Avenues for HITRUST and SOC 2 Compliance

If you already hold a HITRUST Assessment, you may be wondering how much additional effort would be required to also obtain a SOC 2 Report. The opposite can be true as well: if you have a SOC 2 Report, you may still want a HITRUST Certification to demonstrate your organization's commitment to security. If you need to comply with both HITRUST and SOC 2, you are probably wondering how to accomplish this with the least impact on your operations.

The Difference Between HITRUST and SOC 2

SOC 2 is a data security attestation standard developed by the American Institute of CPAs (AICPA). The standard is built around the five AICPA Trust Services Criteria (formerly called the Trust Service Principles): Security, Availability, Confidentiality, Processing Integrity, and Privacy. A SOC 2 Report assesses the design and, for a Type 2 report, the operating effectiveness of your security controls. Every organization must be assessed against the Security criteria. Businesses then determine which of the other four categories are relevant to their operations and need to be included in their SOC 2 scope.

HITRUST assessments are performed against the HITRUST Common Security Framework (CSF). The CSF is designed to harmonize numerous existing frameworks into a single unified framework for demonstrating an organization's commitment to security. The CSF merges requirements from NIST, ISO 27001, PCI DSS, HIPAA, and other regulatory sources into one comprehensive security framework. The assessment is tailored to the organization to some extent, but the controls are defined by HITRUST, not by the organization.

Leveraging the Frameworks

Clients often ask us whether a SOC 2 report can be relied upon as evidence of their control implementation for a HITRUST assessment. Unfortunately, there are a few reasons this is not always possible. First, HITRUST requires that the External Assessor have access to, and be able to review, the testing evidence maintained by the CPA firm that issued the SOC 2 report. Unless you use the same firm for both reviews, this is generally not an option. Second, there are issues related to the timing of the audits: if the evidence used by the CPA firm is too old, your External Assessor may not be able to rely upon that testing. Finally, there is the prescriptive nature of the HITRUST assessment. If a SOC 2 control does not meet all of the corresponding HITRUST control requirements, it will not provide all of the evidence needed for your HITRUST certification.

Leveraging a HITRUST assessment as evidence for a SOC 2 report runs into similar concerns. The CPA firm performing your SOC 2 must be able to access, retain, and review the supporting testing to ensure that it meets the SOC 2 criteria and is available for the required quality assurance reviews. Additionally, the SOC 2 audit period is often not compatible with the HITRUST assessment window, meaning the evidence cannot be reused.

Combining Assessments

If an organization wants to demonstrate its control maturity by completing both a SOC 2 and HITRUST assessment, the most efficient way might be to do these concurrently.

Since SOC 2 allows organizations to define their own controls to reflect their environment, your HITRUST External Assessor can help you identify which controls fall within your SOC 2 scope. Depending on the type of HITRUST assessment your organization is pursuing, you may find that the majority of your SOC 2 scope is already covered by the HITRUST CSF.

Choosing a HITRUST Assessor who also provides SOC 2 services will accelerate the work by coordinating testing windows and sharing evidence and testing results between the two engagements. CompliancePoint generally recommends using the HITRUST assessment as your baseline, because its prescriptive nature makes it the more demanding of the two.

CompliancePoint is an authorized HITRUST Assessor. We also provide SOC 2 readiness services. Our independent CompliancePoint Assurance (CPA) firm can perform audits for a SOC 2 Type 1 and Type 2 report. Contact us at connect@compliancepoint.com to learn how our services can help solve your compliance challenges.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.