How Do SOC 2 + HIPAA Overlay Engagements Actually Work for Auditors?
Most guidance on SOC 2 and HIPAA focuses on the buyer’s perspective: which controls overlap, how to prioritize Trust Services Criteria, where the Security Rule and SOC 2 Security criterion align. That content is useful for a healthcare company building its compliance program — see our buyer-side framework overlap and TSC↔HIPAA mapping table if that is what you need.
This article covers the other side of the table: what actually changes inside an auditor’s engagement when HIPAA work is added to a SOC 2 scope. How does the engagement letter change? Where does evidence collection for one framework end and the other begin? What signals tell you that a firm has real overlay capability rather than a marketing claim? And what does a bridge letter look like when two frameworks with different renewal cycles are running in parallel?
What does a SOC 2 + HIPAA overlay engagement actually mean from the auditor’s side?
A SOC 2 + HIPAA overlay engagement means the auditor performs the SSAE 18 SOC 2 attestation and a HIPAA Security Rule assessment within the same engagement window. The auditor does not issue a single “SOC 2 + HIPAA report” — HIPAA has no AICPA-promulgated attestation standard — so the deliverables are always two separate documents, even when completed by one firm under one engagement letter.
The phrase “SOC 2 + HIPAA combined engagement” is widely used and widely misunderstood. Buyers often arrive expecting a single report that covers both. The auditor delivers something different: a SOC 2 Type 2 attestation report issued under AICPA AT-C 205 and SSAE 18, and separately a HIPAA Security Rule gap analysis, readiness assessment, or — if the firm holds the accreditation — a HITRUST CSF validated assessment. The two deliverables are typically packaged together and delivered in the same engagement cycle, but they are structurally distinct documents governed by different standards.
Why can’t they be a single report? The SOC 2 attestation must conform to AICPA report structure requirements — management’s assertion, the service auditor’s opinion, system description, tests of controls, and results. The HIPAA Security Rule, codified under the Department of Health and Human Services at 45 CFR Part 164, is a federal regulation with no corresponding AICPA attestation framework. HIPAA compliance cannot be “attested” the same way a SOC 2 opinion is issued. What an auditor can do is assess the organization’s controls against HIPAA Security Rule requirements and issue a findings document — a gap analysis or readiness report — that reflects their professional judgment. Blending this into a SOC 2 opinion would compromise the AICPA report’s integrity.
This matters practically because customers who ask for a “SOC 2 + HIPAA report” may accept the gap analysis as meeting their diligence requirement, or they may require something more formal — such as a HITRUST CSF validated assessment — once they understand what the HIPAA deliverable actually is. Setting expectations before the engagement letter is signed prevents misaligned scope assumptions mid-engagement.
How does the auditor structure the engagement to avoid double-billing for overlap?
A well-structured SOC 2 + HIPAA overlay uses one engagement team collecting shared evidence once, with the fee split between the two scopes. Because SOC 2 evidence collection (access reviews, encryption logs, training records, vendor management) directly satisfies many HIPAA gap analysis inputs, firms that structure the engagement correctly apply a 15–25% discount to what the standalone HIPAA assessment would otherwise cost.
The engagement structure question separates firms with genuine overlay capability from those that run two parallel processes and charge for both separately. Here is how the fee and structure models work in practice:
Combined fixed fee with explicit allocation. Most professional firms doing overlay work price the engagement as a single combined fee, then specify internally how that fee allocates between SOC 2 fieldwork and HIPAA assessment work. The contract may show a single number or a two-line breakdown. Either way, the engagement team is the same, the kickoff meeting is joint, and the evidence request list is unified. When encryption logs are collected for SOC 2 Security testing, the same logs flow into the HIPAA §164.312(a)(2)(iv) technical safeguard coverage analysis. The client provides them once.
T&M with a cap. Some specialist firms — particularly those doing this work for complex healthcare platforms with significant scope variation — run time-and-materials with a cap. This structure works when the HIPAA gap analysis scope is uncertain at kickoff (scope of PHI-handling systems, BAA chain complexity, number of subservice organizations touching ePHI). The cap prevents the client from absorbing unlimited overrun; the T&M allows the firm to adjust when scope proves larger than expected.
The evidence-reuse discount. The 15–25% reduction on the HIPAA assessment reflects real efficiency, not a negotiating concession. SOC 2 fieldwork generates evidence that directly satisfies HIPAA Security Rule coverage: access control matrices (§164.312(a)), audit log review evidence (§164.312(b)), workforce training records (§164.308(a)(5)), and vendor risk documentation (§164.308(b)). A firm running two separate teams — one for SOC 2, one for HIPAA — does not get this efficiency. The discount is a signal that the firm actually runs an integrated engagement.
