How risk3sixty Uses SOC 2 to Demonstrate HIPAA Compliance


The AICPA's SOC 2 framework is used by a service auditor to express an opinion on controls over security, privacy, availability, confidentiality, and processing integrity (the Trust Services Criteria) for a defined system, organization, or environment.

In addition to improving your organization's security posture, a SOC 2 report is a useful sales tool: it gives your customers independent evidence that your security, privacy, and related controls are designed appropriately and operating effectively.

Similarly, the Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that sets standards for the parts of an organization that create, receive, maintain, or transmit protected health information (PHI). Often, the systems, business units, and environments in scope for a SOC 2 are the same places where PHI is handled.

Combining both frameworks will save your team time, money, and resources.

How does HIPAA relate to SOC 2?

HIPAA's requirements are set out in three rules:

  • Security Rule
  • Privacy Rule
  • Breach Notification Rule

You would be right to expect these two frameworks to overlap.

The overlap is natural: both are concerned with protecting a defined class of data, and many of the same foundational controls (access control, risk assessment, logging and monitoring, incident response, vendor management) satisfy requirements in each. In the case of HIPAA, the data being protected is PHI.

If I have a SOC 2, does that mean I can achieve HIPAA compliance?

It depends! If the systems, business units, and other components where PHI is maintained fall under the same umbrella as those in scope for SOC 2, then HIPAA compliance may be achievable with minimal additional effort.

Because the requirements of SOC 2 and HIPAA overlap so heavily, the additional work needed to combine a SOC 2 report and a HIPAA opinion is often minimal. Speak to an expert at risk3sixty for help scoping the effort.

At risk3sixty, we have built a SOC 2-to-HIPAA control mapping within Phalanx to streamline this work. Our team will scope your controls across the organization so that a single control set meets both the SOC 2 criteria and the HIPAA rules.

What does this mean for me?

It means that if you are seeking both a SOC 2 report and a HIPAA opinion, our team of SOC 2 and HIPAA experts combines the two workstreams so that they feel like a single engagement.

As a result, risk3sixty publishes one report that includes an opinion on the SOC 2 controls for the system in scope as well as an opinion on HIPAA compliance. Note that HHS does not itself certify HIPAA compliance; an independent assessor's opinion is the usual way to evidence it to customers and partners.
