
Untangling HIPAA, HITRUST, and SOC 2

Posted by Sierra Labs on Sep 14, 2023 11:42:00 AM

Explore the differences and benefits of three compliance frameworks that apply to Software as a Medical Device (SaMD).


In the past decade, the healthcare industry has seen rapid adoption of regulations and compliance frameworks. This has raised the bar for companies developing medical devices, and in particular Software as a Medical Device (SaMD).

With new regulations sweeping the healthcare industry, it has become more complex for companies in the space to bring their medical devices to market. How does your product fit with these frameworks? How much time do you have? How much is it going to cost your company? This blog will break down the purpose of HIPAA, HITRUST, and SOC 2 as they pertain to your medical device.

HIPAA Compliance for SaMD

Prior to the Health Insurance Portability and Accountability Act (HIPAA), companies developing medical devices that handled sensitive patient information had no clear regulatory boundaries. HIPAA established those boundaries by defining the data in scope as protected health information (PHI). Medical records are highly sought after by attackers because of their value: a single stolen record can be used for identity theft, insurance fraud, obtaining prescription medication, or financial fraud against the patient.

By setting this baseline, HIPAA has raised the standard for medical device companies, which must now handle data carefully to avoid penalties and breaches. There are multiple areas your organization should assess to become HIPAA compliant. To learn more about best practices and the steps to achieve HIPAA compliance, check the link below:

Check out our HIPAA Checklist to see if your company is ensuring optimal compliance with HIPAA Standards.

HIPAA's Security Rule allows flexibility in how safeguards are implemented, based on the size, complexity, and resources of the organization. That flexibility is necessary, but it can also put your organization at risk. Without the right expertise it is easy to make subjective decisions based on misinformation, leaving gaps that increase your exposure and put healthcare organizations (and their patients) at risk. In particular, the Security Rule's "addressable" implementation specifications are not optional: if you decide not to implement one, you must document why it is not reasonable and appropriate for your environment and implement an equivalent alternative measure where one is reasonable.

What is HITRUST?

The Health Information Trust Alliance (HITRUST) framework was built by harmonizing existing information security standards and regulations. Its intention was to unify industry standards and give companies developing SaMD that handles sensitive data a specific, prescriptive set of controls. The HITRUST framework's purpose is to go beyond the requirements of HIPAA by incorporating regulatory standards from across the globe. With ongoing improvements by industry leaders, the HITRUST CSF has become one of the most widely adopted security frameworks in the U.S. healthcare industry.


Breaking Down HITRUST Certification

The HITRUST CSF maps each CSF control to specific HIPAA standards and implementation specifications. Each CSF control has multiple implementation levels, and the level an organization must implement is determined by risk factors such as the organization's size, the systems in scope, and the regulations that apply to it.

Organizations wanting to demonstrate compliance with HITRUST have three options within the CSF framework, known as Degrees of Assurance:

Degrees of Assurance:

  • Self-Assessment – Companies can perform a self-assessment using the myCSF tool. This assessment identifies the areas your organization must focus on to become HITRUST compliant. Validity: can be taken at any time.
  • CSF Validated – Follows a self-assessment and thorough implementation of corrective action plans (CAPAs) for any non-compliance issues identified. A HITRUST-approved CSF Assessor then reviews all documentation gathered during the assessment, including an onsite visit, and a HITRUST CSF Validated Assessment Report is generated based on the scoring criteria. Validity: one year after issuance.
  • CSF Certified – If the validated assessment meets HITRUST's scoring requirements, HITRUST issues the CSF Certification. Your organization must maintain its policies and procedures, continue to demonstrate implementation of controls, and undergo an interim assessment at the one-year mark. Validity: 24 months.

What is the difference between HITRUST and HIPAA?

While there is currently no official "HIPAA certification" to demonstrate HIPAA compliance, the HITRUST Alliance does provide a certification for organizations that successfully complete a HITRUST assessment. The HITRUST certification is essentially a badge for your company, demonstrating that it understands and maintains the activities required by regulatory standards such as HIPAA.

HIPAA is a law that carries penalties for non-compliance, but it does not prescribe a specific set of controls and offers no certification. HITRUST CSF Certification is a far more prescriptive and rigorous process because it is assessed by an independent third party against a defined set of controls. Completing HITRUST CSF Certification demonstrates that your organization not only meets the HITRUST requirements but, because the CSF maps to HIPAA's standards, has also addressed the controls needed for HIPAA compliance. Note that no certification is a legal safe harbor: HHS does not recognize any third-party certification as proof of HIPAA compliance, so you must still be able to show your own risk analysis and documented safeguards.

Importance of SOC 2 for Healthcare

System and Organization Controls 2 (SOC 2, formerly Service Organization Control 2) addresses third-party risk by having an auditor evaluate a service organization's non-financial controls, policies, and procedures against the American Institute of Certified Public Accountants' (AICPA) Trust Services Criteria. The Trust Services Criteria cover five categories:

  • Security – Is the system protected against unauthorized access?
  • Availability – Is the system available for operation and use as agreed?
  • Processing Integrity – Is system processing complete, valid, accurate, timely, and authorized?
  • Confidentiality – Is the information that’s designated as confidential protected as agreed?
  • Privacy – Is personal information collected, used, retained, disclosed, and destroyed in accordance with the entity’s privacy notice?

Security is the only mandatory category in a SOC 2 examination; the other four are included based on the commitments you make to customers. A SOC 2 Type I report covers the design of controls at a point in time, while a Type II report covers their operating effectiveness over a period (typically six to twelve months), which is why customers usually ask for a Type II. These categories overlap substantially with HIPAA's Security Rule requirements, particularly security, availability, and confidentiality. Together, a SOC 2 audit and the HITRUST CSF provide a streamlined and practical methodology for demonstrating how your organization protects protected health information (PHI) when it is created, accessed, stored, or exchanged.

It has become increasingly common for healthcare organizations to require that their vendors obtain a SOC 2 report, so that they can verify that the business associates they work with have strong security postures. If a client can't be assured that you have reliable, secure processes for protecting PHI, why would they choose to work with you?

Secure Compliance With Less Stress

As you can infer by now, achieving compliance with each of these frameworks can require a significant amount of work, especially when you lack expertise in the subject matter. Here is what we can offer your business and team.

With Sierra Labs, you can fully understand the specific requirements and options for developing audit-ready, actionable policies and procedures to become fully compliant with HIPAA, HITRUST, or SOC 2. Our team will create a regulatory roadmap for your specific business size and type to uncover the critical points that need to be improved before audits or assessments.

Sierra Services is the first step to achieving regulatory compliance. Speak with our regulatory experts and avoid the hassle of compliance obstacles on your medical device's journey to market. We will guide you every step of the way to ensure your team feels safe and confident for inspections and submissions.


Topics: SaMD, Data Security, Medical Device Company, Data Privacy, Data Requirements, SaMD Development, Software Requirement Specification, HIPAA, Personal Health Information, Health Data, HIPAA Compliance, HIPAA Checklist, Covered Entities, Business Associates, ePHI, PHI, eHealth, Health Applications, SOC 2, HITRUST, SOC, HITRUST CSF
