How do I add HIPAA to my existing SOC 2 program?

What SOC 2 Already Covers for HIPAA

HIPAA Requirement	SOC 2 Coverage
Access controls (§164.312(a))	CC6.1-6.8 — fully covered
Audit controls (§164.312(b))	CC7.1-7.2 — fully covered
Integrity controls (§164.312(c))	CC8.1 — fully covered
Transmission security (§164.312(e))	CC6.7 — fully covered
Risk assessment (§164.308(a)(1))	CC3.1-3.4 — fully covered
Incident response (§164.308(a)(6))	CC7.3-7.5 — fully covered
Security training (§164.308(a)(5))	CC1.4 — fully covered
Contingency plan (§164.308(a)(7))	A1.2 — covered if Availability in scope

What You Need to Add

1. Business Associate Agreement (BAA)

A legal contract between you and your healthcare customers defining responsibilities for PHI. Have a healthcare lawyer draft a template. Cost: $2K-$5K.

2. PHI Data Mapping

Document where Protected Health Information flows through your system:

• Where PHI enters (API, upload, manual entry)
• Where PHI is stored (database, file storage, logs)
• Where PHI is transmitted (integrations, exports, backups)
• Who can access PHI (roles and access controls)

3. Breach Notification Process

HIPAA requires notification within 60 days of discovering a breach involving PHI. Add this to your incident response plan:

• How you determine if PHI was exposed
• Who you notify (affected individuals, HHS, media if 500+ affected)
• Documentation requirements

4. Privacy Controls

HIPAA Privacy Rule requirements beyond SOC 2:

• Minimum necessary access to PHI
• Patient rights (access, amendment requests)
• Uses and disclosures documentation

5. Subprocessor BAAs

Ensure every vendor that touches PHI has a BAA with you — database providers, hosting, email, analytics.

Timeline

Task	Time
BAA template (with lawyer)	1-2 weeks
PHI data mapping	1 week
Breach notification additions	2-3 days
Privacy controls	1-2 weeks
Subprocessor BAA collection	2-3 weeks
Total	4-8 weeks