HITRUST and AICPA Develop a ‘SOC 2 for HITRUST’ Converged Reporting Model to Improve Efficiency and Reduce Costs

HITRUST and The American Institute of CPAs (AICPA) have collaborated to develop and publish a set of recommendations to streamline and simplify the process of leveraging the HITRUST CSF and CSF Assurance programs for SOC 2 reporting.

What is a SOC 2?

A SOC 2 report is intended to meet the needs of a broad range of users that need to understand internal control at a service organization as it relates to one or more of the American Institute of Certified Public Accountants’ (AICPA’s) Trust Services principles of Security, Availability, Processing Integrity, Confidentiality or Privacy. These reports are performed using the AICPA Guide: Reporting on Controls at a Service Organizations Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy and are intended for use by stakeholders (e.g., customers, regulators, business partners, suppliers, directors) of the service organization that have a thorough understanding of the service organization and its internal controls. A SOC 2 examination is similar in structure and general approach to SOC 1 reporting (legacy SAS70), but also allows the flexibility to incorporate additional suitable criteria, for example, around adherence to public, industry-specific frameworks such as the HITRUST CSF.

Increasing Demand for Third-Party Internal Control Reporting

Cyber security is at the top of the minds of management, boards and regulators. With the impact of regulatory oversight such as the Department of Health and Human Services’ (HHS) Omnibus rules, organizations are under increasing pressure to demonstrate that they have taken appropriate measures to:

  • Secure their environment
  • Be vigilant in anticipating what might occur in the evolving security landscape
  • Implement appropriate measures to detect and react to existing and emerging threats
  • Be resilient in their ability to recover operations when a security incident does occur

Healthcare entities and related business associates (e.g., health plans, healthcare clearinghouses, exchanges, healthcare providers, and organizations that conduct certain financial, research, and administrative functions) are being asked with increased frequency to demonstrate that they meet the common security and privacy requirements such as the HIPAA Security & Privacy Rules, NIST, ISO, PCI and other standards. These entities are often replying to more than 200 individual audit requests and customer questionnaires in response to request for proposals every year, many requiring a separate analysis and response to the same or overlapping questions. In addition, entities respond to these third-party requests in a multitude of forms and reporting formats. These requests may sound like the following:

“We need to see your…
…HITRUST Self-Assessment Report.”
…HITRUST Verified Report.”
…HITRUST Certified Report.”
…SSAE16/SOC1 Report.”
…responses to our questionnaire.”
…documented processes and procedures.”
…SOC 2 report.”

Although HITRUST has worked within the healthcare industry to establish an industry-accepted standard of reporting, various customers— some of whom are outside the healthcare industry—request multiple reporting formats. Therefore, entities need to be prepared to efficiently respond to all types of requests.

What is the answer?

Given a SOC 2 is a reporting format and not a security framework, the best answer is to issue a SOC 2 report on the HITRUST CSF control requirements used as the basis of your organization’s cybersecurity and information protection program. To support this approach, HITRUST and the AICPA have collaborated to align the Trust Services Principles and Criteria to the HITRUST CSF, which provides standard and comparable requirements for use in SOC 2 reporting.

“I thought HITRUST would meet my third-party reporting needs”

HITRUST has developed a standard report that provides a consistent representation of risk exposure, compliance posture and corrective actions that allow for benchmarking of results against security practices at similar organizations in the industry. However, as noted previously, requests come in for other reporting attributes, such as response to security questionnaires, requests for proposals, description of processes and controls implemented to satisfy the CSF, and assurance that controls have operated, as designed, for a fixed and continuous period of time (e.g., a rolling six- or twelve-month reporting cycle). Therefore, the HITRUST reporting model and the SOC 2 reporting model are complementary since both are facilitated through the efficient assessment and implementation of controls to satisfy the CSF.

Determine the most efficient and effective method(s) of internal control reporting

Knowing that some third-parties will have very specific reporting formats from which one may not deviate, it is important to implement a third-party internal control reporting structure that is efficient, yet flexible. Mapping the HITRUST CSF to the AICPA Trust Principles and Criteria used in SOC 2 reporting is a way to provide that efficient and flexible structure. Under this structure of reporting, the SOC 2 for HITRUST report becomes the default method of reporting to meet the widest range of requests.

For those third parties wanting to determine your maturity against the HITRUST CSF, HITRUST has self-assessment, validated or certified reports available. In the case of HITRUST validated or certified reports, you can engage a CSF Assessor that is also a CPA, thereby gaining the efficiency of testing once to satisfy both HITRUST and SOC 2 reporting needs.

Lastly, for those third-parties requiring specific responses in their pre-defined format (e.g., security questionnaires), you can map your SOC 2 HITRUST controls as responses to specific questions the third-party may be requesting, with the full SOC 2 report as a supporting reference document.


The benefits of a SOC 2 for HITRUST converged reporting model

For decades, the AICPA has been the recognized professional body for providing assurance around both financial reporting and outsourced operations. Incorporating HITRUST with an AICPA-recognized reporting model strengthens the framework’s impact to the marketplace. Benefits include the following:

  • Extends the AICPA’s recognized standard for assurance around financially significant outsourced services (SSAE 16/SOC 1) to operational areas of interest to your customers (SOC 2)
  • Offers significant time efficiencies and cost savings due to use of CSF controls to provide the prescription necessary to fully evaluate the Trust Services Principles
  • Reduces the burden of multiple control frameworks and reporting requirements
  • Provides one broad, scalable and up-to-date framework that is relevant to their organization and may be leveraged to meet the wide and varied array of information protection requirements

Benefits to report issuers:

  • Save on time and costs. Reduces time spent by internal resources responding to multiple redundant individual requests. Decreases the number of individual audits that your organization undergoes
  • Feel the synergy. Gains efficiencies by implementing a SOC 2 report that leverages the work invested in your HITRUST CSF-based security program
  • Increase customer satisfaction. Increases ability to provide a customer the information that they want – in the format they desire

Benefits to report recipients:

  • Meets your varied requests. Whether the request is for a HITRUST report, SOC 2 report, or both, a report will be available to meet your needs
  • Recognizes a standard in assurance reporting. Alignment with recognized AICPA reporting formats allows for streamlined adoption of a SOC 2 for HITRUST report within a recipient’s existing internal control monitoring processes

View this press release for more information.