Demystifying SOC 2, HIPAA & HITRUST—Top 5 Common Questions 

Julie Butterfield August 30, 2022

In our recent August webinar, “Demystifying SOC 2, HIPAA & HITRUST,” 360 Advanced Practice Director Ryan Winkler and Sr. Compliance Executive Kris Francis, joined by moderator Sr. Compliance Executive Carlos Guerrero, answered several questions posed by guests regarding SOC 2, HIPAA, and HITRUST.  

Here are the top 5 questions our panel addressed:  

1. If you already have a SOC 2, what is the level of effort to get to HITRUST?
Winkler said there’s no set standard in the way that a SOC 2 control is tested because it’s contoured to each individual organization. Yet there’s a lot of overlap between the SOC 2 criteria and HITRUST.

SOC 2 is a great stepping-stone to get there, Francis said. Every control that you include for a SOC 2 will map into the HITRUST framework in some form. “If you have a SOC 2, you’ve brought your organization up to a compliance mindset, and you’re used to keeping that documentation refreshed every 12 months, documenting those controls and how they function. That is going to be a leg up on anyone who has nothing in place who is now targeting a HITRUST certification.”

2. In terms of well-defined HIPAA controls, to line up with SOC 2, do organizations need to use all five trust criteria: security, availability, confidentiality, processing integrity, and privacy?
If you’ve already got controls developed, it’s just taking those controls and mapping them to the SOC criteria and using those controls, Winkler said. “That’s definitely a great exercise to perform. But just note that not everything that is covered in HIPAA is going to be covered in SOC 2. There’s not going to be a one-to-one overlap for everything, but I would say probably about 80% of what you could find in HIPAA can be leveraged into a SOC 2.”

3. If you have the privacy category in your SOC 2, it covers a lot of PII considerations. Is having the privacy category in your SOC 2 equal to being HIPAA compliant outside of your SOC 2?
“You really want to make sure you cover your bases, dot your i’s, and cross your t’s, when you’re building your HIPAA compliance program,” Winkler said. 

When a prospect comes to him for the first time, inquiring about HIPAA, he said he tries to point them in the direction of HITRUST.  

“Because the methodology is already there and defined for you with HITRUST. They really take the guessing game out of implementing controls and developing sound practices. If we can remove half of the learning curve with developing a risk management methodology and already having a model in place to get compliant, then why not just go down the road of HITRUST?” 

4. What is the SOC 2 + HITRUST and when is that applicable?
If an organization is looking for a SOC 2 or HITRUST, Francis said he’s going to go the path of HITRUST because clients understand what it is. “It’s a certification,” he said. “When I hand them my certificate, they’re going to feel good that the services I’m providing are secure.”

Winkler said it’s important to clarify that with a SOC 2 + HITRUST, there is no certification.  

“It is an attestation-only engagement, which means we are providing an opinion that you, the organization, meet the criteria for not only SOC 2, but the 75 HITRUST control references that would be required for certification. It’s purely an opinion, whereas with a (HITRUST) i1 and r2, those are full certifications.”

5. If we’re just getting started with HITRUST, where do we start?
After you’ve familiarized yourself with the HITRUST options (i1 or r2 – which are outlined on the HITRUST website), Francis recommends calling HITRUST to learn what you’ll need throughout the engagement. There are various options within their tool, MyCSF, which is a SaaS solution designed and engineered for performing risk assessments, amongst other things.

With HITRUST i1, the organization is assessed against the implemented maturity level only, Winkler said.  

“With an r2, you’re introducing maturity levels that have to be assessed again for each requirement, and that’s policy, process, implementation, and then optionally measured, so there’s a lot more that has to be looked at for an r2.”

Step two would be to contact an approved HITRUST assessor and have them walk you through their process, Francis said. “I would also say to interview more than one and understand how all of us are doing this a little differently. But what I would say is find the process that’s going to work for your organization, both on a timeline perspective and a fee perspective.” 

How 360 Advanced Helps
We will get you started on the most appropriate compliance program for your business. While hackers are getting more aggressive every day, 360 Advanced actively reviews the latest threats to help you stay ahead of risks and better protect your assets. We tailor our methods to your company’s unique needs, always with an eye on your budget. Contact us today to schedule your assessment.

Watch our webinar to learn more.