SOC 2 vs. HIPAA Compliance: What Auditors See When Organizations Confuse the Two

By Megan Kovash Published on May 13, 2026

We often have clients or prospective clients ask whether a SOC 2 report is sufficient to demonstrate HIPAA compliance. Both relate to data security, but the short answer is no. A SOC 2 report alone typically does not demonstrate compliance with all of the HIPAA Security Rule's requirements, though it may demonstrate compliance with some of them. In this post, I will discuss the difference between HIPAA compliance and a SOC 2 report, the purpose of each, and how the two overlap.

If your organization is in healthcare and handles electronic protected health information (ePHI), HIPAA compliance is not optional; it is the law. SOC 2, by contrast, is a separate, voluntary standard that applies to service organizations of any industry, not just healthcare, and is used to demonstrate to customers and business partners the controls implemented over data security. Many healthcare SaaS companies need both, and pursuing them together reduces duplicate effort because some controls overlap. Keep reading for a breakdown of how they compare and where they overlap.

What Is the Difference Between HIPAA Compliance & SOC 2?

Let’s cover some basics needed to understand the differences between SOC 2 and HIPAA. A SOC 2 report is the output of a voluntary attestation engagement. Service organizations use it to demonstrate to the users of their services, and to other stakeholders, the controls they have implemented to secure the services they provide and the data those services handle.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) led to national standards for maintaining the security and privacy of health information, including electronic health information. HIPAA is federal law: organizations that provide healthcare-related services and handle protected health information (PHI) must comply with it if they are a covered entity or a business associate.

One of the key differences to highlight here is that SOC 2 is a voluntary attestation engagement, whereas HIPAA is a legal requirement that applicable healthcare organizations and their business associates must comply with.

Comparing SOC 2 and HIPAA

Governing body
  SOC 2: American Institute of Certified Public Accountants (AICPA)
  HIPAA: U.S. Department of Health & Human Services (HHS)

Purpose
  SOC 2: A framework for evaluating how a service organization secures customer data and the services it provides; how the criteria are met is flexible.
  HIPAA: National standards for healthcare organizations, with prescriptive regulations for maintaining the security and privacy of PHI.

Is compliance required?
  SOC 2: Voluntary. Some customers require a SOC 2 report as a condition of doing business with a service organization.
  HIPAA: Mandatory for covered entities and business associates.

Who it applies to
  SOC 2: Service organizations that store, process, or transmit customer data.
  HIPAA: Healthcare organizations, namely covered entities and their business associates.

Data covered
  SOC 2: Sensitive and customer data handled by the service organization’s system or service.
  HIPAA: Protected health information (PHI).

Report type / audit output
  SOC 2: SOC 2 Type I or Type II report issued by an independent CPA firm.
  HIPAA: Self-assessment or independent attestation; there is no standardized report format.

Enforcement and penalties
  SOC 2: No regulatory penalties. The consequences of not having a report are commercial and contractual.
  HIPAA: Civil and criminal penalties, enforced by the HHS Office for Civil Rights (OCR).

Overlap
  Access control, monitoring and logging, incident response, and risk management controls often satisfy requirements under both. Some HIPAA Security Rule safeguards align with the SOC 2 common criteria.

What Is the HIPAA Security Rule?

Before HIPAA, there were no generally accepted standards or requirements for how health information should be protected, especially electronic health information. The HIPAA Security Rule sets standards for protecting electronic PHI (ePHI). There are multiple ways for organizations to demonstrate compliance with the HIPAA Security Rule, including HIPAA compliance audits. These audits can be self-assessments or independent attestations performed by auditors who evaluate the organization against the HIPAA Security, Privacy, and/or Breach Notification Rules. The requirements come from federal legislation as implemented in regulations by the U.S. Department of Health and Human Services (HHS), which developed them after considering healthcare industry feedback. In this post, we focus specifically on the HIPAA Security Rule.

This brings up another difference between SOC 2 and HIPAA. The AICPA established the trust services criteria (TSCs) used in SOC 2 audits, which can only be performed by an independent CPA firm. The TSCs were created to evaluate and report on a service organization’s controls over the security, availability, confidentiality, processing integrity, or privacy of the data and systems used to provide its services. There are five categories of trust services criteria that can be included in a SOC 2 report, selected based on the services and/or systems the service organization provides. The five categories are:

  • Security
  • Availability
  • Confidentiality
  • Processing integrity
  • Privacy

The only category that must be included in a SOC 2 report is security, also called the common criteria. The other four are added at the discretion of the service organization, with help from its auditor, when determining the scope of the SOC 2 audit based on the services and/or systems provided to its users.

