Efficiency in Reporting: SOC2 Plus HITRUST

HIPAA, ISO, and COBIT, oh my!  Companies that create, access, store or exchange personal health and financial information are feeling never-ending pressure to comply with the many federal and state regulations and standards in place today.  Additionally, many of these standards are open to interpretation and difficult to apply.  The question is: as the list of standards and regulations continues to grow, how can a company efficiently prove compliance with all of the standards that apply to it?

The Health Information Trust Alliance, or HITRUST, has developed a Common Security Framework (CSF) that provides a single overarching security framework for healthcare-relevant regulations and standards.  The purpose of the CSF is to create a common security baseline, and a resulting common way of communicating validated security controls, that encompasses many well-known standards, including HIPAA, ISO, COBIT, PCI and NIST.

The CSF is made up of 14 security Control Categories, which include 45 Control Objectives and 149 Control Specifications.  However, testing of only 64 of the Control Specifications is required for HITRUST Certification.

HITRUST Common Security Framework (CSF) Control Categories

  • Information Security Management Program
  • Access Control
  • Human Resources Security
  • Risk Management
  • Security Policy
  • Organization and Information Security
  • Compliance
  • Asset Management
  • Physical and Environmental Security
  • Communications and Operations Management
  • Information Systems Acquisition, Development and Maintenance
  • Information Security Incident Management
  • Business Continuity Management
  • Privacy Practices

Service organizations that are interested in reporting on compliance with the HITRUST CSF should consider utilizing a SOC 2 plus HITRUST report. This type of report allows companies to demonstrate compliance with the required HITRUST CSF Control Specifications in addition to the applicable trust services criteria that would be addressed in a SOC 2 report.  To ensure that the HITRUST CSF is efficiently included within a SOC 2 report, the AICPA has developed a mapping tool that maps the necessary criteria from the HITRUST CSF to the AICPA Trust Services Principles and Criteria.

The SOC2 plus HITRUST report could be your organization’s means to efficiently report on compliance with various applicable standards and regulations, while also reporting on the applicable trust services criteria.

Contact us with questions regarding the SOC2 plus HITRUST report and visit our SOC Reporting page to learn about the services that we provide.


© 2020 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
