Q: What is the difference between HITRUST and SOC 2? Do they work together? How are they different?
A: The main difference between HITRUST and SOC 2 is that SOC 2 is an attestation report, while HITRUST is a certification.
Our management attests to our input to the information presented to the users within the report, and the independent party confirms these attestations. SOC 2 looks at whether the controls were appropriately designed and operated effectively during the time period for the report, in accordance with the requirements stipulated by the SOC 2 criteria.
A HITRUST report comes with a certification. HITRUST is much more detailed, with around five times the number of controls, and incorporates requirements from various standards. HITRUST is also closely aligned with HIPAA, so it's relevant for those dealing with PHI.