SOC 2 vs HIPAA

1. Breach notifications

SOC 2 has no specific breach notification requirements, but HIPAA sure does. HIPAA’s breach notification rule specifies how and when to notify patients, the media, and the Department of Health and Human Services (HHS). This is a key element your auditor will look at if you add HIPAA to your SOC 2+.

2. Government mandate

SOC 2 is a voluntary attestation framework (an AICPA standard) that many clients ask for. HIPAA, on the other hand, is a government-mandated set of rules for covered entities and their business associates, that is, anyone who handles protected health information on their behalf. It is not optional by any stretch of the imagination.

This means if you handle protected health information and don’t comply with HIPAA, you are in danger of substantial fines and potential legal issues. With SOC 2, the primary danger of noncompliance is losing customers’ trust and ultimately their business.

3. Data types

HIPAA’s protections extend to a very specific set of data: protected health information (PHI). This is individually identifiable health information that relates to a person’s past, present, or future physical or mental health condition, the provision of health care to that person, or payment for that care. If you create, receive, maintain, or transmit any of that data as a covered entity or business associate, you are obligated to comply with HIPAA.

SOC 2, on the other hand, is not specific to a certain type of data.

4. Data retention period

HIPAA sets a minimum of six years; SOC 2 sets no fixed period, so retention depends on the requirements of the company and its clients, and a one-year policy covers a typical Type II audit window for most cases.

For HIPAA, the federal requirement is that required documentation (policies, procedures, and records of required actions, activities, and assessments) be retained for six (6) years from the date of its creation or the date it was last in effect, whichever is later. Your state or jurisdiction may impose additional or longer requirements, particularly for the medical records themselves.
HIPAA: §164.316(b)(2)(i) / NIST CSF: ID.BE, ID.RM, PR.IP

13 Security Blog
