SOC 2 Reporting and HITRUST CSF Leveraging the Best Path to Assurance


Business associates can agree that providing assurances of the protection of systems and data is the right thing to do. Some of the biggest names in health care require that their business associates adopt the HITRUST Common Security Framework (CSF) Assurance Program.

Becoming HITRUST certified can certainly be a potential differentiator. But many business associates who’ve undergone a SOC 2 examination wonder whether that isn’t already enough to provide the assurances health care organizations are requesting.

The reason it is not enough lies in the big difference between the two services. SOC 2 is a reporting framework, while the HITRUST CSF is a control framework.

SOC 2 reports, developed by the American Institute of Certified Public Accountants (AICPA), are intended to meet the needs of a broad range of users who need information and assurance about the controls at a service organization that help maintain security, confidentiality, privacy, availability, and processing integrity—the five Trust Services Criteria (control criteria). Organizations choose which of the five criteria to report on and engage an independent service auditor to determine whether controls are properly designed and operating effectively.

In contrast, the HITRUST CSF is a prescriptive control framework designed for the health care industry. And although the service organization/business associate may define the scope of the environment to be tested, HITRUST controls must be in place and applied to that entire covered environment.

The good news is that there are synergies between the SOC 2 control criteria (and their underlying criteria) and the HITRUST CSF controls. By combining and leveraging the HITRUST CSF controls in SOC 2 engagements, business associates can realize time efficiencies and cost savings. In fact, HITRUST and AICPA have collaborated to develop and publish a set of recommendations to streamline and simplify that process.

Types of Reports

Altogether, business associates are faced with four reporting options offered by HITRUST and the AICPA, all with cost ramifications and time implications. Choosing the right one takes careful consideration.

Pick Your Path

Talking with your health care clients and conferring with a firm that is both an AICPA member and an approved HITRUST CSF assessor can give you the confidence you need to choose the right path to assurance, one that makes the most sense for your business and its bottom line.

Wipfli is proud to be an approved and accredited HITRUST CSF Assessor. As a CPA firm with professionals who’ve served as former IT leaders in health care environments, we bring best practices to help organizations make their best decisions.


Paul J. Johnson, CISSP, CCSFP, CPA