - Technical security

Availability
SOC2 TSP: The system should be available for operation and use as committed.
HIPAA: The rule requires entities to ensure the availability of all e-PHI they create, receive, maintain, or transmit.

Confidentiality
SOC2 TSP: Information designated as confidential should be protected by all means.
HIPAA: The confidentiality of PHI is given great emphasis. PHI cannot be disclosed to anyone without the consent of the patient.

Processing Integrity
SOC2 TSP: System processing should be complete, valid, accurate, timely, and authorized.
HIPAA: Entities need to cover integrity controls, or have in place measures to confirm that ePHI is not altered or destroyed.

Privacy
SOC2 TSP: The collection, use, retention, disclosure, and disposal of personal information should be as per organization policy and as set out in the GAPP.
HIPAA: The Privacy Rule strikes a balance between protecting PHI and using the information only when it is necessary.

SOC2 and HITRUST CSF Convergence

HITRUST CSF is a security and privacy framework, initially built on ISO 27001, that meets the requirements of multiple regulations and standards. Over time, the CSF evolved to include a significant number of standards, regulations, and business requirements, and now comprises 14 high-level control categories, 46 control objectives, and 149 control specifications. The framework provides a way to comply with standards such as the ISO/IEC 27000 series and HIPAA. SOC2 reports are based on a reporting framework, whereas HITRUST CSF is a security and privacy control framework; even so, there are synergies between the SOC2 TSC categories with their underlying criteria and the HITRUST CSF controls. Pursuing HITRUST certification and SOC2 attestation in tandem improves resource efficiency, since the HITRUST CSF requirements cover many of those examined in a SOC2 attestation.

Simplifying Compliance Efforts

The bottom line is that organizations should select the standard that is best suited to their market and customers. Selecting a standard that also moves your organization closer to meeting other standards is critical. Having said that, a SOC2 Type 2 audit is a broader framework and goes farther than ISO 27001 in measuring the design and operating effectiveness of systems. Since SOC2 compliance covers a broader range of control requirements, it builds a foundation for achieving compliance with other regulations. It simplifies the effort required to achieve and demonstrate compliance with other regulations such as HIPAA and HITRUST CSF. With a SOC2 attestation, your organization will be well positioned to satisfy a range of requirements under other regulatory regimes. However, it is important to note that while SOC2 makes compliance efforts easier, it is not a substitute for a HIPAA audit. HIPAA requires specific policies, personnel training, and breach remediation processes that are not covered by a SOC2 audit. So, do not misinterpret SOC2 compliance as a substitute for a HIPAA or HITRUST audit.

Author Bio

Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, CRISC) is the Founder and Director of VISTA InfoSec, a foremost Company in the Infosec Industry.
