Ready to discover the power of taking a multi-framework approach to compliance?

SOC 2 or (Service Organization Control Type 2) is a compliance framework developed by the AICPA (American Institute of Certified Public Accountants) and considered table stakes for US companies that store user data. 

SOC 2 is one of three types of SOC reports (including SOC 1 and SOC 3) and involves an audit to examine service providers and determine if they are securely managing 3rd party data. For example, if you’re dealing with personal health information (PHI), incorporating SOC 2 into your compliance program is key to building trust with investors and buyers. 

Fast Fact: Achieving SOC 2 Type 2 gets you 90% of the way to achieving HITRUST e1. That’s why a lot of Thoropass customers choose to do both at the same time.

HIPAA, or the Health Insurance Portability and Accountability Act, was developed to protect Protected Health Information (PHI) in any form like paper or stored in digital locations such as Electronic Health Records (EHR). 

HIPAA applies to two types of organizations:

Covered Entity (CE): Covered entities are health plans, healthcare clearinghouses, or healthcare providers who transmit any health information in electronic form in connection with a transaction. 

Business Associate (BA): A Business Associate is a service provider to a CE. A BA is an organization that receives, maintains, creates, or transmits protected health information (PHI) on behalf of a covered entity.

Complying with the laws set forth by HIPAA is not an option but a legal requirement for CEs and BAs to conduct business. Failing to comply can result in significant reputational and financial damage.

Fast Fact: While HIPAA may be legally required to launch products or services that handle PHI, the HITRUST r2 assessment may cover all HIPAA requirements (and then some.) for certain organizations—specifically, if you’re working with insurance carriers or hospital systems.

The HITRUST (CSF) is a globally utilized and recognized framework with dozens of authoritative sources covering multiple industries.

The HITRUST e1 (essentials one-year certification) is one of three HITRUST assessments. It’s the newest and most accessible certification with the fewest controls. It’s also significantly cheaper than the other HITRUST certifications. The e1 serves as a great foundation for achieving future HITRUST certifications. 

Fast Fact: For smaller companies and startups just setting off on their compliance journey, the e1 is a great stepping stone to HITRUST compliance as it’s faster and less expensive than the other two. The e1 includes just 44 HITRUST CSF requirements for year one and year two.

The HITRUST i1 (implementation one-year certification) and r2 (risk-based two-year certification) assessments offer considerably higher levels of protection and assurance than the e1, but they take much longer to achieve. If you’ve already achieved your e1 certification, you’ll have a substantial head start toward achieving your i1. 

The i1,  originally developed as the gateway to r2, tends to be the most commonly recommended version. The r2 is by far the most comprehensive of the three. The r2 is the original version of the certification and the most intensive (and expensive.)

Fast Fact: The HITRUST CSF is considered a gold standard as it’s regulated by a private body and unifies many authoritative sources, pre-existing security regulations, and frameworks—such as NIST, HIPAA, ISO 27001, FedRAMP, PCI DSS, GDPR, and more.  

Payment Card Industry Data Security Standards (PCI DSS) apply to any entity that processes, stores, or transmits credit card information. The payment card brands mandate the standards and enforce compliance. Merchants and service providers of all sizes are responsible for maintaining compliance with PCI DSS.

Fast Fact: When it comes to PCI DSS, one set of requirements or standards does not fit all. Your journey to PCI DSS compliance will change depending on the entity type, the number of transactions, and your organization’s customer requirements.

Plan on expanding your business across borders? ISO 27001 is an international standard for implementing an effective Information Security Management System (ISMS) that generally applies to companies wishing to pursue international deals.

ISO 27001 is an excellent certification for organizations who wish to prove an extra level of credibility with customers, partners, and regulators.

Fast Fact: ISO 27001 is most often sought after by companies in the EU because it has a privacy component that closely aligns with GDPR (General Data Protection Regulation). However, there is a growing interest in ISO for US-based companies that wish to expand globally.