HIPAA Security compliance Designing security programs HIPAA Security compliance Designing security programs SOC 2

HIPAA + SOC 2: Why tackling them in unison makes sense

  • copy-link-icon

    Copy URL

  • facebook-icon
  • linkedin-icon

HIPAA and SOC 2 compliance are essential milestones for any business that deals with the storage or transmission of consumers' data and health information. Achieving compliance can seem daunting, but it can be made less so if you tackle them simultaneously.

What is HIPAA?

First, let's talk about what HIPAA is. HIPAA stands for Health Insurance Portability and Accountability Act, and it is a collection of medical privacy regulations for healthcare organizations handling sensitive personal health information (PHI). To implement HIPAA requirements, in 1996, the US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule. The Privacy Rule protects the privacy of individuals' health information and gives patients the rights to access their information and request corrections to it. Additionally, HIPAA's Breach Notification Rule requires companies to notify patients when their PHI is impermissibly used or disclosed (or "breached"). These HIPAA stipulations are governed by the Enforcement Rule, which contains provisions relating to the imposition of monetary penalties for HIPAA violations. In short, the Enforcement Rule makes you liable not only for your business's actions – or inactions – but also for the actions of people working under your direction.

What is SOC 2?

SOC 2 refers to a type of audit developed by the American Institute of CPAs (AICPA) for companies that store customer data in the cloud. The focus of a SOC 2 report and audit is on a service organization's internal controls relevant to the security, availability, processing integrity, confidentiality, and privacy (collectively referred to as the Trust Services Criteria) of customer data. 

SOC 2 can include either a Type 1 or a Type 2 audit. Type 1 is a point-in-time snapshot where an auditor is assessing the design of your organization's controls. A type 2 audit includes an assessment of the effectiveness of the same controls over a longer period, anywhere from 3 to 12 months. A 12-month type 2 audit period is standard. 


Should I pursue both audits at the same time?

Simply put, yes! First, you should know that a SOC 2 report alone is not enough to demonstrate that your company is HIPAA compliant. There is a ton of overlap between the two reports, but the HIPAA Security Rule, Breach Notification Rule, and Privacy Rule require specific controls representing ePHI and PHI that are not covered by a SOC 2. Simultaneously tackling both requirements can save your organization time, money, and resource allocation, and essentially help you avoid unnecessary repetition resulting from the overlapping aspects of the requirements.

In addition, the main driver to attain both HIPAA and SOC 2 compliance is to position your company to market to two types of customer pools. SOC 2 will advance you above many technologies and big enterprise customers. At the same time, HIPAA not only prevents your company from potentially being fined for lack of security and privacy safeguards but will also place you ahead of competitors related to health, including but not limited to insurance companies, healthcare providers, and clearinghouses.

All in all, both provide absolute confidence in your operations and technology. You will have confidence that you are abiding by the law. You will have confidence in your people, processes, and policies. You will gain trust from your customers and prospects (and not to mention an increase in revenue) by sharing your due diligence that supports your services to your customers.

How can Strike Graph help?

In addition to offering assistance in interpreting the SOC 2 and HIPAA standards and regulations, Strike Graph offers a range of package options, right-sized to cover the risks that apply to your business. We not only partner with our customers through an audit, but we offer pre-audit readiness packages to build your security and compliance program for when you are ready for audit. Strike Graph's solutions help demystify the entire audit process, arming you with the tools you need to better understand your company's internal controls, gaps, and associated risks. We provide all the required policies and guide you through the audit processes in a logical, step-by-step fashion, and we'll never abandon you to software – we pair experts with our technology, ensuring you'll always have a partner available to ease any compliance concerns.

Our HIPAA and SOC 2 compliance solutions boast:

  • A thorough gap analysis to set you up for success with both audits
  • Continuous monitoring to alert you to any expiring evidence
  • An all-in-one system to save you time (no more fishing around in multiple applications!)

Keep up to date with Strike Graph.

The security landscape is ever changing. Sign up for our newsletter to make sure you stay abreast of the latest regulations and requirements.