Security & Compliance Blog

SOC 2 Audits & HITRUST CSF Assessments – Introduction and Overview

As a healthcare organization – or provider of services to the broader healthcare arena – you’ve probably come across the SOC 2 HITRUST topic. After all, in today’s world of ever-growing regulatory compliance mandates, SOC 2 HITRUST is now front and center for thousands of businesses throughout North America. NDNB, one of the country’s leading providers of security and compliance audits, offers a comprehensive introduction and overview to the SOC 2 HITRUST topic.

And with HITRUST certification comes along one of the biggest questions that healthcare organizations are asking themselves: “Should we become HITRUST CSF compliant, or should I have a CPA firm perform a SOC 2 HITRUST assessment on my organization, and what’s the difference?”

Let’s examine this question – and others – in more detail.

What is HITRUST?

According to, HITRUST, in conjunction with private sector, government, technology and information privacy and security leaders, has developed the HITRUST CSF, a certifiable framework that can be used by any organization that creates, accesses, stores or exchanges sensitive information.

Furthermore, the HITRUST CSF harmonizes multiple frameworks, standards, state, federal and international regulations and leading practices into a single framework. The HITRUST CSF addresses industry-specific challenges by leveraging and enhancing existing frameworks, standards and regulations to provide organizations of varying sizes, geographic operation and risk profiles with prescriptive implementation requirements and guidelines.

Lastly, the HITRUST CSF is a scalable, prescriptive and certifiable framework that harmonizes numerous standards, regulations, control frameworks and leading practices.

A large number of healthcare organizations undertake annual HITRUST compliance by having an independent, third-party auditor assess them against the prescriptive HITRUST CSF framework. Specifically, HITRUST CSF Certification requires the services of a HITRUST approved CSF Assessor organization. The result is a report with findings that can be given to customers, prospects, local/state/federal agencies, and other applicable entities.

Let’s not forget a much-talked-about press release in 2015, with which HITRUST gained the attention of the broader healthcare industry as the HITRUST CSF framework was anticipating heavy adoption and implementation, which has since happened. Bottom line, HITRUST CSF is the unrivaled industry leader in terms of healthcare compliance frameworks, and it’s here to stay.

What is SOC 2?

SOC 2 – System and Organization Controls (SOC) – is an auditing framework put forth by the American Institute of Certified Public Accountants for auditing service organizations. Vital to the SOC 2 framework are the Trust Services Criteria (TSC), which consist of the following:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

Specifically, according to the AICPA, SOC 2 reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.

More simply stated, SOC 2 audits (of which there are two – a SOC 2 Type 1 and a SOC 2 Type 2) effectively assert on whether the controls were designed properly (Type 1) and/or such controls operated effectively (Type 2) in accordance with the requirements put forth by the applicable trust services criteria and the related common criteria.

As stated earlier, there are five (5) trust services criteria (TSCs) against which a service organization (i.e., your business) can be assessed in a SOC 2 audit: security, availability, processing integrity, confidentiality, and privacy. The security TSC is required for SOC 2 audits; the remaining four are deemed optional, but can be added depending on the service provided.

It’s important to remember that SOC reports are very well-known in the world of auditing, and as a result, can meet a wide range of internal control compliance reporting needs for various industries. So, along comes HITRUST and now the option of having a SOC 2 HITRUST report, something that makes sense for the large number of healthcare organizations throughout North America. Let’s take a look now at what exactly SOC 2 HITRUST is.

What are the Differences Between SOC 2 and HITRUST?

Technically speaking, the biggest difference is that SOC 2 is an AICPA “attestation” report, whereas HITRUST is a “certification” report. More simply stated, the “attestation” aspect of SOC 2 compliance means that management (i.e., the service organization on which the SOC report is being performed) attests to the information contained within the actual SOC 2 report. Additionally, the independent auditor (i.e., CPA firm) ultimately confirms the attestation via an opinion letter. Now, there can be different “opinions” issued by the CPA firm, such as “unqualified”, which is a clean report, or “qualified” or “adverse”, which is generally seen as an adverse or suspect report on one’s internal control environment.

