HITRUST vs SOC 2 (Which is right for you?)

Pritesh Vora

Apr 06, 2024


Information security is a growing concern for cloud-hosted companies, and organizations are under constant pressure to meet regulatory requirements. HITRUST and SOC 2 are both industry-recognized certifications; understanding the differences between them will help cloud-hosted companies demonstrate their privacy, security, and quality practices.

TL;DR: HITRUST certification was originally developed to help healthcare organizations mitigate privacy risks and provide information security, whereas SOC 2 was designed to satisfy the needs of users who want assurance that their personal information is stored and processed securely.

This HITRUST vs SOC 2 comparison will help you identify which certification is right for your cloud-hosted company.

What is a SOC 2 Engagement?


SOC 2 is a reporting framework developed by the American Institute of Certified Public Accountants (AICPA).

According to AICPA, the SOC 2 engagement is an examination engagement for reporting on matters such as:

  • Whether the description of a cloud-hosted company’s system is in line with the description criteria.
  • Whether the controls are appropriately designed to provide reasonable assurance that the cloud-hosted company’s service commitments and system requirements will be met as per the applicable trust services criteria (TSC).
  • Whether the controls operated effectively to ensure that service commitments and system requirements were fulfilled as per the applicable TSC.

The primary purpose of a SOC 2 report is to satisfy the needs of a variety of users who want assurance that their information is stored and processed securely.


What is a HITRUST Engagement?


HITRUST is short for Health Information Trust Alliance, and the HITRUST CSF is a prescriptive control framework.

Founded in 2007, HITRUST is a non-profit organization whose mission is to promote programs that protect sensitive information and manage information risk for all industries & third-party supply chains. 

Originally, HITRUST was created to help healthcare organizations manage privacy risks and provide information security. It was used by companies that specifically dealt with Electronic Protected Health Information (ePHI) in one way or another.

Today, however, HITRUST has evolved into a full-fledged regulatory compliance and risk management framework that covers a wide range of standards including HIPAA, PCI DSS, ISO, COBIT, and NIST to name a few.

HITRUST Certification vs SOC 2: What is the Difference?

The main difference between HITRUST and SOC 2 is that SOC 2 is an attestation report, while HITRUST is a control framework against which an organization is reviewed.


In SOC 2 compliance, management needs to meet the demands of a large user base that wants information and assurance about the controls that help maintain the five Trust Services Criteria (TSC):

  • Privacy
  • Security
  • Availability
  • Confidentiality
  • Processing integrity

The cloud-hosted company is free to choose which of these five TSC categories to report on (security, however, is compulsory). It must then engage external assessors to verify whether the controls are appropriately designed and operating effectively.

HITRUST, on the other hand, is a control framework. While it allows cloud-hosted companies to define the scope of the environment to be tested, the company must put the HITRUST controls in place and make sure they are applied to the entire covered environment.

SOC 2 has specific criteria for each of the Trust Services Principles (TSP) of security, availability, processing integrity, and confidentiality; HITRUST and the AICPA have mapped the CSF controls to these criteria to offer full coverage of the CSF controls needed for CSF Certification (to date, the privacy principle has not been mapped).

However, HITRUST sets different requirement levels for its controls based on an organization’s scoping factors. It is therefore critical for organizations undergoing a SOC 2 + HITRUST examination to declare the system, organizational, and regulatory factors that determine the true scope of the HITRUST requirements to be tested against the SOC 2 criteria. The factors for one organization could require Level 3 implementations, whereas the factors for another may only require Level 1 implementations in an examination.

The good news is that there are synergies between HITRUST and SOC 2. 

For example, cloud-hosted companies can leverage the SOC 2 controls that address HITRUST CSF requirements in their SOC 2 engagements, saving both time and cost.

What’s more, HITRUST and the AICPA have joined forces to streamline and simplify the process by launching the SOC 2 + HITRUST Report.

How Much is SOC 2 Mapped to HITRUST?

