What is SOC 2 + HITRUST?
Prolific and unique musician MF Doom once said, “I'm always trying to show versatility. I'm juggling, and I'm flipping fire, and I'm chewing gum and rhyming at the same time... on a unicycle, while playing the drums.”
This was a man known for his “supervillain” stage persona, but such a sentiment extends beyond his world of underground hip-hop and into ours of compliance. Despite the benefits of versatility, it’s increasingly difficult for organizations to keep up with multiple audits, often covering the same processes and policies, year after year.
After all, you might not have the necessary resources for internal compliance services, which means that your staff is forced to take on multiple roles for multiple audits throughout the year—and that’s on top of their existing roles within the organization.
Juggling’s great, but wouldn’t it be nice to be able to maybe combine at least the chewing gum and flipping fire into one effort instead of many? We’ve got good news for you—there may be an opportunity, as HITRUST and the American Institute of CPAs (AICPA) took notice of this issue plaguing organizations and sought to alleviate some of these concerns.
SOC 2 + HITRUST was created by streamlining and combining the CSF and SOC audit efforts—a natural combination since HITRUST CSF can fit within SOC 2’s criteria and reporting structure. Though they remain separate reporting efforts, in this article, we’re going to break down how these two frameworks can exist separately yet mesh well together.
After learning the advantages of pursuing such a combined approach, you’ll know if it can help you better juggle multiple obligations.
What is SOC 2?
But before discussing the mutual benefits of the collective effort, let’s set a baseline by briefly exploring each individually.
A SOC 2 examination evaluates your organization’s controls relevant to one or more of the following areas:
- Security
- Data/service availability
- Transaction processing integrity
- Data confidentiality, and/or
- Data privacy.
Of these five different areas, known as the Trust Services Categories, you select which apply to your organization, and your auditor will assess your controls against the criteria in your selected categories.
On their own, SOC 2 reports represent a staple in compliance and can benefit anyone charged with protecting data and delivering services. But these examinations also feature an added advantage—the flexibility for organizations to incorporate any additional suitable criteria, including HITRUST.
What is HITRUST?
The other half of this potential combination, HITRUST was originally designed to serve healthcare services but has developed into a comprehensive risk and compliance-based security and privacy framework that can be applied across many industries and organizations.
The HITRUST CSF risk-based, 2-year (r2) Validated Assessment lets you select from a variety of pre-determined risk factors to generate implementation requirements within 19 domains, tailored specifically to your organization. Within the HITRUST portfolio, you choose between two types of r2 assessment:
- “Readiness Assessments”
- “Validated Assessments”
What are the Advantages of SOC 2 + HITRUST?
Both initiatives have their merits on their own, but for those of you who need or are interested in both, combining SOC 2 and HITRUST CSF reporting into one effort presents distinct advantages.
Currently, HITRUST has developed a standard report that allows for the reporting of risk, compliance posture, and corrective action plans. However, requests for this type of information can come in different formats such as:
- Security Questionnaires;
- Description of processes and/or controls being implemented to satisfy the CSF; and
- The assurance that controls have operated effectively for a fixed period of time.
For those of you unfamiliar with SOC, those elements are remarkably similar to the contents of a SOC 2 report. As such, it’s both possible and beneficial to incorporate HITRUST CSF controls into your SOC engagement. Rather than your auditor requesting evidence twice to satisfy two different reports at two different times, the evidence is collected once, and you’ll still be able to report on similar controls for two different reporting requirements.
So, how does that work? HITRUST has collaborated with the AICPA to develop recommendations around streamlining the process of combining the CSF and the SOC reporting efforts, and that primarily meant mapping the CSF controls to the Trust Services categories of security, availability, and confidentiality.
This collaboration between the two governing bodies has led to the following work products:
- Mapping of CSF to Trust Services Categories and Criteria (Security, Confidentiality, and Availability)
- Overview document with frequently asked questions
- HITRUST and SOC 2 reporting template
These tools were designed to help organizations that create, handle, store, or transmit PHI meet their dual reporting requirements more easily, and they do. Combining SOC 2 criteria and the HITRUST CSF controls in this streamlined way will:
- Reduce your costs;
- Reduce your time commitment;
- Minimize inefficiencies; and
- Maximize the availability of your already-strapped resources.
Of course, circumstances may dictate that you keep these reports separate regardless of the benefits of the combination. If that’s the case, we still recommend scheduling those separate audits for the same period. Even if you need separate reports, your auditor can still find efficiencies in testing overlapping controls (and there are more than a few regarding management, monitoring, access, operations, and communications).
Other Considerations to Make Regarding SOC 2 + HITRUST
Finding efficiencies in anything is always desirable, especially when it’s reducing two audits to one. You’ve just learned how combining SOC 2 + HITRUST can save you in a number of ways, but we need to paint a complete picture.
So, if you do opt for a SOC 2 + HITRUST report, understand these two things:
- You will be obligated to adopt and be evaluated against the SOC 2 security, availability, and confidentiality criteria.
  - For those unused to three categories (rather than, say, just the security criteria), this means more effort just to accommodate the additional categories that the mapping to HITRUST requires.
- Any issues identified on one side will likely affect the other as well.
  - Integration is a double-edged sword: say you meet all the SOC 2 criteria but fail any of the 75 required HITRUST controls. Because the combination means one set of controls impacts the other, such a failure might mean you don’t receive the opinion you want in your final report.
Even still, there’s no denying that organizations—particularly those in the health industry—have been avidly searching for a better way to deal with multiple audits over the same processes and policies. The reporting collaboration between HITRUST and SOC 2 represents a possible solution, and maybe it’s right for you.
Interested in learning more about your options and their particulars (including the difference between SOC 2+HITRUST and HITRUST certification)? Our team of experts would love to speak with you and address any concerns you may have, so please contact Schellman today.
About Doug Kanney
Doug Kanney is a Principal at Schellman based in Columbus, Ohio. Doug leads the HITRUST and HIPAA service lines and assists with methodology and service delivery across the SOC, PCI-DSS, and ISO service lines. Doug has more than 17 years of combined audit experience in public accounting. Doug has provided professional services for multiple Global 1000, Fortune 500, and regional companies during the course of his career.