Using SOC 2 to Demonstrate HIPAA Compliance

One important source of confusion with most organizations looking to pursue HIPAA compliance, is that there is no such thing as a “HIPAA certification”. Health and Human Services (HHS) has never issued or recognized any formal mechanism to achieve such certification. Instead, what you want is a legally defensible approach to “demonstrate HIPAA compliance” to your clients, prospects and regulators.

๐—›๐—ฒ๐—ฟ๐—ฒ ๐—ฎ๐—ฟ๐—ฒ ๐˜๐—ต๐—ฟ๐—ฒ๐—ฒ ๐—ผ๐—ฝ๐˜๐—ถ๐—ผ๐—ป๐˜€ ๐˜๐—ผ ๐˜€๐—ต๐—ผ๐˜„ ๐—›๐—œ๐—ฃ๐—”๐—” ๐—ฐ๐—ผ๐—บ๐—ฝ๐—น๐—ถ๐—ฎ๐—ป๐—ฐ๐—ฒ:

1) Formal HIPAA Opinion (Most Assurance, Biggest Audit Burden)

Your first option is to ask your SOC 2 audit firm for a formal HIPAA opinion under the AICPA’s audit standards. In this option, your audit firm will align your SOC 2 controls (possibly with additional controls) to the HIPAA requirements and perform formal audit testing against those controls. The end result will be a formal audit opinion/audit report stating that your firm’s controls are in alignment with HIPAA and operating effectively. This approach is recommended if you have clients or prospects demanding a high degree of assurance that you are compliant with HIPAA.

2) Include a HIPAA Mapping in Section 5 of your SOC 2 Report (Moderate Assurance, Moderate Audit Burden)

Your second option is to map your existing SOC 2 controls to HIPAA requirements and include a table with that mapping in section 5 of your SOC 2 report. Section 5 of a SOC 2 report permits an organization to communicate additional (non-audited) information to the reader of the report. A popular option is to include a mapping to HIPAA as a demonstration of compliance. This allows your customers to read your SOC 2 report and get a sense of how that helps you achieve HIPAA compliance.ย  From our experience, most clients and prospects will accept this as a form of “evidence” of HIPAA compliance.

3) Self Attest that you are Compliant with HIPAA (Least Assurance, Moderate Work)

Your third option is to do all the work to become compliant with HIPAA – then just communicate you are compliant. The downside of this approach is that “saying you are compliant” doesn’t give your clients or stakeholders the same level of confidence as third-party independent assurance. ย This approach is generally acceptable only for organizations whose clients and prospects donโ€™t consider HIPAA compliance as essential to their overall business strategy.


There is no true HIPAA certification. However, there are two ways you can use your SOC 2 report to demonstrate HIPAA compliance; a formal HIPAA opinion, or a HIPAA mapping in Section 5.ย  Last, and least assurance, you can implement HIPAA compliance and then self-attest to your clients and prospects.