

HITRUST vs SOC 2: Leveraging the Best Path to Assurance

Apr 21, 2019

Service organizations can agree that providing assurances of the protection of systems and data is the right thing to do. Some of the biggest names in health care require that their service organizations, many defined as business associates under HIPAA, adopt the HITRUST CSF® (i.e., become HITRUST certified).

Becoming HITRUST™ certified can certainly be a potential differentiator. But many service organizations who’ve undergone a SOC 2® examination wonder whether that isn’t already enough to provide the assurances health care organizations are requesting.

HITRUST vs SOC 2

The reason it’s not enough lies in the big difference between the two services. SOC 2 is a reporting framework, while the HITRUST CSF is a control framework.

SOC 2 reports, developed by the American Institute of Certified Public Accountants (AICPA), are intended to meet the needs of a broad range of users who need information and assurance about the controls at a service organization that help maintain security, confidentiality, privacy, availability and processing integrity — the five Trust Services Criteria (TSC) categories. Organizations choose which of the five TSC categories to report on and engage an independent service auditor to determine whether controls are properly designed and operating effectively.

In contrast, the HITRUST CSF is a prescriptive control framework. And although the service organization/business associate may define the scope of the environment to be tested, HITRUST controls must be in place and applied to that entire covered environment.

The good news is that there are synergies between the SOC 2 TSC categories, along with their underlying criteria, and the HITRUST CSF controls. By leveraging controls for addressing the HITRUST CSF requirements in SOC 2 engagements, service organizations can realize time efficiencies and cost savings. In fact, HITRUST and AICPA have collaborated to develop and publish a set of recommendations to streamline and simplify that process.

Types of Reports

Altogether, service organizations are faced with four reporting options offered by HITRUST and the AICPA, all with cost ramifications and time implications. Choosing the right one takes careful consideration. The reporting options are:


Pick Your Path

Talking with your clients and conferring with a firm that is both an AICPA member and an approved HITRUST CSF assessor can give you the confidence you need to choose the right path to assurance, one that makes the most sense for your business and its bottom line.

Wipfli is proud to be a HITRUST Authorized CSF Assessor. As a CPA firm with professionals who are former IT leaders in health care environments, we bring best practices to help organizations make their best decisions. Contact us to learn more.


Paul J. Johnson, CPA