Feb 13, 2024

Maximizing Efficiency: Save Resources with SOC2+ by Combining SOC 2 and HIPAA Compliance Assessments 

If you are like most organizations that handle healthcare information, you are looking for ways to provide strong privacy and security assurances to your customers and business partners while minimizing cost. One practical way to do this is to use the SOC 2+ provisions to consolidate your SOC 2 and HIPAA compliance assessments into a single engagement, which can substantially reduce the time and money required.

This blog post will provide an overview of SOC 2, SOC 2+, and HIPAA and explain the benefits of using SOC 2+ to perform a combined SOC 2/HIPAA compliance assessment.

What is SOC 2?

SOC 2 (System and Organization Controls) is an attestation framework that describes how service organizations meet their service commitments to customers, including how they securely manage customer data. Developed by the American Institute of CPAs (AICPA), a non-profit professional organization of certified public accountants, SOC 2 defines criteria for managing customer data based on five Trust Services Categories: security, availability, processing integrity, confidentiality, and privacy. Security (the "common criteria") is required in every SOC 2 report; the other four categories are included at the organization's discretion, based on the commitments it makes to customers.

To obtain a SOC 2 report, an organization undergoes an examination by information security specialists working under a licensed CPA firm, and the resulting attestation report must be issued and signed by that firm. Note that SOC 2 is an attestation, not a certification: the report contains the auditor's opinion on the design (Type I) or the design and operating effectiveness over a period of time (Type II) of the organization's controls. Many organizations find that a CPA firm's review and signoff lends added credibility to their SOC 2 report.

What is SOC 2+?

AICPA allows service auditors to examine and report on SOC 2 criteria while at the same time reviewing compliance with HIPAA and other security and privacy frameworks. For these multi-standard reviews, AICPA's SOC 2 Additional Subject Matter (SOC 2+) provisions allow the report to be expanded with additional subject matter and criteria that address areas not covered by SOC 2 but required by the additional standard(s). Controls common to SOC 2 and the additional standard(s) only need to be tested and reported on once, which can be a significant time-saver for both the organization and the auditor.

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a U.S. federal law intended to protect the privacy and security of Protected Health Information (PHI) handled by covered entities (such as health plans and healthcare providers) and their business associates. The specific requirements for safeguarding PHI are defined in the HIPAA Privacy Rule, the HIPAA Security Rule, and the Breach Notification Rule. There is no government-issued HIPAA certification; organizations demonstrate compliance through their own or a third party's assessment of their safeguards against these rules. Being able to show HIPAA compliance is an effective way to demonstrate to your customers and partners that you take privacy and security seriously.

What Are the Benefits of SOC 2+?

By combining the SOC audit review and reporting for SOC 2 and HIPAA, SOC 2+ allows organizations to realize substantial benefits, including:

  • Reduced burden of staff interviews. By identifying and grouping the overlapping requirements and common interview topics across SOC 2 and HIPAA, you can substantially reduce the number and duration of staff interviews.
  • Consolidated testing and assessment. Common testing requirements, test procedures, and documentation can be grouped to reduce the total work required for testing, documentation, and evidence collection.
  • Synchronized controls and documentation. You can synchronize and standardize common controls and documentation across the assessment teams and reports, which makes it easier for your team to manage those controls on an ongoing basis.
  • Streamlined reporting. By preparing a single report that demonstrates compliance with both SOC 2 and HIPAA, you reduce overall reporting cost and effort for your team.
  • Reduced audit fatigue. In addition to improving operational efficiency and reducing costs, your staff will experience significantly less audit fatigue than they would under two separate engagements.

While SOC 2+ allows you to combine SOC 2 assessments with many other security and privacy standards, the approach is particularly efficient for assessing SOC 2 and HIPAA together because there is a very high degree of overlap between the two: most HIPAA Security Rule safeguards (access control, audit logging, risk analysis, incident response, contingency planning) map directly onto SOC 2 common criteria. The few requirements unique to either standard can be covered in a small separate report section.

For example, while SOC 2 has a general requirement that organizations manage vendor and business partner risk, including through contracts, HIPAA specifically requires a Business Associate Agreement (BAA) with each business associate, that is, each third party that creates, receives, maintains, or transmits PHI on your behalf. That HIPAA-specific requirement can be addressed in a separate HIPAA-only report section.

Tevora’s Unified Assessment Program

Tevora has helped many of the world’s leading clients use a unified approach to achieve compliance with multiple security and privacy standards—including SOC 2 and HIPAA—as part of a single, synchronized project. We’ve developed a streamlined and efficient Unified Assessment Program methodology. 

We Can Help

Tevora's experienced consultants can answer any questions you have about SOC 2, SOC 2+, or HIPAA. We would also welcome the opportunity to use our Unified Assessment Program to help you perform a consolidated SOC 2+ assessment covering both SOC 2 and HIPAA. Just give us a call at (833) 292-1609 or email us at sales@tevora.com.