SOC 2 + HIPAA Examination

by Alan DeVaughan 

One of the frequent topics of discussion with my SOC 2 clients is the possibility of integrating the Health Insurance Portability and Accountability Act, as amended, (HIPAA) standards with their existing SOC 2 control set. As either a covered entity or business associate, they are required to comply with the HIPAA regulations. This is a great discussion to have and our team at Meditology can show you how to add HIPAA controls to your SOC 2 by performing a SOC 2 + HIPAA examination. Let’s start with some background information. 

Can Your Current Controls Withstand an OCR Audit? 

Despite what some compliance vendors would have you believe, there is no such thing as HIPAA certification or HIPAA-certified. Only the U.S. Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) can determine if your organization is fully compliant with the HIPAA standards as part of a formal audit. However, there are two options to help you determine if your existing controls might withstand the scrutiny of an OCR audit. 

The first is to conduct an internal assessment/audit against the HIPAA standards. The OCR publishes an audit guide covering the Security, Privacy, and Breach Notification standards. This audit protocol can be used to determine if the required controls are in place and operating as expected. Our team performs this service for several of our clients and we would be glad to assist you. Use the link below to contact us and we’ll provide more information. 

The second way to determine if your existing controls are sufficient is to enhance your existing SOC 2 by performing a “SOC 2+” examination. A SOC 2+ is the same as a standard SOC 2 Type 2 examination but has an additional control framework added. This could be the HIPAA Security Rule, CIS controls, or other framework. The additional framework is noted in the SOC 2 auditor’s opinion and throughout the report. This provides more assurance that the additional controls are operating as expected. The auditor’s (e.g., Meditology’s) standard SOC 2 testing procedures apply to your standard SOC 2 control set plus the additional ones. 

By adding HIPAA standards (e.g., the Security Rule) to your SOC 2 report, you are providing your clients and other readers of the report a third-party auditor’s opinion that the HIPAA controls were designed and operating effectively for the reporting period. Our SOC 2+ report will map your existing SOC 2 controls to the HIPAA standards, list any HIPAA-specific controls, and show the testing results. While still not a formal HIPAA certification, the SOC 2+ report will demonstrate to your clients your commitment to compliance with the HIPAA standards. 

One of your first questions is probably, “How much extra effort is involved in a SOC 2+ HIPAA examination?” Great question! It will depend on the size of your current SOC 2 control set, the AICPA Trust Services Criteria (TSC) categories included in your current SOC 2 report, and which parts of the HIPAA standards you want to include. The HIPAA Security Rule includes several control areas related to disaster recovery, emergency access to ePHI, and business continuity. If your existing SOC 2 doesn’t include the Availability TSC category, it will take more effort to identify potential controls, and determine if those controls will satisfy the HIPAA standard. The same would be true for including the HIPAA Privacy Rule in your SOC 2+ examination. If you don’t already cover the Privacy TSC category, there will be more work to identify those control areas. 

We would be glad to provide additional information, discuss the best option for your organization, or answer any questions you may have. Please contact us and we’ll be in touch. 

Meditology Services is a leading provider of risk management, cybersecurity, and regulatory compliance consulting services that is exclusively focused on serving the healthcare community. More than a provider of services, Meditology is a strategic partner committed to providing our clients actionable solutions to achieve their most pressing objectives. With experience serving healthcare organizations ranging in size, structure, and operational complexity, we uniquely understand the challenges our clients face every day and dedicate ourselves to helping solve them. 

Our service lines span cybersecurity certifications, security risk assessments, penetration testing, medical device security, incident response, staff augmentation, and more. Our team is run by former CISOs and privacy officers who have walked in our clients’ shoes, and our experienced consultants hold certifications spanning CISSP, CEH, CISA, HCISPP, CIPP, OSCP, HITRUST, and more. In addition, we maintain strong relationships with healthcare regulatory and standards bodies, including serving as HIPAA expert advisors to the Office for Civil Rights, providing us a uniquely thorough perspective on the healthcare cybersecurity landscape. 

Together with our sister company, CORL Technologies, we serve hundreds of leading healthcare payers, providers, and business associates across the United States.


Alan DeVaughan is an experienced compliance and information security senior manager specializing in assisting organizations with SOC 2 readiness assessments and examinations for over 10 years. In addition to leading the firm's SOC 2 service line, he serves as a consultant team leader focused on advising healthcare clients of varying size and complexity in areas of IT, privacy, security, and compliance. Alan has in-depth knowledge of security technology frameworks such as NIST, HITRUST, SOC 1 / SOC 2, HIPAA, and FFIEC. With a background in network administration, he has over 25 years’ experience in information technology consulting for a wide variety of organizations and industries. 

Most Recent Posts
SOC 2 + CIS Controls Read More
A Cybersecurity Professional's Guide to HIPAA-Compliant Online Tracking Read More
Rise of Responsible AI Read More