

Can organizations use a SOC 2 report to help with HIPAA compliance?

SOC 2 evaluations can be helpful tools for organizations assessing their HIPAA compliance, but companies should not solely rely on them. Compliance expert Mike Chapple explains why.

I'm interested in learning more about how Service Organization Control evaluations can benefit organizations that are HIPAA business associates. Are SOC 2 evaluations enough to meet HIPAA requirements if your organization is a HIPAA business associate?

Service Organization Control, or SOC, evaluations are not intended to demonstrate compliance with HIPAA and should not be relied upon exclusively to evaluate the HIPAA compliance of business associates. That said, SOC 2 reports can be an important tool for organizations evaluating the security controls of their vendors and other business partners.

The SOC program is administered by the American Institute of Certified Public Accountants (AICPA), and it is designed to provide independent assessments of the controls in place at a service provider. It includes three types of assessments: SOC 1, SOC 2 and SOC 3. SOC 1 reports cover controls relevant to a customer's financial reporting, and SOC 3 reports are general-use summaries that omit the detail needed to evaluate a vendor. Of these, SOC 2 assessments are of most interest to security professionals. A SOC 2 report provides a description of the service provider's systems and an auditor's evaluation of the controls against the AICPA Trust Services Criteria. Security is the only criterion that must be in scope; availability, processing integrity, confidentiality and privacy are covered only if the service provider chooses to include them, so check which criteria the report actually addresses.

Just to make things a little more confusing, there are two types of SOC 2 reports an auditor may issue after completing a SOC 2 assessment. In a type 1 SOC 2 report, the auditor comments only on whether the controls are suitably designed and implemented as of a single point in time; nothing in the report shows whether they actually worked. Only in a type 2 SOC 2 report does the auditor test the controls over a review period, typically six to twelve months, and report the results as evidence of the operating effectiveness of those controls.

If a service provider presents your organization with a SOC 2 report as evidence of HIPAA compliance, there is still work to do. First, compare the controls described in the report to the HIPAA security and privacy rules to determine whether they would satisfy those requirements if they operated as described. Second, verify the report is a type 2 SOC 2 report, and then ensure the auditor provided a favorable opinion of the effectiveness of the organization's controls. Read past the opinion letter: confirm that the report's scope covers the systems and locations that will handle your protected health information, that the review period is recent, and that you have reviewed any exceptions the auditor noted and any complementary user entity controls the report expects your organization to implement. Finally, remember that a SOC 2 report does not replace the business associate agreement that HIPAA requires you to have with the vendor.



This was last published in July 2016
