Vanta — HIPAA / SOC 2 / HITRUST Compliance Checklists

Vanta. Three compliance-process checklists covering HIPAA, SOC 2, and HITRUST certification, captured 2024. These are vendor-produced guides summarizing the structure of each framework, not authoritative regulatory documents.

Key findings used in wiki

HIPAA — Health Insurance Portability and Accountability Act

  • HIPAA is the U.S. regulatory regime for safeguarding protected health information (PHI) held by covered entities and business associates.
  • The checklist structures HIPAA compliance around nine practical steps:
    1. Determine required annual audits and assessments
    2. Conduct required compliance audits and assessments
    3. Use an automated compliance platform for documentation
    4. Appoint a HIPAA Compliance Officer (named security/compliance point person)
    5. Schedule annual HIPAA training for all employees
    6. Document employee trainings and other compliance activities
    7. Establish and communicate breach-report processes
    8. Institute an annual review process
    9. Continuously assess and manage risk year-round
  • The U.S. Department of Health and Human Services Office for Civil Rights (OCR) publishes the authoritative Audit Protocol that governs HIPAA audits.

SOC 2 — AICPA Trust Services Criteria

  • SOC 2 is an AICPA framework used by service organizations to demonstrate controls over customer data. Reports come in two forms: Type 1 (point-in-time control design) and Type 2 (operating effectiveness over a period of time).
  • Every SOC 2 engagement must cover the Security Trust Service Criteria. Four additional criteria — Availability, Processing Integrity, Confidentiality, Privacy — are scoped in based on business context.
  • The Common Criteria (CC1–CC9) cover: control environment, communication and information, risk assessment, monitoring activities, control activities, logical and physical access controls, system operations, change management, and risk mitigation.
  • SOC 2 reports are audited by independent CPAs and are widely required for B2B/enterprise sales in health, finance, and SaaS.

HITRUST — HITRUST CSF Certification

  • HITRUST is a cybersecurity assurance framework widely used in U.S. healthcare. It maps across HIPAA, NIST, ISO 27001, PCI, and other regimes.
  • HITRUST offers three levels of Validated Assessments: e1 (entry-level), i1 (moderate risk), and r2 (high-rigor, full risk-based assessment).
  • Certification involves a Readiness assessment (performed with an external Validated Assessor such as A-LIGN, Prescient Assurance, or Insight Assurance), remediation, a Validated Assessment with evidence submission, HITRUST QA review, and issuance of the certification report through the HITRUST MyCSF platform.
  • HITRUST certification is a common purchasing requirement for health-system, payer, and hospital partnerships.

Why the three frameworks interact

  • HIPAA is the regulatory floor for organizations handling PHI — not optional, and not a certification so much as a compliance posture.
  • SOC 2 is the trust signal commonly required by B2B/enterprise customers across industries.
  • HITRUST is a healthcare-specific assurance layer that encompasses HIPAA and extends into a more rigorous certification regime for health-system partnerships.
  • Organizations operating in caregiver-facing healthcare-adjacent spaces typically need HIPAA compliance operationally, SOC 2 for enterprise sales, and HITRUST if they seek direct health-system, payer, or hospital-network integration.

Why it matters for the wiki

  • Gives a concise, citable structural reference for the three compliance regimes that shape caregiver-facing healthcare-adjacent product architecture.
  • Anchors architecture/compliance.md without needing to reproduce the framework content inline.
  • Vanta is a common automation-platform choice in this space; its checklists also serve as a reasonable structural proxy for what partnership-facing compliance conversations expect.