SOC 2 vs HIPAA

1. Breach notifications

SOC 2 has no specific breach notification requirements, but HIPAA sure does. HIPAA’s breach notification rule specifies how and when to notify patients, the media, and the Department of Health and Human Services (HHS). This is a key element your auditor will look at if you add HIPAA to your SOC 2+.

2. Government mandate

SOC 2 is an optional compliance framework that many clients ask for. HIPAA, on the other hand, is a government-mandated set of rules for anyone who handles protected health information. It is not optional by any stretch of the imagination.

This means if you handle protected health information and don’t comply with HIPAA, you are in danger of substantial fines and potential legal issues. With SOC 2, the primary danger of noncompliance is losing customers’ trust and ultimately their business.

3. Data types

HIPAA’s protections extend to a very specific set of data: protected health information. This is defined as patient data that relates to past, present, or future physical or mental health or healthcare payment. If you touch any of that data, you are obligated to comply with HIPAA.

SOC 2, on the other hand, is not specific to a certain type of data.

4. Data Retention Rate

For HIPAA is min of 6 years, for SOC 2 – it depends on requirements of the company/clients but 1 year will do for most cases

This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. The federal requirement is six (6) years retention of documentation, but your state or jurisdiction may have additional requirements.
HIPAA: §164.316(b)(2)(i) / NIST CSF: ID.BE, ID.RM, PR.IP

PTG Blog

Get email alerts when we publish new blog articles!

more blog posts:

Cloud Security

MITRE ATT&CK Tactics

The Adversarial Tactics, Techniques, and Common Knowledge or MITRE ATT&CK is a guideline for classifying and describing cyberattacks and intrusions.

Read More
shallow focus photography of computer codes
Cloud Security

What is Threat Hunting?

Threat Hunting is a creative process. One’s abilities to think abstractly, challenge ideas, and be unafraid of failure lead to more knowledge and breakthroughs than someone who does everything the same way every time.

Read More
SOC 2

SOC 2 Security Policies

This is a sample list of possible security policies that your organization needs to apply. The exact list needs to be determined based on your

Read More