What evidence does a healthcare SaaS need beyond SOC 2?

Evidence Beyond SOC 2

Evidence Type	SOC 2 Covers?	HIPAA Requires?	What to Provide
Access controls	Yes	Yes	Already have from SOC 2
Encryption	Yes	Yes	Already have from SOC 2
Audit logging	Yes	Yes	Already have from SOC 2
Business Associate Agreements	No	Yes	Signed BAAs with customers and vendors
PHI data flow map	No	Yes	Diagram showing where PHI enters, is stored, and exits
Breach notification process	Partial	Yes (60-day rule)	Specific process for PHI breaches
Minimum necessary access	No	Yes	Documentation showing PHI access limited to need
Patient rights procedures	No	Yes	How patients request data access, amendments
Subprocessor BAAs	Partial	Yes	BAAs with every vendor touching PHI
Privacy impact assessment	No	Yes	Assessment of privacy risks for PHI handling

HIPAA-Specific Evidence Checklist

Business Associate Agreements

• Template BAA reviewed by healthcare lawyer
• Signed BAA with each healthcare customer
• Signed BAA with each vendor handling PHI (database, hosting, analytics)

PHI Data Mapping

• Data flow diagram showing PHI lifecycle
• List of all systems storing PHI
• Documentation of PHI encryption methods
• Data retention and disposal policies for PHI

Privacy Controls

• Minimum necessary access policy
• Patient data access request process
• PHI de-identification procedures (if applicable)
• Marketing use restrictions for PHI

Breach Response

• HIPAA-specific breach notification procedure (60-day timeline)
• HHS notification process for breaches affecting 500+ individuals
• Media notification process (if required)
• Breach risk assessment methodology

The Healthcare SaaS Compliance Stack

1. SOC 2 Type II (security foundation)
2. HIPAA compliance (PHI-specific requirements)
3. HITRUST (if selling to large health systems — optional)
4. State privacy laws (California, Texas, New York have additional requirements)