Combining SOC 2 and HIPAA Audits

by Sarah Harvey / February 26th, 2020

We get a lot of questions about SOC 2 and HIPAA audits. Should your company do both? Can multiple audits be consolidated into one project? KirkpatrickPrice has developed the Online Audit Manager to make it easier to combine multiple audits into a single engagement. Let's talk through why and how you would take on a combined SOC 2 and HIPAA audit.

What are SOC 2 and HIPAA Audits?

Before we discuss how to go through a combined SOC 2 and HIPAA audit, let’s review what each of these types of audits are.

A SOC 2 audit is an assessment of the internal controls at a service organization that protect client data. The auditor evaluates those controls against the AICPA Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Security is the required category (the "common criteria"); the other four are included only when they are relevant to the services the organization provides. The result is not a pass/fail certification but an attestation report containing the auditor's opinion on whether the controls are suitably designed (Type I) and, for a Type II report, whether they operated effectively over the review period. Because it is an attestation engagement, a SOC 2 audit must be conducted by a licensed CPA firm.

The integrity of the healthcare industry relies on keeping data secure and patients safe, and that concern is a large part of why HIPAA exists. HIPAA sets a national standard for protecting individuals' protected health information (PHI), including electronic PHI (ePHI), by requiring covered entities and their business associates to perform risk analysis and risk management and to implement administrative, physical, and technical safeguards. The Security, Privacy, and Breach Notification Rules are enforced by the HHS Office for Civil Rights (OCR). Note that there is no official government-issued HIPAA certification: a "HIPAA audit" in this context is an independent third-party assessment of how well your safeguards meet the requirements of those rules, and the resulting report is what you present to clients and, if needed, to OCR.

Why a Combined SOC 2 and HIPAA Audit?

Why would a company pursue a combined SOC 2 and HIPAA audit? Depending on your services, both could be valuable for your organization. If you are a covered entity or a business associate that creates, receives, maintains, or transmits PHI, HIPAA compliance is not optional; it is a legal requirement. But there are organizations like MSPs, cloud hosting providers, and SaaS providers that serve the healthcare industry and pursue both SOC 2 and HIPAA compliance, like Dash. These organizations have made the commitment to approach compliance from two proactive angles. Our clients who undergo a combined SOC 2 and HIPAA audit are also, in many cases, specifically asked for a SOC 2 report by their key accounts and stakeholders. A HIPAA report is valuable, but a SOC 2 attestation adds a different kind of assurance: an independent CPA firm's opinion on whether the controls protecting PHI are designed appropriately and, in a Type II report, whether they actually operated over the review period. Whenever your clients (especially key accounts) or stakeholders have specific compliance requirements, it is wise to do your due diligence and understand your options for meeting their requirements and industry standards. A combined SOC 2 and HIPAA audit is one of those options, and it lets you demonstrate to a varied client base that one set of controls satisfies both frameworks.

Using the Online Audit Manager

Our goal is to make SOC 2 and HIPAA reports more accessible to organizations that are being asked for them, so to complete a combined SOC 2 and HIPAA audit we use the Online Audit Manager. The Online Audit Manager is an online audit delivery tool that maps the requirements of each framework to one another, so a single control, policy, or piece of evidence can satisfy the corresponding requirements in both frameworks instead of being submitted separately for each audit. The goal is to save your organization's time, effort, and money. Completing a combined SOC 2 and HIPAA audit with KirkpatrickPrice will be a more efficient, accessible process for your organization. Interested in more specifics on how this works? Let's set up a demo of the Online Audit Manager.

More SOC 2 and HIPAA Resources

SOC 2 Compliance Checklist

HIPAA Compliance Checklist

Why Would a Healthcare Organization Need a SOC 2 Audit?

Using the Online Audit Manager to Complete Multiple Audits

4 Reasons the Online Audit Manager is the Audit Tool You’ve Been Missing