HIPAA and SOC 2 in One Combined Assessment: When It Saves You Six Months and When It Wastes Six Figures
Alexander Sverdlov
Security Analyst

Key Takeaways
- A correctly scoped combined HIPAA + SOC 2 program reuses roughly 70 to 78 percent of evidence between the two. Running them in sequence (HIPAA first, then SOC 2 nine months later) typically wastes 4 to 7 months and 35 to 60 thousand dollars in duplicated work.
- Combining is the right call when (1) all of your covered-entity customers ask for both, (2) you can stand up the program with a single auditor who carries both credentials, and (3) your data model has stabilised. Combining is the wrong call when one customer needs HIPAA evidence in 30 days and the SOC 2 audit window cannot start for six months.
- There is no HIPAA certification. There is a SOC 2 + HIPAA report variant that includes a section on HIPAA Security Rule controls. This is the single artifact most healthcare buyers will accept in 2026, more often than a standalone HIPAA attestation letter.
- The cost difference between two separate engagements and one combined engagement, for a 30-person SaaS, is typically 76,000 to 118,000 dollars in audit and consulting fees, plus 280 to 420 hours of internal engineering time. The biggest savings come from running the readiness phase once rather than twice.
- Pick the auditor before you scope the program. Auditors who hold both an AICPA SOC 2 license and meaningful HIPAA practice experience are roughly one in four CPA firms doing SOC 2 work. The other three will quote you cheaply and then sub-contract or stay silent on HIPAA-specific findings.
- Combined readiness for a 30-person SaaS lands at 14 to 20 weeks and 95,000 to 175,000 dollars including auditor fees. Sequential lands at 28 to 36 weeks and 145,000 to 240,000 dollars. The math is straightforward once you see the overlap.
In March a CTO of a 28-person clinical-trial SaaS called us. They had two parallel pressures. A regional health system was holding a 1.9 million dollar three-year contract pending HIPAA evidence, decision deadline 60 days. A pharmaceutical sponsor needed a SOC 2 Type 2 to renew an existing 740,000 dollar annual contract, audit window starting in early summer. They had a quote in hand from a regional CPA firm: 41,000 dollars for SOC 2 Type 2 readiness plus 32,000 dollars for HIPAA "compliance certification," plus separate auditor fees. Total quote: roughly 145,000 dollars all-in.
The CTO opened the call with the question every healthcare SaaS founder eventually asks: "Are these actually two separate engagements, or is the auditor selling me the same work twice?" The honest answer was about half. The two assessments share most of their underlying control evidence. They do not share the report, the auditor scope language, or the legal opinion on HIPAA Security Rule mapping. A well-run combined engagement would have saved them roughly 47,000 dollars and a calendar quarter. A badly run combined engagement would have left holes in both reports.
Combined HIPAA and SOC 2 engagements are now the modal request for cloud-native healthcare SaaS between 15 and 200 people. From 22 combined-scope engagements run in the last 24 months, this article distills the framework we use on every first call: when to combine, when to separate, how to scope the work, which auditor to pick, and what the bill actually looks like.
If your sales pipeline now requires both HIPAA evidence and a SOC 2 report, read on. The decisions in the first two weeks determine whether the next 12 months cost you 95,000 dollars or 240,000 dollars for the same defensible posture.
Context
Why Healthcare Buyers Now Ask for Both
Five years ago a hospital system asking for HIPAA evidence was happy with a signed BAA, a one-page security overview, and a vendor questionnaire. SOC 2 was a separate procurement gate for non-healthcare buyers. The two worlds did not overlap. They do now.
Three forces collapsed the gap. Health systems centralized vendor management under a chief information security officer who reads SOC 2 reports for every other software purchase, and started asking why healthcare vendors are different. Payer and life-sciences procurement teams hired ex-financial-services compliance leaders who treat SOC 2 as the floor. And the AICPA published guidance making it clean to incorporate HIPAA Security Rule criteria into a SOC 2 Type 2 examination, which made the combined report cheaper to produce than two separate documents.
The result is that a typical healthcare SaaS in 2026 receives one of three procurement requests, and increasingly the third one:
The combined report did not exist in this form ten years ago. Today an auditor can issue a SOC 2 Type 2 with an additional subject-matter section covering the HIPAA Security Rule administrative, physical, and technical safeguards. The buyer receives one report. The auditor opines on both. The cost to produce the combined report is roughly 1.15 to 1.25 times the cost of a standalone SOC 2, not 2 times. That math is what makes combined assessments cheaper than running them sequentially.
There is still no such thing as a HIPAA certification
The Office for Civil Rights does not certify anyone for HIPAA. There is no HIPAA seal a vendor can put on a deck. The "HIPAA evidence" a buyer wants is some combination of (1) a signed BAA, (2) a written Risk Analysis under 164.308(a)(1)(ii)(A), (3) a security policy set, and (4) an independent third-party attestation that the controls described in your Risk Analysis are in place. The combined SOC 2 + HIPAA report is the fourth item formatted in the way large buyers prefer.
The Overlap
Where SOC 2 and HIPAA Actually Share Evidence (and Where They Do Not)
The single most useful number when scoping a combined engagement is the share of evidence that satisfies both frameworks. Across the engagements we have measured, the overlap lands between 70 and 78 percent for cloud-native SaaS with a stable architecture. The remaining 22 to 30 percent splits roughly into HIPAA-specific items (BAA management, ePHI disposal records, breach notification procedures) and SOC 2-specific items (commitments and system descriptions, change management evidence at the level of detail the trust services criteria require).
A concrete map of where the overlap lives:
| Control area | SOC 2 (Trust Services) | HIPAA Security Rule | Reuse |
|---|---|---|---|
| Access control and identity | CC6.1, CC6.2, CC6.3 | 164.308(a)(3), 164.312(a)(1) | Full |
| Encryption at rest and in transit | CC6.7 | 164.312(a)(2)(iv), 164.312(e)(2)(ii) | Full |
| Audit logging and monitoring | CC7.2, CC7.3 | 164.312(b), 164.308(a)(1)(ii)(D) | Full |
| Risk assessment | CC3.1, CC3.2, CC3.3 | 164.308(a)(1)(ii)(A) | Partial |
| Incident response | CC7.4, CC7.5 | 164.308(a)(6) | Full |
| Workforce training | CC1.4, CC2.2 | 164.308(a)(5) | Full |
| Vendor and subprocessor management | CC9.2 | 164.308(b), 164.314(a) | Partial (BAA layer is HIPAA only) |
| Business continuity and contingency | A1.2, A1.3 | 164.308(a)(7), 164.310(d)(2)(iv) | Full |
| Physical security | CC6.4 | 164.310(a), (b), (c) | Full (mostly hyperscaler inheritance) |
| BAA management | Not addressed | 164.504(e), 164.314 | HIPAA only |
| Breach notification process | Not addressed | 164.400 series | HIPAA only |
| System description and commitments | Required by SOC 2 | Not required | SOC 2 only |
The reuse rule for evidence
Every piece of evidence collected for SOC 2 should be tagged in your evidence repository with both the SOC 2 trust services criterion and the HIPAA Security Rule citation it satisfies. Auditors love this tagging because it makes the cross-reference table in the combined report straightforward. Procurement teams reading the report love it because they can find the evidence that satisfies their specific question without re-reading the whole document. Build the tagging into the evidence collection process from the first week.
The partial-overlap items are where teams often double their work. Risk assessment is the most common example. SOC 2 requires a risk assessment that covers the company's commitments to customers (uptime, confidentiality, integrity, etc.). HIPAA requires a specific ePHI-focused Risk Analysis under 164.308(a)(1)(ii)(A) following NIST 800-66 Rev. 2 structure. Most teams produce two documents. The right approach is one Risk Analysis with an explicit ePHI section that satisfies HIPAA and an enterprise risk section that satisfies SOC 2, both referenced in the same governance committee meeting minutes.
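As an added illustration of the tagging rule above (example code written for this article, not a tool the firm or any auditor ships): a small Python script that loads the overlap table into a control map, stamps each piece of evidence with the citations from both frameworks, flags items that as tagged would only serve one framework, and builds the citation-to-evidence cross-reference the combined report needs. The evidence items and their descriptions are constructed; the criteria and citations come from the table, and the system-description tag is a placeholder rather than a trust services criterion.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Control map built from the overlap table: area -> (SOC 2 criteria, HIPAA citations).
# An empty tuple means that framework does not address the area.
CONTROL_MAP = {
    "access_control":      (("CC6.1", "CC6.2", "CC6.3"), ("164.308(a)(3)", "164.312(a)(1)")),
    "encryption":          (("CC6.7",), ("164.312(a)(2)(iv)", "164.312(e)(2)(ii)")),
    "audit_logging":       (("CC7.2", "CC7.3"), ("164.312(b)", "164.308(a)(1)(ii)(D)")),
    "risk_assessment":     (("CC3.1", "CC3.2", "CC3.3"), ("164.308(a)(1)(ii)(A)",)),
    "incident_response":   (("CC7.4", "CC7.5"), ("164.308(a)(6)",)),
    "workforce_training":  (("CC1.4", "CC2.2"), ("164.308(a)(5)",)),
    "vendor_management":   (("CC9.2",), ("164.308(b)", "164.314(a)")),
    "baa_management":      ((), ("164.504(e)", "164.314")),
    "breach_notification": ((), ("164.400 series",)),
    "system_description":  (("SOC2-SystemDescription",), ()),   # placeholder tag, not a TSC id
}

@dataclass
class Evidence:
    id: str
    area: str
    description: str
    tags: set = field(default_factory=set)   # citations the collector stamped on it

def dual_tag(item):
    """The reuse rule: stamp every citation either framework attaches to the item's area."""
    soc2, hipaa = CONTROL_MAP[item.area]
    item.tags.update(soc2, hipaa)
    return item

def missing_frameworks(item):
    """Frameworks the map expects for this area but whose citations are absent from the tags."""
    soc2, hipaa = CONTROL_MAP[item.area]
    return [name for name, cites in (("soc2", soc2), ("hipaa", hipaa))
            if cites and not item.tags & set(cites)]

def lint(items):
    """Evidence that, as tagged, would only be found by one framework's reviewer."""
    return {it.id: missing_frameworks(it) for it in items if missing_frameworks(it)}

def cross_reference(items):
    """Citation -> evidence ids: the table the combined report's HIPAA section is built from."""
    xref = defaultdict(list)
    for it in items:
        for tag in sorted(it.tags):
            xref[tag].append(it.id)
    return dict(xref)

def reuse_share(items):
    """Fraction of evidence items that count toward both frameworks."""
    return sum(1 for it in items if all(CONTROL_MAP[it.area])) / len(items)

# Constructed repository: a team that tagged everything with SOC 2 criteria only.
SAMPLE = [
    Evidence("EV-01", "access_control", "Quarterly access review export", {"CC6.2"}),
    Evidence("EV-02", "encryption", "KMS key policy and TLS configuration", {"CC6.7"}),
    Evidence("EV-03", "audit_logging", "Log forwarding to SIEM, screenshot", {"CC7.2"}),
    Evidence("EV-04", "baa_management", "Signed BAA with hosting provider"),
    Evidence("EV-05", "system_description", "Section 3 narrative", {"SOC2-SystemDescription"}),
]

if __name__ == "__main__":
    print("gaps before dual tagging:", lint(SAMPLE))
    for it in SAMPLE:
        dual_tag(it)
    print("gaps after:", lint(SAMPLE), "reuse share:", reuse_share(SAMPLE))
    print("164.312(b) ->", cross_reference(SAMPLE)["164.312(b)"])
```

Run against a real repository, the lint output is the list of items an auditor would otherwise ask you to re-collect for the HIPAA section.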
The Decision
When to Combine and When to Run Them Separately
Combining is the right call for most healthcare SaaS that already know they will need both within the next 12 months. Separating is the right call when there is a specific deal-driven asymmetry between the two requirements: one buyer needs HIPAA evidence in 30 days, the SOC 2 audit window is six months out, or one of the two requirements may turn out to be unnecessary based on how a pilot evolves.
A practical decision tree, refined across the 22 combined engagements:
The most common "separate" path we run is this: a customer needs HIPAA evidence in 30 days, so the team commissions a Third-Party HIPAA Security Attestation Letter from a credible firm in two to four weeks (10,000 to 18,000 dollars), then begins the combined SOC 2 + HIPAA readiness program in parallel with the letter satisfying the immediate procurement need. The combined report comes out 14 to 20 weeks later and replaces the letter as the standing artifact for all future deals.
Picking the Auditor
The Single Decision That Determines Whether Combined Works
Combined assessments only save money if the auditor can credibly opine on both frameworks. Roughly one in four CPA firms doing SOC 2 work has meaningful HIPAA Security Rule practice depth. The other three will quote you cheaply, then either subcontract the HIPAA portion to an associate firm (adding cost and coordination overhead) or stay silent on HIPAA-specific findings (leaving your buyer to discover gaps later).
The five questions to ask any auditor before signing a combined engagement letter:
- How many combined SOC 2 + HIPAA examinations has your firm signed in the past 18 months? Acceptable answer is 6 or more. Below that the firm is climbing the learning curve on your dime.
- Will the engagement partner who signs my report have personally signed a combined SOC 2 + HIPAA report in the past 24 months? Acceptable answer is yes, with at least two examples available for reference. The partner sets the depth of the HIPAA section.
- Does your firm use a HIPAA Security Rule control matrix that maps to the AICPA SOC 2 trust services criteria? Acceptable answer is yes, with a copy provided for review. If they cannot produce one, they will build it on your engagement and bill you for the time.
- Will the same audit team test the SOC 2 controls and the HIPAA-specific controls? Acceptable answer is yes. If two separate teams are involved you will spend an extra 40 to 80 hours of internal coordination time.
- Can you provide a redacted prior combined report for review? Acceptable answer is yes. Reading a sample report tells you how the firm structures the HIPAA section and whether procurement teams will accept its format.
The "we partner with a HIPAA firm" warning sign
If the CPA firm responds to the HIPAA question with "we have a partnership with a specialized HIPAA consultancy that handles that portion," the firm is essentially subcontracting. The combined report becomes two engagements in disguise with two project managers, two timelines, and two billing relationships. The savings versus a sequential approach disappear. Either find a firm that does both in-house or accept that you are running sequential engagements and budget accordingly.
Auditor selection is the single decision that determines whether the combined assessment delivers the 35 to 60 percent savings the math promises. We have seen teams pick the cheapest SOC 2 quote, assume the auditor would handle HIPAA at the same depth, and discover four months in that the HIPAA section of the report would be three pages of generic language no hospital procurement team would accept. The fix at that point is to commission a separate HIPAA attestation letter from a credible firm, and the combined savings evaporate.
Execution
A 16-Week Combined Readiness Plan With Real Numbers
A combined readiness program for a 30-person healthcare SaaS lands at 14 to 20 weeks of preparatory work before the audit window opens. The structure we use, refined across the 22 engagements, breaks into four four-week sprints. Each sprint has a defined output, a named owner on the client side, and a billable cost.
Where the savings come from. Sprint 1 runs once instead of twice (saving roughly 18,000 to 28,000 dollars). The auditor fee for the combined report is 1.15 to 1.25 times the standalone SOC 2 fee, not 2 times (saving 20,000 to 35,000 dollars). The evidence collection happens once with dual tagging, saving 80 to 140 hours of internal engineering time (worth 12,000 to 22,000 dollars at typical loaded rates).
Where the savings do not come from. The actual control implementation work is the same whether you are doing one framework or two. If your access reviews were broken before, they are still broken; combined assessment does not make them work faster. The savings are in the readiness, the audit, and the report, not in the engineering work itself.
Anti-patterns
The Five Combined-Assessment Mistakes We See Every Quarter
Five recurring failure patterns turn a 95,000 dollar combined assessment into a 175,000 dollar one. Each is avoidable in the first two weeks if the team knows to look.
1. Picking the auditor last
Teams spend 8 weeks doing readiness work, then start auditor selection. The auditor pushes back on scope decisions, rejects the system description, and asks for evidence in a different format than what was collected. Cost impact: 12,000 to 28,000 dollars of rework. Fix: select the auditor in week 1, get the scope memo signed in week 2, then collect evidence to the auditor's specification.
2. Treating the Risk Analysis as a SOC 2 deliverable
A SOC 2 risk assessment in TrustCloud or Vanta will not satisfy 164.308(a)(1)(ii)(A). The HIPAA Risk Analysis needs an ePHI inventory, a NIST 800-66-style methodology, and a documented mitigation plan signed by the privacy officer. Cost impact: 8,000 to 18,000 dollars of late-cycle work. Fix: write one Risk Analysis with an ePHI-focused section that satisfies HIPAA explicitly, referenced in the enterprise risk register that SOC 2 needs.
3. Skipping the BAA refresh
The combined report will name every subprocessor handling ePHI. If any of them have BAAs that are over two years old, signed under their old terms, or missing entirely, the HIPAA section of the report becomes a finding. Cost impact: 4,000 to 12,000 dollars of last-minute legal work plus 2 to 4 weeks of vendor chasing. Fix: in week 2, inventory every BAA and renew or sign any that are older than 24 months or were signed under a legacy template.
4. Skipping the IR tabletop
SOC 2 wants an incident response plan; HIPAA wants the same plan plus the breach notification procedure under the 164.400 series and evidence that the plan has been tested. A tabletop exercise costs 6,000 to 12,000 dollars to facilitate and surfaces gaps the auditor would otherwise find for you, at the cost of a finding. Fix: run the tabletop in Sprint 3, document it, and include the after-action report in the evidence package.
5. Letting scope creep eat the savings
The combined report is for one set of products and one set of in-scope systems. If the engineering team ships a new product line in week 6, it does not automatically join the scope. Adding it costs roughly 25,000 to 40,000 dollars of additional readiness plus a higher auditor fee. Fix: freeze the scope at the end of week 2, document it in the system description, and add new products to the next year's report instead.
None of these mistakes is exotic. Every one of them has cost a real client real money on an engagement we then had to clean up. The two-week scoping window at the start of the program is where most of the savings are won or lost.
How Atlant Security Helps
Combined SOC 2 + HIPAA Readiness in 16 Weeks
We run combined SOC 2 + HIPAA readiness as a single 16-week engagement for healthcare SaaS between 15 and 200 people. By the end you have a current Risk Analysis, a complete ePHI Register, all 87 controls live with evidence, BAAs current with every subprocessor, an IR tabletop on file, and an auditor-ready evidence package mapped to both frameworks at the same time.
- Fixed pricing from $68,000 readiness, plus auditor fee, scope written before contract
- Senior consultants only, never juniors
- We help you select the auditor in week 1, with introductions to firms we have shipped combined reports with
- Deliverable kit: Risk Analysis, ePHI Register, policy set, IR plan, training deck, tabletop after-action, and the evidence repository pre-tagged for both frameworks
- Pay after each sprint, not all up front
Frequently Asked
Questions Healthcare SaaS Founders Ask Us Every Week
Can a single CPA firm issue both the SOC 2 and the HIPAA opinion in one report?
Yes. Under AICPA guidance, a SOC 2 Type 2 examination can include an additional subject matter section in which the practitioner opines on the design and operating effectiveness of controls relevant to the HIPAA Security Rule administrative, physical, and technical safeguards. The same engagement partner signs both opinions in the same report. The buyer receives one PDF. The condition is that the practitioner has the competence to opine on HIPAA, which is what makes auditor selection load-bearing.
If we already have a SOC 2 Type 2 report, can we add HIPAA to next year's report or do we need a new audit?
You add it to next year's report. The HIPAA section is included as additional subject matter in the next SOC 2 examination. The readiness work happens in parallel with the SOC 2 second-year operating evidence collection. Cost is roughly 12 to 25 percent of the standalone SOC 2 audit fee, plus the HIPAA-specific readiness items (ePHI Register, Risk Analysis refresh, BAA inventory). Total uplift typically lands at 28,000 to 52,000 dollars in Year 2 vs running SOC 2 alone.
Is HITRUST a better choice than combined SOC 2 + HIPAA for healthcare buyers?
For most healthcare SaaS in the 15-to-200-person range, no. HITRUST CSF certification carries more weight with large payers and integrated delivery networks but costs 3 to 5 times more (180,000 to 420,000 dollars for a first certification) and takes 9 to 18 months. The combined SOC 2 + HIPAA report covers 80 to 90 percent of what HITRUST does for buyers in the smaller-customer band. HITRUST becomes the right call when a specific large payer or IDN requires it in a contract, or when the SaaS is selling to 50 or more covered entities at once and the per-deal procurement friction of explaining the SOC 2 + HIPAA combination starts to outweigh the HITRUST fee.
We do not actually store ePHI. Do we still need HIPAA evidence?
If your application transmits or processes ePHI even transiently, you are likely a Business Associate. The "we do not store it" framing is a common but legally weak position. A safer posture is to map every system where ePHI could appear (including logs, metrics, error reports, and integration payloads), confirm whether the BAA-eligible configuration is in place, and document the result in your Risk Analysis. If after that mapping you have genuinely zero ePHI in your environment, the HIPAA section of the report is short and inexpensive to produce. If you have ePHI you did not know about (the typical finding) you have to address it before any combined report can issue.
Our auditor proposes "SOC 2 plus HIPAA mapping" instead of a HIPAA opinion. Is that enough?
It depends on how the procurement teams reading your report interpret a "mapping" versus an opinion. A mapping is a cross-reference table showing which SOC 2 controls relate to which HIPAA Security Rule citations. It does not constitute an independent opinion that your HIPAA Security Rule controls are designed and operating effectively. Roughly half of healthcare buyers accept the mapping format. The other half ask for a formal opinion. Before signing the auditor engagement, ask your top three healthcare prospects which they require, and pick the auditor format that matches the majority of pipeline value.
We are 12 people, pre-Series-A, with one hospital pilot. What is the minimum viable HIPAA + SOC 2 posture?
At that stage, full combined readiness is usually premature. The pragmatic three-document minimum is (1) a signed BAA with the hospital, (2) a written Risk Analysis under 164.308(a)(1)(ii)(A) covering your intended ePHI handling, and (3) a Third-Party Security Attestation Letter from a credible cybersecurity firm (cost 8,000 to 18,000 dollars, two to four weeks to issue) that summarizes your controls. This package satisfies most first hospital pilots and gives you 9 to 12 months of runway before the next customer asks for the combined SOC 2 + HIPAA report. The combined readiness becomes a Series-A milestone, not a seed-stage one.
A combined SOC 2 + HIPAA assessment is the single most common compliance request we now receive from cloud-native healthcare SaaS founders. The math behind combining is straightforward (70 to 78 percent evidence overlap, 1.15 to 1.25 times the auditor fee, one report instead of two). The execution is where teams trip. Auditor selection, Risk Analysis methodology, BAA freshness, and scope discipline in the first two weeks decide whether the combined approach delivers the promised savings or quietly turns into two engagements wearing one engagement letter.
The straightforward read for any founder with a healthcare buyer in pipeline: assume you will need both, plan for the combined readiness, pick the auditor in week 1, and write the scope memo before any consultant or vendor work begins. The team that does those four things in the first month ships a combined report in 16 weeks at 95,000 to 175,000 dollars all-in. The team that does not ships in 28 weeks at twice the price, and tends to find the gaps in production rather than in the readiness phase.
If a healthcare customer is in your pipeline this quarter, book a 30-minute scoping call or email alexander@atlantsecurity.com.

Alexander Sverdlov
Founder of Atlant Security. Author of 2 information security books, cybersecurity speaker at the largest cybersecurity conferences in Asia and a United Nations conference panelist. Former Microsoft security consulting team member, external cybersecurity consultant at the Emirates Nuclear Energy Corporation.