Frameworks Explained
SOC 2 + HIPAA (Combined Engagement)
For organizations handling both sensitive client data and protected health information, running SOC 2 and HIPAA together is the most efficient path to dual compliance. A combined engagement maps overlapping controls once, shares evidence across both frameworks, and coordinates review cycles — so your clients demonstrate security and regulatory readiness without running two separate audits.
SOC 2 evaluates a service organization's data security, availability, processing integrity, confidentiality, and privacy controls under the AICPA Trust Services Criteria. HIPAA establishes federal requirements for protecting patient health information (PHI) through administrative, physical, and technical safeguards. Together, they address the full compliance picture for healthcare-adjacent organizations and technology providers serving covered entities.
Who is the target audience for a SOC 2 + HIPAA combined engagement, and which industries does it serve?
Healthcare technology companies, health IT vendors, SaaS platforms serving hospitals or insurers, business associates under HIPAA, and any organization that stores, processes, or transmits PHI while also needing to demonstrate security and trust to enterprise clients.
Does it apply to my organization?
You likely need both if you:
Are a business associate or subcontractor under HIPAA handling PHI
Serve healthcare providers, payers, or clearinghouses and receive enterprise security questionnaires or SOC 2 requests
Need to demonstrate both regulatory compliance (HIPAA) and security best practices (SOC 2) to prospects and clients
Want to reduce the total audit burden by combining overlapping control work into a single engagement
Often not required when:
Your platform has no contact with PHI and serves outside the healthcare sector
You only need SOC 2 for non-healthcare enterprise clients with no HIPAA obligations
What are the benefits and risks of conducting a SOC 2 + HIPAA combined engagement?
Eliminate duplicate work: Overlapping controls — access management, encryption, incident response, audit logging — are documented and tested once, satisfying requirements for both frameworks simultaneously
Shared evidence collection: A single evidence request to your clients covers both SOC 2 and HIPAA requirements, reducing back-and-forth and shortening total cycle time
Unified reporting: Deliver a combined report package that satisfies enterprise procurement, covered entity due diligence, and regulatory requirements in one engagement
Cost efficiency: Combined engagements typically cost 30–40% less than running SOC 2 and HIPAA independently with separate auditors and timelines
Stronger market positioning: Signal to healthcare clients that your organization takes both security and regulatory compliance seriously — in a single, credible report package
Audora workflow advantage: Run both frameworks in one Audora workspace with coordinated evidence collection, unified control mapping, and simultaneous reviewer sign-offs
What are the core SOC 2 + HIPAA combined engagement requirements?
Trust Services Criteria (TSC) scoping — Security is required; Availability, Confidentiality, Processing Integrity, and Privacy are additive based on client needs
System description covering services, boundaries, subservice organizations, and complementary user entity controls (CUECs)
Control mapping to TSC criteria with versioned evidence and period testing
Type I (design at a point in time) or Type II (design + operating effectiveness over 6–12 months)
Independent CPA attestation and restricted-use report
HIPAA components:
Administrative safeguards: risk analysis, workforce training, access management policies, contingency planning
Physical safeguards: facility access controls, workstation use policies, device and media controls
Technical safeguards: access controls, audit controls, integrity controls, transmission security (encryption)
Business Associate Agreement (BAA) documentation and subcontractor management
PHI-specific evidence: breach notification procedures, minimum necessary standards, audit logs for PHI access
Overlapping controls addressed once:
Identity and access management (MFA, least privilege, access reviews)
Encryption at rest and in transit
Incident response and breach notification procedures
Audit logging and monitoring
Vendor/subservice organization management
Change management and patching
Business continuity and disaster recovery
What are the general guidelines for executing a SOC 2 + HIPAA combined engagement?
Map the overlap first: Before scoping, identify controls that satisfy both SOC 2 TSC criteria and HIPAA safeguards — this is where the efficiency gain lives. Typically 40–60% of controls are shared
Define PHI scope clearly: Identify all systems, data flows, and personnel that touch PHI; this boundary drives the HIPAA technical safeguard scope
Align Type selection with HIPAA timing: HIPAA assessments are ongoing rather than period-bound, so a SOC 2 Type II engagement (6–12 month period) is the natural pairing for a meaningful combined report
Single evidence request cadence: Use Audora to send unified evidence requests that tag artifacts to both SOC 2 criteria and HIPAA safeguards simultaneously — clients respond once
Coordinate walkthroughs: Schedule SOC 2 and HIPAA walkthroughs in the same sessions with the same SMEs where controls overlap; separate only where frameworks diverge
BAA and subservice alignment: Ensure all subservice organizations have BAAs in place and obtain bridge letters or vendor SOC reports covering the engagement period
Readiness assessment: Run a combined gap assessment before fieldwork begins — identify controls that are strong for one framework but weak for the other
Reporting strategy: Decide upfront whether to issue a single combined report or two separate reports issued together; discuss with your CPA/assessor what format best serves your client base
What are estimated timelines to complete a SOC 2 + HIPAA combined engagement?
Type I + HIPAA Assessment (point-in-time):
Startup: 8–12 weeks
Small: 10–16 weeks
Medium: 14–20 weeks
Large: 18–26 weeks
Type II + HIPAA Assessment (6–12 month SOC 2 period):
Startup: 8–12 months total
Small: 10–14 months
Medium: 10–16 months
Large: 12–18 months
Note: Combined timelines are typically 20–30% shorter than running SOC 2 and HIPAA sequentially due to shared scoping, evidence collection, and walkthrough sessions.
What are the typical costs?
Costs vary by organization size, PHI scope, and readiness. Ranges below reflect a combined SOC 2 + HIPAA engagement (Type I / Type II):
Startups (1–25 employees, single product, 1 environment): $20k–$45k / $45k–$80k
Small (<100 employees, 1–2 products, low vendor count): $35k–$70k / $65k–$120k
Medium (100–1,000 employees, multi-product, multi-region): $65k–$130k / $130k–$240k
Large (>1,000 employees, complex environment, high vendor count): $130k–$260k+ / $260k–$500k+
Ranges include readiness, combined audit/assessment fees, and operating period where applicable. Costs are USD and assume a single CPA firm or assessor conducting both. PHI scope size and number of BAAs materially affect HIPAA cost.
Where to Learn More
HHS HIPAA Security Rule Guidance — https://www.hhs.gov/hipaa/for-professionals/security
AICPA SOC 2 Resources — https://www.aicpa-cima.com/resources/landing/soc-suite-of-services
OCR Guidance on Business Associates — https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates
Ready to run a SOC 2 + HIPAA combined engagement in Audora?