If you’re planning to obtain both reports for your cloud-hosted company, the good news is that the HITRUST report can be mapped to the controls needed to give a SOC 2 opinion on the five TSC.

However, your cloud-hosted company will still need to perform complete testing annually to maintain the SOC 2 opinion.

Alternatively, there is one more option for obtaining both reports: SOC 2 + HITRUST CSF. In this case, a CPA firm must execute certain procedures to test the design and operating effectiveness of controls related to both SOC 2 and the HITRUST CSF.

Unlike the SOC 2 + HITRUST Report, this report does not provide a letter of certification, with one exception: when the CPA firm is a HITRUST CSF assessor and the report is certified by the HITRUST organization.

What is a SOC 2 + HITRUST Report?

If you’re wondering which report your cloud-hosted company needs between SOC 2 and HITRUST, the first thing to know is that the two reports are quite extensive and differ from one another in various ways.

HITRUST is leveraged by cloud-hosted companies that collect, house, and process ePHI. 

SOC 2, on the other hand, applies to all cloud-hosted companies that store or process customer data. This includes the business associates, third-party vendors, and even support agencies that work with cloud-hosted companies required to be SOC 2 compliant.

But as we have just seen, the AICPA and HITRUST have collaborated to enable cloud-hosted companies to issue a SOC 2 + HITRUST report.

The final SOC 2 + HITRUST report is closer in nature to a SOC 2 report than to a HITRUST report. It consists of a signed assertion by the cloud-hosted company’s management, an independent auditor’s report, and a written description of the system provided by the cloud-hosted company.

SOC 2 vs HITRUST Reporting Options


There are four different reporting options offered by the AICPA and HITRUST for cloud-hosted companies:

  • HITRUST CSF Certification – A cloud-hosted company can opt for a HITRUST CSF certification report by having a HITRUST-approved CSF Assessor assess its system, after which HITRUST issues the Certification report.
  • SOC 2 Only – A cloud-hosted company can opt for a SOC 2 only report when it has adopted the HITRUST CSF framework but has not yet asked an auditor to provide an opinion on whether the controls are appropriately designed and operating effectively to meet HITRUST CSF requirements.
  • SOC 2 and HITRUST CSF – A cloud-hosted company can opt for this report when it has implemented controls addressing HITRUST requirements that cover the trust services criteria of security, confidentiality, and availability. The auditor’s report gives an opinion on the design and operating effectiveness of the controls relevant to both SOC 2 and the HITRUST CSF.
  • SOC 2, HITRUST CSF, and CSF Certification – A cloud-hosted company is eligible for this combined report when it has an auditor’s opinion on SOC 2 and the HITRUST CSF and has successfully acquired HITRUST CSF certification.

Conclusion

Figuring out which certification report your cloud-hosted company needs, SOC 2 or HITRUST, requires serious consideration.

That said, if you’re just beginning your certification journey, Sprinto can help you acquire SOC 2 certification and ensure that your cloud-hosted company meets the regulatory requirements of your customers.


FAQ: HITRUST SOC 2

What is the HITRUST standard?

The HITRUST framework is designed to streamline the regulatory compliance process through a predefined set of security controls mapped to different standards, enabling cloud-hosted companies to achieve and maintain HITRUST compliance.

What is the difference between HITRUST and SOC 2?

The main difference between HITRUST and SOC 2 is that HITRUST is a review that is accompanied by a certification while SOC 2 is an attestation report.

Does HITRUST cover SOC 2?

Yes, it is possible to meet both sets of requirements in a single report. The SOC 2 + HITRUST program maps the HITRUST CSF requirements to the AICPA’s five Trust Services Criteria and produces a single SOC 2 + HITRUST report.

Pritesh Vora

Pritesh is a founding team member and VP Growth & Marketing at Sprinto. He comes with over a decade of experience and is a data-driven dynamo in growth strategy, sales, and marketing! His strategies have crafted the success of not one, but two early-stage SaaS startups to 7-digit revenues within a year – he’s your go to guy for all things growth.
