866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

HITRUST meets SOC 2: Relationship Advice Blog Feature

By: Schellman Compliance

Print/Save as PDF

HITRUST meets SOC 2: Relationship Advice

Healthcare Assessments | SOC Examinations

HITRUST, or the Health Insurance Trust Alliance, is a security organization and the creator of the Common Security Framework (CSF), "a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health, and financial information." Also, HITRUST developed a standard security report that addresses risk and compliance issues and helps compare security issues for an organization with others across the industry.

However, when an outside entity seeks information additional to what the HITRUST validated report contains, the reporting mechanism needs to be flexible enough to address other questions, respond to specific security questionnaires, and provide information that others request. To accomplish this, HITRUST has teamed up with the AICPA to add the ability for a Security Organization Controls (SOC) reporting mechanism to complement the HITRUST validated report or serve as an alternate reporting mechanism to the HITRUST validated report.

Reporting Framework for HITRUST and the AICPA

Recently the AICPA announced a collaboration with HITRUST to develop a SOC 2 report that incorporates the HITRUST Common Security Framework (CSF). The CSF was built upon other security requirements that include HIPAA, HITECH, PCI, COBIT, NIST and FTC. The AICPA HITRUST working group has developed an illustrative SOC 2 report and performed a mapping between the current TSP Section 100 and the HITRUST CSF version 7.

As shown on the mapping document, HITRUST has determined the CSF controls that would apply to each of the criteria within the TSP Section 100. These controls would be tested in a SOC 2 examination by a CPA firm for fairness of presentation and suitability of design (Type 1) or additionally for operating effectiveness (Type 2) according to AICPA standards. One important note is that even though the reporting mechanism is per AICPA standards, the content of the CSF is licensed HITRUST material that can only be utilized for reporting purposes by organizations that have a license to utilize the CSF.

While the CSF content is similar for a HITRUST assessment and the SOC 2 examination, the reporting options will address controls in a different manner. A HITRUST validated assessment relies on a PRISMA scoring model for control maturity levels and allows associated corrective action plans (CAPs) for controls lacking in a minimum maturity level. Conversely, the SOC 2 report does not incorporate either the PRISMA maturity scoring or CAPs as part of the audited section of the report. Information related to HITRUST control maturity scoring or CAPs would be considered as “unaudited” information provided by management in the SOC 2 report.

What Does the SOC 2 Report Add?

A SOC 2 report expands beyond the standard HITRUST reporting to provide information on a service organization’s controls relevant to one or more of the Trust Services Principles and Criteria for specific users or knowledgeable parties. The AICPA has published some guidance on preparing such a report, commonly referred to as a SOC 2 + Additional Subject Matter report. The guidance outlines example SOC 2 engagements for varying types of subject matter. It also describes the requirements of the service organization when additional subject matter is included in the scope of the engagement.

The AICPA states that the following is required for a service auditor to report on the additional subject matter:

  1. An appropriate supplemental description of the subject matter;
  2. A description of the criteria used to measure and present the subject matter; and
  3. If the criteria are related to controls, a description of the controls intended to meet the control-related criteria and an assertion by management regarding the additional subject matter or criteria.

Implementing the SOC 2 Examination

The SOC 2 examination should not appear as an obstacle but as a complement to a HITRUST validated assessment already in place or an alternate to a HITRUST validated assessment. The audit examination should be according to the AICPA's AT Section 101 and SOC 2 guide. The resulting report will provide auditors, customers, and regulators a greater comfort level as to the security, availability, processing integrity, and confidentiality controls relating to the personal health and financial information in place within the organization.

New Call-to-action

Authors

headshot-zaller-about.pngDebbie Zaller
Debbie is a Principal at Schellman, with over 15 years of IT attestation experience. Debbie currently spearheads the Schellman SOC 2 practice, where she is responsible for internal training, methodology creation, and quality reporting. Debbie also currently serves on the Florida Institute of Certified Public Accountants’ Finance and Office Advisory Committee and was a past member of the Board of Governors.

headshot-nelson-sm.pngGary Nelson
Gary is a Senior Manager at Schellman, with over 14 years of experience. He has experience providing both IT audit and IT consulting services, including financial audit support, IT risk assessments, process and control reviews, revenue assurance projects, IT contract compliance reviews, application and platform security reviews, firewall and network perimeter security reviews, and IT security and risk management policies development and implementation. Gary has provided professional services for multiple Global 1000, Fortune 500, and regional companies during the course of his career.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.