HITRUST vs. SOC 2 – Why Rising Chose HITRUST

There are two main certifications for data security and confidentiality, SOC 2 and HITRUST. Here’s why Rising opted to pursue the latter.

SOC 2 Overview
A Service Organization Controls (SOC) 2 audit examines the controls an organization has in place to protect and secure its system, or services used by customers or partners. An organization’s security is assessed based on the requirements within a SOC 2 examination, known as the Trust Services Criteria (TSC). The American Institute of Certified Public Accountants (AICPA) is the governing body of the SOC framework and they set the U.S. standards that auditors follow for SOC 2 examinations.

The SOC 2 report assesses if a company’s controls are appropriately designed and working under the five TSC. They include:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

Security is the only TSC that must be met in the SOC 2 report. The other four are optional but are usually added depending on the type of service(s) that an organization offers. This versatility is essential because SOC 2 reports are meant for use across all industries. No matter the nature of the business, the focus is on securing digital information.

There are two audit levels for SOC 2, Type 1 and Type 2.

  • SOC 2 Type 1 evaluates an organization’s cybersecurity controls at a single point in time. The goal is to determine whether the internal controls put in place to safeguard customer data are sufficient and designed correctly. Do they fulfill the required TSC? Type 1 audits and reports can be completed in a matter of weeks.
  • SOC 2 Type 2 examines how well a service organization’s system and controls perform over a period of time (typically 3-12 months). What is their operating effectiveness? Do they function as intended? Type 2 audits can take 12 months to complete and are costlier than Type 1 audits.

How Does SOC 1 Differ From SOC 2?
SOC 1 Type 2 is an audit Rising undergoes annually. It focuses on financial controls instead of data security. If a company uses a third-party service provider to perform crucial financial reporting processes (e.g., an outsourced payroll management system or a revenue reporting platform), the company will likely ask those service providers for a SOC 1 report. As a bill review provider conducting payment processing services on behalf of clients, Rising frequently provides our SOC 1 report to customers.

Like SOC 2, there are two levels of SOC 1 audits:

  • SOC 1 Type 1 evaluates the fairness of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description, as of a specified date.
  • SOC 1 Type 2 evaluates the fairness of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period. Type 2 audits are much more robust than Type 1. Type 2 audits actually evaluate if a company is doing what it says over a period of time.

HITRUST Overview
Founded in 2007, the Health Information Trust Alliance, or HITRUST, is a not-for-profit organization advocating programs that protect sensitive information and manage information risk.

While the HITRUST Common Security Framework (CSF) is designed for all industries, it is closely associated with the healthcare industry’s challenges, such as the numerous applications of controls specific to healthcare (e.g., HIPAA). Overall, the HITRUST framework is used as a guide by organizations that deal with electronic protected health information or ePHI. The HITRUST CSF was a response to the need to have more consistency in certifications. The aim is to have a standard regulation and risk management framework.

HITRUST CSF consolidated the varying requirements from COBITPCI, NIST, ISO, and HIPAA and checks for the following:

  • The presence of clearly defined procedures and policies
  • Capability testing to prove its implementation
  • Demonstration of a company’s ability to measure and manage these controls

Compliance with this framework ensures the protection of sensitive ePHI. This is why meeting the HITRUST CSF requirements is vital to stay on top of all relevant regulations and standards.

Essential Differences Between SOC 2 & HITRUST

Both SOC 2 and HITRUST reports revolve around the protection of sensitive personal data. One main difference is that SOC 2 is an attestation report, while HITRUST is a certification.

Attestation Report (SOC 2)
An attestation report discusses the confirmation of management that the information in the report is accurate. An independent author will then confirm this report with the help of an opinion. The opinion in the SOC 2 report can be clean, unqualified, qualified, or adverse. Qualified means that the testing cannot confirm that at least one objective has been identified by management. Adverse implies that the testing has failed to verify most of the purposes outlined by management. Even though it may seem it has an asterisk beside it, a qualified report is still reliable. But the company must follow up on it to prove that remediation steps have been undertaken to address any issues raised in the qualified report. SOC 2 reports are completed yearly and may go on from one to three months from completion to report delivery. This depends on how promptly the SOC 2 client can provide documentation and the evidence needed for testing.

Certification Report (HITRUST)
The HITRUST report differs from SOC 2 because it comes with a certification. It has more details peppered in with the report with five times more controls as it incorporates requirements from numerous standards within the HITRUST CSF. Within the HITRUST report, the organization’s management needs to submit a Letter of Representation instead of the management assertion inscribed within the SOC 2 report. This Letter of Representation is still collected within the SOC 2 report but is not included in the final report. The opinion in the HITRUST Certification letter is presented as a Letter of Certification or Letter of Validation, all dependent on the final score of the conducted assessment. The HITRUST certification has a duration of two years, with interim testing finished within a year. Because of the increased number of controls, it takes more time and significantly greater resources to complete.

Why Rising Chose HITRUST Certification
Given the volume of ePHI Rising stores and processes as part of our daily operations, it was clear that HITRUST certification would best serve our customers’ needs, and we made significant investments in infrastructure, processes, and personnel to achieve it. With five times the controls of SOC 2, achieving HITRUST Risk-based, 2-year (r2) Certification assures our clients that we are using the highest security standards to safeguard their sensitive data from ongoing digital threats facing the healthcare and insurance industries.