Who Does the HIPAA Security Rule Apply To?

As mentioned previously, HIPAA compliance is not voluntary. Organizations that provide healthcare-related services and handle protected health information (PHI) are required to comply with HIPAA if they are a covered entity or business associate. Organizations that must be HIPAA compliant, such as a healthcare SaaS company, may also benefit from undergoing a SOC 2 examination, but SOC 2 audits are voluntary. The guidance on who must comply with the HIPAA Security Rule is far more prescriptive than the guidance on who should obtain a SOC 2 report. If an organization is having a hard time determining whether it is a covered entity or business associate and therefore must comply with HIPAA, the Centers for Medicare & Medicaid Services (CMS) provides a decision tool with additional guidance.

In contrast, the AICPA states that SOC 2 reports are meant for organizations that provide services and/or systems to user entities, and that they address the needs of a broad range of report users. A SOC 2 report describes the system the service organization uses to process and store customer data and provides assurance over the controls in place at the service organization, relevant to whichever of the five trust services categories are in scope. This is why, in some instances, a SOC 2 report will demonstrate compliance with some HIPAA Security Rule requirements.

Is a SOC 2 Report HIPAA Compliant?

The short answer is no. As mentioned previously, a SOC 2 report will demonstrate compliance with some HIPAA Security Rule requirements, but not all, depending on the scope of the SOC 2. Controls often overlap between the two, but because the purpose of each is different, a SOC 2 report is not considered “HIPAA compliant”.

Typically, when a client has engaged us for both, we perform the fieldwork for the SOC 2 and the HIPAA compliance report in tandem, since there is a significant amount of overlap between the two. We still issue two separate reports: one addressing the SOC 2 criteria and another demonstrating HIPAA compliance. This shows how the organization meets all of the SOC 2 criteria and, separately, all of the applicable HIPAA requirements, without either report depending on the other.

What We Commonly See During SOC 2 + HIPAA Scoping

We have seen instances where clients rely on a SOC 2 report alone to demonstrate HIPAA compliance, yet several requirements of the HIPAA Security Rule are not typically covered by a SOC 2 report. Below are a few examples of where a SOC 2 report with only the security criteria in scope could fall short when demonstrating compliance with the HIPAA Security Rule.

  • Policies have been established and implemented to meet the SOC 2 criteria, but they are not HIPAA-compliant security policies that specifically address the controls implemented to restrict access to and secure PHI.
  • The HIPAA contingency planning requirements, such as a disaster recovery plan, an emergency mode operation plan, an applications and data criticality analysis, contingency operations, and access to PHI in an emergency, may not be met by a SOC 2 that includes only the security criteria. Controls around disaster recovery are typically in the scope of a SOC 2 report only when the availability criteria are included.
  • Maintaining a record of the individuals and devices with access to PHI, together with monitoring procedures to deter unauthorized access, may not be in the scope of a SOC 2 depending on the criteria included, as this is specific to HIPAA compliance.
  • Retaining HIPAA-required documentation of actions, activities, and assessments for six years is also specific to HIPAA compliance and is not typically included in the scope of a SOC 2 report.

The list above is not exhaustive. Depending on the scope of the SOC 2 report and the criteria included, some of the control activities listed above could be covered by a SOC 2 report.

The Bottom Line: SOC 2 Supports HIPAA Compliance, But It Doesn’t Replace It

In summary, we discussed the main objectives of, and differences between, a SOC 2 report and HIPAA compliance. There is overlap between the two, but their objectives and intended users differ. A SOC 2 report provides a baseline for data security practices, but a HIPAA compliance report has additional requirements that must be met. A SOC 2 report alone will not typically be enough to demonstrate that an organization complies with the HIPAA Security Rule. When tackling either of these audits for the first time, engaging a reputable CPA firm is a good first step.

To find out more about how Linford & Co. can assist your organization in starting the process towards obtaining your SOC 2 or HIPAA Compliance reports, please contact us.

This article was originally published on 8/18/2020 and was updated on 5/13/2026.

About The Author

Megan Kovash

Megan Kovash specializes in SOC audits and also has experience in financial audit, internal audit, and data analytics. Megan started her career in 2012 after completing her Master of Accountancy at the University of Denver. She is a CPA specializing in IT security audits. She began her career at Ernst & Young in Denver, then moved to the Internal Audit Data Analytics group at Charles Schwab. She joined Linford & Co., LLP in 2019 and is a partner with the firm. Megan enjoys working with clients to find and implement solutions that improve their businesses while also meeting audit requirements.
