Your head start is real
Most companies approaching SOC 2 for the first time are building a security program from scratch. You're not. If you've done HIPAA's Security Rule properly — documented policies, technical safeguards in place, risk assessments completed, BAAs signed — you've already built the foundation that SOC 2 sits on.
How much of SOC 2 Common Criteria does HIPAA cover?
The number isn't exact — it depends on how thoroughly you've implemented your HIPAA program and which SOC 2 Trust Service Criteria you scope in. But the core point holds: the work you've already done eliminates the hardest, most time-consuming parts of a SOC 2 program. What remains is more targeted than most people expect.
The honest frame: HIPAA gave you the controls. SOC 2 asks you to prove they ran — consistently, with documented evidence, over a 6-month window. The gap is usually less about building new controls and more about tightening operations and improving documentation.
How HIPAA controls map to SOC 2
SOC 2's Security criterion is organized around Common Criteria (CC). Here's how your HIPAA Security Rule safeguards map across:
| Control Area | HIPAA Security Rule | SOC 2 CC | Coverage |
|---|---|---|---|
| Access management | §164.312(a) — Access control | CC6.1, CC6.2, CC6.3 | Strong |
| Encryption at rest | §164.312(a)(2)(iv) — Encryption | CC6.1, CC6.7 | Strong |
| Encryption in transit | §164.312(e)(2)(ii) — Transmission security | CC6.7 | Strong |
| Audit logging | §164.312(b) — Audit controls | CC7.2, CC7.3 | Strong |
| Incident response | §164.308(a)(6) — Security incident procedures | CC7.3, CC7.4, CC7.5 | Strong |
| Risk assessment | §164.308(a)(1) — Risk analysis | CC3.1, CC3.2, CC9.1 | Strong |
| Workforce training | §164.308(a)(5) — Security awareness | CC1.4, CC2.2 | Strong |
| Physical security | §164.310 — Physical safeguards | CC6.4 | Strong |
| Vendor management | §164.308(b) — Business associates | CC9.2 | Partial |
| Change management | Not specifically required | CC8.1 | Gap |
| Access reviews (cadence) | §164.308(a)(3) — Workforce access, no cadence specified | CC6.2, CC6.3 | Partial |
| System description | Not required | Required for report | New |
| Availability monitoring | §164.308(a)(7) — Contingency plan | A1.1, A1.2 (if Availability TSC) | Partial |
The gaps you actually need to close
For most HIPAA-compliant companies, the SOC 2 gaps cluster around a handful of predictable areas. None of them require building new technical infrastructure — they're process and documentation gaps.
1 Change management
HIPAA doesn't require a formal change management process. SOC 2 CC8.1 does — you need documented approval workflows for system changes, with evidence showing the process was followed throughout the observation period.
2 Structured access reviews
HIPAA requires workforce access management but doesn't specify a review cadence. SOC 2 auditors expect quarterly logical access reviews with evidence: user lists, reviewer sign-offs, and deprovisioning tickets for removed accounts.
3 Vendor risk program
BAAs satisfy HIPAA's business associate requirements, but SOC 2's CC9.2 expects a broader vendor risk management program — risk tiering of vendors, annual reviews, and documented security assessments for high-risk vendors.
4 System description document
Every SOC 2 report requires a formal system description: the boundaries of your system, the Trust Service Criteria in scope, infrastructure components, and principal service commitments. HIPAA has no equivalent requirement.
5 Monitoring evidence cadence
HIPAA requires audit logging; SOC 2 auditors want proof your team is actually reviewing those logs. Security alert reviews, anomaly investigations, and monitoring reports — documented regularly throughout the 6-month window.
6 COSO / organizational controls
SOC 2's CC1 covers organizational controls — code of conduct, organizational structure, background checks, performance management. HIPAA touches some of this via workforce procedures but often not at the depth SOC 2 expects.
The gap that catches most teams off guard: it's not the technical controls — it's the evidence. SOC 2 auditors pull samples across the entire observation period. Your controls need to have been running consistently and generating time-stamped evidence from day one of the window. HIPAA assessors often accept that a control exists; SOC 2 auditors need to see it operate.
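The practical way to avoid that surprise is to check your own evidence trail against the window before the auditor does. The script below is an added example (not part of the original article or any vendor's tooling): it takes a list of dated evidence artifacts, one assumed maximum cadence per control, and the observation window, and reports every stretch where a control has no evidence for longer than its cadence allows, including the stretch from day one of the window to the first artifact. The control names, cadences and evidence records are constructed sample values, not figures from the article.

```python
"""Added example: evidence-cadence coverage check over a SOC 2 observation window.
Control names, cadences and the evidence list are constructed assumptions."""
from datetime import date, timedelta

WINDOW_START, WINDOW_END = date(2024, 1, 1), date(2024, 6, 30)  # assumed 6-month window

# Maximum allowed days between consecutive pieces of evidence (assumed cadences).
CADENCES = {
    "access_review": 92,         # quarterly
    "monitoring_review": 14,     # fortnightly security alert review
    "vulnerability_scan": 31,    # monthly
    "change_management": 31,     # at least one approved change ticket a month
    "training_completion": 366,  # annual, so at least once inside the window
}


def _every(start, step_days, until):
    """Yield dates from start, every step_days, up to and including until."""
    d = start
    while d <= until:
        yield d
        d += timedelta(days=step_days)


# Constructed evidence log. One fortnightly review is missing (2024-02-19),
# scans stop in May, one scan predates the window, and there are no change tickets.
EVIDENCE = (
    [{"control": "access_review", "date": "2024-03-28", "ref": "AR-2024Q1"},
     {"control": "access_review", "date": "2024-06-27", "ref": "AR-2024Q2"},
     {"control": "training_completion", "date": "2024-05-20", "ref": "LMS-export"},
     {"control": "vulnerability_scan", "date": "2023-12-20", "ref": "scan-pre-window"}]
    + [{"control": "monitoring_review", "date": d.isoformat(), "ref": f"SOC-{d}"}
       for d in _every(date(2024, 1, 8), 14, WINDOW_END) if d != date(2024, 2, 19)]
    + [{"control": "vulnerability_scan", "date": date(2024, m, 15).isoformat(), "ref": f"scan-{m}"}
       for m in range(1, 6)]
)


def coverage_gaps(evidence, cadences, window_start, window_end):
    """Map each control to a list of gap descriptions; an empty list means fully covered."""
    by_control = {c: [] for c in cadences}
    for item in evidence:
        d = date.fromisoformat(item["date"])
        # Auditors sample inside the window, so evidence dated outside it does not count.
        if item["control"] in by_control and window_start <= d <= window_end:
            by_control[item["control"]].append(d)

    report = {}
    for control, max_gap in cadences.items():
        dates = sorted(by_control[control])
        if not dates:
            report[control] = ["no evidence dated inside the observation window"]
            continue
        # Check the lead-in from day one, every consecutive pair, and the tail to window end.
        checkpoints = [window_start] + dates + [window_end]
        gaps = []
        for a, b in zip(checkpoints, checkpoints[1:]):
            span = (b - a).days
            if span > max_gap:
                gaps.append(f"{span} days between {a} and {b} exceeds the {max_gap}-day cadence")
        report[control] = gaps
    return report


def audit_ready(report):
    """True only when every control has an empty gap list."""
    return all(not gaps for gaps in report.values())


if __name__ == "__main__":
    result = coverage_gaps(EVIDENCE, CADENCES, WINDOW_START, WINDOW_END)
    for control, gaps in result.items():
        print(control, "OK" if not gaps else gaps)
    print("audit ready:", audit_ready(result))
```

Run it monthly during the window rather than once at the end: a gap found in month two can still be closed by running the control and recording it, while a gap found at fieldwork becomes an exception in the report.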
Documentation uplift
You don't need to rewrite your HIPAA policies — you need to extend them. The goal is a single policy library that satisfies both frameworks, with SOC 2 language layered in where HIPAA didn't require it.
The policies most likely to need updates:
- Access management policy — Add a change management section covering approval workflows, testing requirements, and emergency change procedures.
- Workforce security policy — Specify the quarterly access review cadence, who owns it, and what evidence must be retained.
- Vendor management policy — Expand from BAA requirements to a full risk tiering model. Define how you classify vendors, what due diligence each tier requires, and how often you re-assess.
- Incident response plan — Your HIPAA IR plan is probably solid. Make sure it explicitly covers the SOC 2 CC7.3–CC7.5 requirements: severity classification, escalation paths, post-incident review, and customer notification commitments.
What SOC 2 auditors want that HIPAA assessors don't
This is where HIPAA-compliant companies most often get surprised. HIPAA assessors tend to review documentation and interview your team. SOC 2 auditors do that too — but they also pull operational evidence samples and test whether controls ran throughout the observation period.
Build a habit of collecting and retaining this evidence from the moment your observation period starts:
- Quarterly access reviews — Exported user lists, reviewer sign-off records, and closed tickets showing deprovisioned users were removed within your defined SLA.
- Change management tickets — Every system change approved through your change management process, with approver, date, and testing sign-off.
- Security monitoring reviews — Meeting notes, alert summaries, or SIEM reports showing your team reviewed security events on a regular cadence.
- Vendor assessments — Completed security questionnaires or reviews for your high-risk vendors, dated within the audit window.
- Training completions — Records showing all employees completed security awareness training during the observation period.
- Vulnerability scan results — Regular scan reports and evidence that findings were triaged and remediated within your defined SLAs.
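The quarterly access review is the evidence item most teams have to build from nothing, so here is what the underlying check looks like in code. This is an added example, not part of the original article or any product: it takes a user export from one in-scope system, the HR roster with termination dates, and the roles recorded at the previous review, then produces a dated, signed review record listing orphaned accounts, terminated users whose access outlived the deprovisioning SLA, and role changes the reviewer must confirm. The field names, the 5-calendar-day SLA and all accounts are constructed assumptions, not values taken from the article.

```python
"""Added example: quarterly logical access review with deprovisioning SLA check.
Field names, the SLA value and every account below are constructed assumptions."""
from dataclasses import dataclass, asdict
from datetime import date, datetime, timezone

DEPROVISION_SLA_DAYS = 5  # assumed policy SLA in calendar days, not from the article


@dataclass
class Finding:
    username: str
    issue: str   # orphaned | active_after_termination | sla_missed | role_changed | new_since_last_review
    detail: str


def review_access(users, hr_roster, previous_roles, review_date, sla_days=DEPROVISION_SLA_DAYS):
    """Return the findings the reviewer must act on or explicitly sign off for one system."""
    hr = {p["email"]: p for p in hr_roster}
    findings = []
    for acct in users:
        name = acct["username"]
        person = hr.get(acct["email"])
        if person is None:
            # No HR owner: remove the account or record a named owner for it.
            findings.append(Finding(name, "orphaned", "no HR record or named owner"))
            continue
        if person.get("terminated_on"):
            term = date.fromisoformat(person["terminated_on"])
            if acct["status"] == "active":
                days = (review_date - term).days
                findings.append(Finding(name, "active_after_termination",
                                        f"still active {days} days after termination"))
            else:
                days = (date.fromisoformat(acct["disabled_on"]) - term).days
                if days > sla_days:
                    findings.append(Finding(name, "sla_missed",
                                            f"disabled {days} days after termination, SLA is {sla_days}"))
            continue
        prev = previous_roles.get(name)
        if prev is None:
            findings.append(Finding(name, "new_since_last_review",
                                    f"role {acct['role']}; confirm the access request"))
        elif prev != acct["role"]:
            findings.append(Finding(name, "role_changed",
                                    f"{prev} -> {acct['role']}; confirm approval"))
    return findings


def build_review_record(system, users, findings, reviewer, review_date):
    """The artifact to retain: who reviewed which system, when, and what was found."""
    sla_issues = {"active_after_termination", "sla_missed"}
    return {
        "control": "quarterly logical access review",
        "system": system,
        "review_date": review_date.isoformat(),
        "accounts_reviewed": len(users),
        "findings": [asdict(f) for f in findings],
        "sla_exceptions": sum(f.issue in sla_issues for f in findings),
        "reviewer": reviewer,
        "signed_off_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


# Constructed sample inputs: a user export, the HR roster, and roles at the last review.
USERS = [
    {"username": "alice", "email": "alice@example.com", "role": "admin", "status": "active"},
    {"username": "bob", "email": "bob@example.com", "role": "engineer", "status": "disabled", "disabled_on": "2024-03-04"},
    {"username": "carol", "email": "carol@example.com", "role": "engineer", "status": "active"},
    {"username": "svc-backup", "email": "svc-backup@example.com", "role": "service", "status": "active"},
    {"username": "dave", "email": "dave@example.com", "role": "engineer", "status": "disabled", "disabled_on": "2024-03-20"},
    {"username": "erin", "email": "erin@example.com", "role": "engineer", "status": "active"},
]
HR_ROSTER = [
    {"email": "alice@example.com", "terminated_on": None},
    {"email": "bob@example.com", "terminated_on": "2024-03-01"},
    {"email": "carol@example.com", "terminated_on": "2024-03-10"},
    {"email": "dave@example.com", "terminated_on": "2024-03-05"},
    {"email": "erin@example.com", "terminated_on": None},
]
PREVIOUS_ROLES = {"alice": "engineer", "bob": "engineer", "carol": "engineer"}
REVIEW_DATE = date(2024, 3, 31)


def run_sample_review():
    findings = review_access(USERS, HR_ROSTER, PREVIOUS_ROLES, REVIEW_DATE)
    return build_review_record("prod-console", USERS, findings, "security-lead@example.com", REVIEW_DATE)


if __name__ == "__main__":
    import json
    print(json.dumps(run_sample_review(), indent=2))
```

Keep the emitted record alongside the raw user export and the deprovisioning tickets it references; the record on its own shows the review happened, but the auditor will trace each SLA exception back to the ticket that closed it.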
Realistic timeline from HIPAA to SOC 2 Type II
Gap assessment and planning
Map your HIPAA controls against SOC 2 Common Criteria. Identify the delta. Scope your Trust Service Criteria. Engage your auditor early so they can advise on evidence expectations before the clock starts.
Close the gaps
Implement change management procedures, set up the quarterly access review cadence, expand your vendor risk program, and draft your system description. For most HIPAA-compliant companies this takes 4–8 weeks, not months.
Observation period (6 months minimum)
Controls run, evidence accumulates. Conduct your quarterly access reviews, log change management tickets, keep monitoring records. Your auditor may check in at the midpoint. This is the phase where operational discipline matters most.
Fieldwork and report
Auditor conducts fieldwork — evidence requests, interviews, sample testing. You respond to any exceptions. Draft report issued, management response written if needed. Final report typically 6–8 weeks after observation period closes.
Total from gap assessment to final report: 9–11 months for most HIPAA-compliant companies — faster than the 12–15 months typical for companies starting from scratch.
Choosing your Trust Service Criteria
Your HIPAA work already supports multiple TSC — here's how to think about scoping:
- Security (CC) — always required. This is where the HIPAA overlap is strongest. Non-negotiable.
- Availability — strongly recommended for healthcare SaaS. Hospitals and health systems take uptime seriously. Your HIPAA contingency plan gives you a head start on A1.1 and A1.2. Adding Availability to scope is usually a modest incremental effort.
- Confidentiality — worth adding. Health data is inherently sensitive. Your HIPAA controls already address most Confidentiality criteria. Including it in scope signals seriousness to buyers without much additional work.
- Privacy TSC — optional. Not to be confused with HIPAA's Privacy Rule. The SOC 2 Privacy TSC covers how you collect, use, retain, and disclose personal information. If privacy differentiation matters to your buyers, it's worth considering — but it's a meaningful additional scope commitment.
- Processing Integrity — usually skip it unless your product does financial transactions or data transformations where accuracy is a specific customer concern.
Your action plan
- Run a gap assessment now. Use a free gap assessment to map your current controls against SOC 2 Common Criteria and get a concrete list of what to fix first. Takes 15 minutes.
- Engage your auditor before you start. CPA firms book up fast. Start conversations with AICPA-licensed auditors now, even if you're 3–4 months from being ready. Ask whether they offer combined HIPAA and SOC 2 engagements — the economics are usually better.
- Stand up change management first. It's the most common gap and the one that takes the longest to generate clean evidence for. Get a lightweight change management process running immediately — even a simple ticketing workflow is enough to start.
- Run your first quarterly access review. Don't wait until the observation period starts. Run an access review now, document it properly, and use it as a template. When the clock starts you'll have the process dialed in.
- Draft your system description. Your auditor will need this. It describes the boundaries of your system, the services you provide, the infrastructure components in scope, and your principal service commitments. Block time to write it before fieldwork begins.
- Start the observation period with intention. The moment your auditor confirms the window is open, every control needs to be running and generating evidence. Brief your team on what to retain and how. Six months of clean evidence is what gets you a clean report.
The bottom line: HIPAA compliance is a genuine head start. The gap to SOC 2 is real but manageable — a few months of targeted work, not a year-long rebuild. The companies that get tripped up are those that underestimate the evidence requirements, not the control requirements. For more on the two frameworks side by side, see SOC 2 vs HIPAA: Do I Need Both?
Frequently asked questions
Roughly 50–60% of the controls required for SOC 2 Type II are already in place if you've done HIPAA's Security Rule properly. The overlap is strongest in access management, encryption, audit logging, incident response, risk assessment, and vendor management. The gaps are usually in documentation rigor, change management procedures, and the structured evidence cadence that SOC 2 auditors expect.
The most common gaps for HIPAA-compliant companies pursuing SOC 2 are: formal change management documentation, a quarterly access review cadence with auditor-ready evidence, a written vendor risk management program that goes beyond BAAs, and a formal system description document. Most of these are documentation and process gaps rather than technical control gaps.
For a HIPAA-compliant company with mature controls, the path to SOC 2 Type II typically takes 9–11 months total: 1–3 months to close documentation and process gaps, followed by a 6-month observation period, then 6–8 weeks for the auditor to issue the report. Companies starting from a strong HIPAA foundation often find the gap closure phase takes 4–8 weeks rather than months.
No — you extend them. Your HIPAA policies are a solid foundation. The main task is uplifting them to explicitly address SOC 2 Common Criteria requirements where HIPAA language doesn't cover it. Specifically: your access management policy likely needs a change management section, and your vendor management policy likely needs to cover risk tiering and annual review cadence beyond what BAA requirements dictate.
Yes, and it's often the most efficient approach. Many CPA firms with SOC 2 practices also offer HIPAA assessments. A combined engagement means shared evidence collection, one set of interviews, and lower total cost. If you already have a HIPAA auditor or assessor, ask whether they are AICPA-licensed for SOC 2 — if so, a combined engagement is worth exploring.
Security (CC) is always required. For healthcare SaaS companies, Availability is almost always expected by enterprise customers. Confidentiality is worth adding given the sensitivity of health data and the fact that your HIPAA controls already support most of it. The Privacy TSC is optional but can be a differentiator when selling to privacy-conscious buyers.
No. SOC 2 and HIPAA serve different purposes and different audiences. HIPAA is a legal obligation enforced by HHS Office for Civil Rights — you cannot substitute SOC 2 compliance for HIPAA compliance. SOC 2 is a voluntary market credential that satisfies enterprise customer procurement requirements. You need both, and they must be maintained independently even when the underlying controls overlap.
SOC 2 auditors typically want more structured, time-stamped operational evidence than HIPAA assessors require. Specifically: evidence of quarterly logical access reviews, a change management log showing approval workflows for system changes, vendor risk assessments with risk ratings, and monitoring alert logs showing your team is actually reviewing security events. HIPAA assessors often accept policy documentation; SOC 2 auditors want to see the evidence that controls ran throughout the observation period.