Currently, HITRUST is not a replacement for SOC 1 or SOC 2 examinations. HITRUST and the AICPA have recently released a mapping document that identifies the CSF controls that are mapped to SOC 2 Trust Services Principles for Security, Availability, Processing Integrity, and Confidentiality.
Privacy requirements are expected to be mapped sometime in 2016 after AICPA releases its new revision to the Trust Services Principles. According to HITRUST, the AICPA and HITRUST are working on a combined HITRUST CSF – AICPA SOC 2 reporting structure to support dual assessment and reporting. More information can be obtained from www.aicpa.org. A spreadsheet with the detailed SOC 2 to CSF mappings can also be found on the AICPA Website.
About the Author
Greg Miller is a Principal at Schellman. Greg leads the HITRUST service line. Greg has more than 20 years of combined audit experience in both public accounting and private industry.More Content by Greg Miller