866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

What is SOC 2 + HITRUST? Blog Feature
DOUG KANNEY

By: DOUG KANNEY

Print/Save as PDF

What is SOC 2 + HITRUST?

Healthcare Assessments | SOC Examinations

Prolific and unique musician MF Doom once said, “I'm always trying to show versatility. I'm juggling, and I'm flipping fire, and I'm chewing gum and rhyming at the same time... on a unicycle, while playing the drums.”

This was a man known for his “supervillain” stage persona but such a sentiment extends beyond his world of underground hip-hop and into ours of compliance. Despite the benefits of versatility, it’s increasingly difficult for organizations to keep up with multiple audits, oftentimes around the same processes and policies, year after year.

After all, you might not have the necessary resources for internal compliance services, which means that your staff is forced to take on multiple roles for multiple audits throughout the year—and that’s on top of their existing roles within the organization.

Juggling’s great, but wouldn’t it be nice to be able to maybe combine at least the chewing gum and flipping fire into one effort instead of many? We’ve got good news for you—there may be an opportunity, as HITRUST and the American Institute of CPAs (AICPA) took notice of this issue plaguing organizations and sought to alleviate some of these concerns.

SOC 2 + HITRUST was created by streamlining and combining the CSF and SOC audit efforts—a natural combination since HITRUST CSF can fit within SOC 2’s criteria and reporting structure. Though they remain separate reporting efforts, in this article, we’re going to break down how these two frameworks can exist separately yet mesh well together.

After learning the advantages of pursuing such a combined approach, you’ll know if it can help you better juggle multiple obligations.

What is SOC 2?

But before discussing the mutual benefits of the collective effort, let’s set a baseline by briefly exploring each individually.

A SOC 2 examination can help you understand how well you achieve your service commitments or promises related to:

  • Security
  • Data/service availability
  • Transaction processing integrity
  • Data confidentiality, and/or
  • Data privacy. 

Of these five different areas, known as the Trust Service Categories, you can select which apply to your organization and your auditor will assess your controls against the criteria in your selected categories.

On their own, SOC 2 reports represent a staple in compliance and can benefit anyone charged with protecting data and delivering services. But these examinations also feature an added advantage—the flexibility for organizations to incorporate any additional suitable criteria, including HITRUST.

What is HITRUST?

The other half of this potential combination, HITRUST was originally designed to serve healthcare services but has developed into a comprehensive risk and compliance-based security and privacy framework that can be applied across many industries and organizations.

The HITRUST CSF risk-based, 2-year (r2) Validated Assessment allows clients to select from a variety of pre-determined risk factors to generate implementation requirements within 19 domains that you can tailor specifically to your organization. You choose from two types of r2 Validated Assessments within the HITRUST portfolio:

  • “Readiness Assessments”
  • “Validated Assessments”

Readiness Assessments are designed to prepare for Validated Assessments, and—once completed—Validated Assessments are submitted to HITRUST, usually for HITRUST Certification.

What are the Advantages of SOC 2 + HITRUST?

Both initiatives on their own have their merits, but for those of you that need or are interested in both, combining SOC 2 and HITRUST CSF reporting into one effort presents different advantages.

Currently, HITRUST has developed a standard report that allows for the reporting of risk, compliance posture, and corrective action plans. However, requests for this type of information can come in different formats such as:

  • Security Questionnaires;
  • RFPs;
  • Description of processes and/or controls being implemented to satisfy the CSF; and
  • The assurance that controls have operated effectively for a fixed period of time.

For those of you unfamiliar with SOC, those elements are remarkably similar to the SOC 2 report. As such, it’s both possible and beneficial to leverage HITRUST CSF controls into your SOC engagement. Rather than requesting evidence twice to satisfy two different reports at two different times, they’ll get it all done in one go, and you’ll still be able to report on similar controls for two different reporting requirements.

So, how does that work? HITRUST has collaborated with the AICPA to develop recommendations around streamlining the process of combining the CSF and the SOC reporting efforts, and that primarily meant mapping the CSF controls to the Trust Services categories of security, availability, and confidentiality.

This collaboration between the two governing bodies has led to the following work products:

  • Mapping of CSF to Trust Services Categories and Criteria (Security, Confidentiality, and Availability)
  • Overview document with frequently asked questions
  • HITRUST and SOC 2 reporting template

These tools were designed to aid organizations that create, handle, store, or transmit PHI to meet their dual reporting requirements more easily, and that they do. Streamlining like this in combining SOC 2 criteria and the HITRUST CSF controls will:

  • Save you on costs;
  • Save you on your time commitment
  • Minimize inefficiencies; and 
  • Maximize your already-strapped resources’ availability.

Of course, circumstances may dictate that you keep these reports separate regardless of the benefits of the combination. If that’s the case, we still recommend scheduling those separate audits for the same period. Even if you need separate reports, your auditor can still find efficiencies in testing overlapping controls (and there are more than a few regarding management, monitoring, access, operations, and communications.)

Other Considerations to Make Regarding SOC 2 + HITRUST

Finding efficiencies in anything is always desirable, especially when it’s reducing two audits to one. You’ve just learned how combining SOC 2 + HITRUST can save you in a number of ways, but we need to paint a complete picture.

So, if you do opt for a SOC 2 + HITRUST report, understand these two things:

  • You will be obligated to adopt and be evaluated against the SOC 2 security, availability, and confidentiality criteria.
    • For those unused to three categories (rather than say, just the security criteria), this will mean increasing your level of effort just to accommodate the additional categories to ensure the mapping to HITRUST.
  • Any issues identified on one side will likely affect the other as well.
    • Integration is a double-edged sword: Say you meet all the SOC 2 criteria but fail any of the 75 required HITRUST controls. Because the combination would mean one set of controls impacts the other, such a failure might mean you don’t receive the opinion you want in your final report. 

Even still, there’s no denying that organizations—particularly those in the health industry—have been avidly searching for a better way to deal with multiple audits over the same processes and policies. The reporting collaboration between HITRUST and SOC 2 represents a possible solution, and maybe it’s right for you.

Interested in learning more about your options and their particulars (including the difference between SOC 2+HITRUST and HITRUST certification)? Our team of experts would love to speak with you and address any concerns you may have, so please contact Schellman today.

About DOUG KANNEY

Doug Kanney is a Principal at Schellman based in Columbus, Ohio. Doug leads the HITRUST and HIPAA service lines and assists with methodology and service delivery across the SOC, PCI-DSS, and ISO service lines. Doug has more than 17 years of combined audit experience in public accounting. Doug has provided professional services for multiple Global 1000, Fortune 500, and regional companies during the course of his career.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.