Protect Health Data: SOC Controls, HIPAA, and HITRUST Compliance Intersect

Wearables, apps, telehealth, and other digital sources have transformed the care continuum—keeping people more informed and empowered to take control of their own health.

But as that digital health engine becomes more advanced, so does the volume of protected health information (PHI). To cybercriminals, that data is a hot commodity.

Health care and health-adjacent organizations not only need to be aware of the nuances of various frameworks and regulatory requirements such as System and Organization Controls (SOC) examinations, HIPAA, and HITRUST CSF, but they should also understand how to combine efforts to be more efficient with their security and privacy controls.

What Is SOC 2®?

SOC reporting involves an independent examination of an organization’s safeguards.

SOC 1® covers financial reporting, SOC 2 covers managing customer data, and SOC 3® is used for marketing. Vendors providing data security and storage often need to have SOC 2 reports in place.

These incorporate five criteria:

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy

As an optional framework—not a regulation—SOC 2 reporting can be important for multiple purposes, including organization oversight, vendor management programs, internal corporate governance, risk management processes, and regulatory oversight. Some business agreements may require them.

From a SOC 2 report perspective, you can build upon it by adding in controls designed to meet HIPAA and HITRUST requirements.

What Is HIPAA?

HIPAA requires the security and privacy of personal medical information.

While that may have once only been relevant for the health care sector, today’s vast data sprawl expanded HIPAA’s reach to any business associate or entity that transmits PHI.

There are three types of HIPAA safeguards applicable to the security rule:

  • Administrative
  • Technical
  • Physical

The following standards additionally apply:

  • Organization
  • Policies and procedures
  • Documentation

Altogether, these safeguards and standards create a regulatory requirement but not a certifiable framework.


HITRUST CSF is a certifiable framework built from multiple other security and compliance frameworks, with roots in the International Organization for Standardization (ISO) 27001, 27002, and National Institute of Standards and Technology (NIST) 800 Series.

As an optional certification, HITRUST CSF demonstrates and implements an organization’s security and compliance with requirements such as HIPAA and other major regulatory factors —and can scale with the organization based on its unique risk profile.

Certification is commonly sought among highly regulated industries including health care organizations, technology companies, payers, and others.

HITRUST certification occasionally goes through iterative improvements, with version 11 requiring certain legacy HITRUST certificate holders to switch to a newer version. HITRUST assessments and certifications can be done on an annual or biennial basis.

What Is the Difference Between HIPAA and HITRUST?

HIPAA is a regulatory mandate required by law. It has no prescriptive controls, only the requirement that organizations comply.

HITRUST, on the other hand, is an optional certifiable framework. It does contain prescriptive controls that together create a roadmap to assess and adjust security and compliance risks.

But there are overlaps between the two. HITRUST started with a focus on demonstrating HIPAA compliance. Over time, the increasing prevalence of ransomware, phishing, and business email compromise among web applications and cloud computing resources pushed boards of directors and audit committees to focus on pursuing certification for more than just HIPAA purposes.

What Is the Advantage of HITRUST Certification?

One of the biggest benefits of HITRUST is that it’s multipurposed.

In a single certification, an organization can show compliance with some of the most important regulatory requirements—not just HIPAA, but also NIST CSF (the standard for cybersecurity frameworks), ISO 27001/27002, General Data Protection Regulation (GDPR), and many others.

HITRUST is also highly scalable and can flex with an organization’s individual compliance needs.

This sets it apart from other frameworks. You can tailor the controls based on industry-specific or other applicable regulatory requirements—scoping in and out various measures within the HITRUST system based on what matters most to you.

What Is the Relationship Between HIPAA, HITRUST, and SOC 2 Reporting?

While all different types of reporting, they can be strategically combined for more efficient use. This can be especially helpful for organizations looking to improve their security investments.

For instance, you might have a business associate agreement that requires SOC 2 reporting and HIPAA compliance. By stacking HITRUST certification atop the SOC 2, you demonstrate HIPAA compliance but can also meet other regulatory compliance needs you may face now or in the future.

Synergizing and consolidating these controls in relationship with one another could help reduce redundancy and help organizations get the most from IT and cybersecurity investments.

We’re Here to Help

For more information about compliance in health care or an adjacent sector, or to discuss IT resources for security and compliance, please contact your Moss Adams professional.

Additional Resources

Contact Us with Questions

Enter security code:
 Security code