As for HITRUST, again, it’s a certification, and is without question a much more detailed report when compared to a standard, baseline SOC report. The HITRUST CSF framework simply has more controls, more detail, and more overall testing requirements than a standard, baseline SOC 2. This ultimately requires more time and effort from businesses undergoing HITRUST CSF compliance – no question about it.

Keep in mind that HITRUST has built the actual CSF framework from a variety of standards – with a heavy emphasis on ISO 27001/27002 – and the result is a set of controls far greater than a standard, baseline SOC 2.

When Combined, what is a SOC 2 HITRUST Report?

A SOC 2 HITRUST report is essentially a SOC 2 combined with the HITRUST CSF control requirements used as the basis of an organization’s cybersecurity and information framework. To support this approach, HITRUST and the AICPA have collaborated to align the Trust Services Principles and Criteria to the HITRUST CSF, which provides standard and comparable requirements for use in SOC 2 reporting. Note that only a Certified Public Accountant (CPA) or CPA firm can issue a SOC 2 HITRUST.

One of the most critical elements of performing a SOC 2 HITRUST is working with a CPA firm that can correctly map the HITRUST CSF to the SOC 2 Trust Services Principles and Criteria. NDNB has the expertise, so contact Christopher Nickell, CPA, or call him at 1-800-277-5415, ext. 706 today.

Is One Better than the Other?

This really comes down to one’s reporting requirements. So, ask yourself this: are you being required to perform an actual HITRUST CSF, or is there some degree of flexibility involved, perhaps allowing you to perform a SOC 2 HITRUST? This will ultimately determine which route to go. It’s not that one report is “better” than the other (even though the HITRUST CSF is much more comprehensive than just a baseline SOC 2 audit, a SOC 2 HITRUST holds up in stature against a HITRUST CSF); it’s just about reporting needs.

Tips in Preparing for SOC 2 HITRUST

One of the most important measures any service organization can take in preparing to undergo an initial SOC 2 HITRUST assessment is to perform a scoping & readiness assessment. Why? First, because you’ll need to assess and identify certain scoping issues, such as what information systems, personnel, physical locations, third-party providers – and more – are in scope. Second, you’ll want to identify gaps and deficiencies within your control environment that require remediation, such as policies and procedures, technical/security misconfigurations, and more.

It's also important to remember that you’ll need to perform an annual risk assessment, along with conducting annual security awareness training for your employees. These are two very important elements when it comes to SOC 2 HITRUST. NDNB has industry leading documentation that can help save you dozens of hours and thousands of dollars on SOC 2 HITRUST, so contact Christopher Nickell, CPA, or call him at 1-800-277-545, ext. 706 to learn more.

The Importance of Policies and Procedures for SOC 2 HITRUST

One of the most fundamentally important – yet often overlooked – aspects of becoming SOC 2 HITRUST compliant is documentation. Specifically, a wide range of information security and operational policies and procedures will need to be developed. Look, compliance is largely about documentation, so not having any meaningful policies and procedures in place spells big challenges for your SOC 2 HITRUST audit.

The solution? Let NDNB author your information security policies and procedures for you. We have years of experience writing documentation. Additionally, we understand SOC 2 and HITRUST very well, which allows us to save an immense amount of time and money on the exact documents you need.

NDNB. North America’s SOC 2 HITRUST Leaders

NDNB has the expertise, manpower, and knowledge when it comes to SOC 2 HITRUST reporting. Thousands of healthcare providers throughout North America are being hit hard with massive regulatory compliance reporting mandates, and SOC 2 HITRUST is fast becoming a common request. SOC 2 HITRUST compliance “can” be an expensive and time-consuming process, but not with NDNB, North America’s SOC 2 HITRUST experts. Contact Christopher Nickell, CPA, or call him at 1-800-277-545, ext. 706 to learn more.
