Information security is a growing concern for many organizations, especially those that handle financial and healthcare information. Many such organizations are required to undergo a Service Organization Control (SOC) 2 examination in order to provide assurance that their security controls are designed and operating effectively. A SOC 2 examination focuses on one or more of the five Trust Service principles as specified by the American Institute of Certified Public Accountants (AICPA):

  1. Security: defines the system’s physical and logical controls against data theft or loss.
  2. Processing Integrity: relates to how a system processes information so that it is complete, accurate, timely and authorized.
  3. Availability: specifies when and how the information system is made available for authorized use.
  4. Confidentiality: describes protection of information designated as confidential per agreement.
  5. Privacy: addresses personal information that must be kept private in order to comply with established criteria, and with an organization’s privacy notice.

A service organization can undergo a SOC 2 examination of any one or all five trust services principles. For example, some software-as-a-service (SAAS) providers may need to address system availability, security, and integrity, but they might not have any privacy or confidentiality concerns. Healthcare organizations, on the other hand, are under increasing pressure to comply with privacy and confidentiality regulations.

Comparing the HITRUST Common Security Framework and SOC 2 Reporting

The Health Information Trust Alliance (HITRUST) created the CSF Framework for use by organizations that work with health information. The CSF was developed in collaboration with healthcare and security experts, and has become the de facto standard for healthcare compliance. HITRUST has developed a standard report that provides a consistent representation of risk exposure, compliance posture and corrective actions that allow for benchmarking of results against industry best practices. The HITRUST CSF Framework and the SOC 2 reporting model are complimentary since both are facilitated through the efficient assessment and implementation of controls to satisfy the CSF.

The “SOC 2 for HITRUST” Combined Reporting Model

HITRUST and the AICPA have collaborated to develop and publish a set of recommendations to streamline and simplify the process of leveraging the CSF for SOC 2 reporting. Because some service organizations have very specific reporting formats from which they may not deviate, it was important to implement an internal control reporting structure that is efficient, yet flexible. Mapping the HITRUST CSF to the AICPA SOC 2 Trust Principles and Common Criteria is a way to provide a reporting structure that is both efficient and flexible. Under this structure of reporting, the SOC 2 for HITRUST report becomes the default method of reporting that meets a diverse range of requests. HITRUST suggests engaging a CPA who also functions as a CSF Assessor in order to enjoy the efficiency of satisfying both needs in one step.

Author Picture

Request a Quote

Get hassle-free pricing in 3 easy steps:

  • Step 1: Send us a message
  • Step 2: Allow us to create a customized plan
  • Step 3: We’ll get you an accurate, no-obligation quote

Start Here

Request a Quote

Please fill out the fields below and one of our specialists will contact you shortly. Want to speak to us now? Call us at (866) 335-6235

Request a Quote (ACTIVE)

I.S. Partners is serious about privacy. We will never share your information with third parties. Please read our Privacy Policy for more information.

I.S. Partners

Your choice regarding cookies on this site

This website stores cookies on your computer. These cookies are used to collect information about how you interact with our website and allow us to remember you. We use this information in order to improve and customize your browsing experience and for analytics and metrics about our visitors both on this website and other media. To find out more about the cookies we use, see our Privacy Policy.

If you decline, your information won’t be tracked when you visit this website. A single cookie will be used in your browser to remember your preference not to be tracked.