One engagement letter vs. two. Independence considerations apply differently depending on whether the HIPAA work constitutes an advisory or assessment service versus the attest engagement. Most firms issue one combined engagement letter covering both scopes, with separate statement-of-work sections for each deliverable. Some issue two letters — one for the SSAE 18 attest engagement, one for the HIPAA advisory — to maintain clean independence boundaries. Ask the firm explicitly which approach they use and why.
For a broader view of how fee structures and engagement shapes differ across firm tiers, see Big Four vs. specialist SOC 2 auditor pricing.
Where does the SOC 2 evidence file end and the HIPAA gap analysis begin?
SOC 2 evidence is built around sampling: tests of design and tests of operating effectiveness over a defined observation period. HIPAA gap analysis is a coverage exercise: mapping the organization’s controls against every applicable Security Rule safeguard, not testing a sample. They share evidence where controls overlap, but the nature of the test is fundamentally different, and the gaps they surface are different.
This is the technical distinction that trips up buyers and, occasionally, auditors who haven’t run many overlay engagements.
The SOC 2 evidence file contains control descriptions, evidence of control design (walkthroughs, system configuration screenshots, policy documentation), and tests of operating effectiveness over the observation period — typically 3 to 12 months. Testing is sampling-based: the auditor selects a population (access review events, change tickets, vendor assessments) and tests a statistical or judgment-based sample to form an opinion about whether the control operated effectively during the period. An exception in the sample affects the opinion; a control area not included in scope has no bearing on the opinion.
The HIPAA Security Rule gap analysis maps the organization’s controls against the required and addressable specifications across all five sections of the Rule as enumerated by HHS at 45 CFR Part 164: administrative safeguards (§164.308), physical safeguards (§164.310), technical safeguards (§164.312), organizational requirements (§164.314), and policies and procedures (§164.316). This is not a sampling exercise — it is a coverage exercise. Every applicable specification must be addressed. The gap analysis identifies where specifications are unmet, partially met, or addressed by compensating controls. It does not assign a pass/fail opinion the way a SOC 2 does.
Where they share evidence:
- Encryption controls — SOC 2 Security tests encryption configuration; HIPAA §164.312(a)(2)(iv) and §164.312(e)(2)(ii) require encryption of ePHI at rest and in transit. Same logs, same configuration evidence.
- Access control reviews — SOC 2 CC6.1–CC6.3 test access provisioning, periodic review, and deprovisioning. HIPAA §164.312(a)(1) requires access controls for ePHI. The access review evidence collected for SOC 2 sampling informs the HIPAA gap analysis coverage.
- Workforce training — SOC 2 CC1.4 and CC2.2 test security awareness training. HIPAA §164.308(a)(5) requires a security awareness and training program. Training completion records serve both.
- Vendor management — SOC 2 CC9.2 tests vendor risk assessments. HIPAA §164.308(b) requires Business Associate Agreements. Vendor risk files collected for SOC 2 feed into HIPAA BAA coverage analysis.
Where they diverge:
SOC 2’s Processing Integrity criterion — testing that system processing is complete, valid, accurate, timely, and authorized — has no direct HIPAA analog. A HealthTech company running claims processing workflows or lab result routing may be tested under Processing Integrity for SOC 2 purposes; HIPAA’s §164.312(c) integrity specification is narrower, focused specifically on ePHI integrity rather than general system processing accuracy.
HIPAA’s Breach Notification Rule (45 CFR Part 164, Subpart D) has no direct SOC 2 analog. The requirement to notify individuals and HHS within specified timeframes following a breach of unsecured ePHI is a HIPAA-specific obligation that the gap analysis must address but that falls outside SOC 2 Trust Services Criteria.
Understanding where the two frameworks share evidence and where they diverge is the test of whether an auditor has genuine overlay methodology or is running two separate assessments with a shared cover sheet. For the firm-qualification context on how SOC 2 firms map controls to HIPAA / ISO / PCI, see the auditor certification overview.
Which SOC 2 firms in our directory offer the HIPAA overlay (and how do you tell)?
Of 126 firms in the soc2auditors.org directory, 17 hold HITRUST CSF Assessor accreditation — the strongest proxy signal for real SOC 2 + HIPAA overlay capability. This matters because 74 firms list healthcare as a served industry, but listing a vertical is not the same as holding HITRUST accreditation and the methodology it signals.
The key distinction that most published guidance on this topic does not make: industry served is not the same as overlay capability. A firm that has audited healthcare SaaS companies has experience in the vertical. A firm that holds HITRUST CSF Assessor accreditation has been vetted by the HITRUST Alliance against rigorous quality and methodology requirements to perform HITRUST CSF assessments — and the HITRUST CSF is a superset of HIPAA Security Rule requirements. A HITRUST-accredited firm has, by definition, operationalized the HIPAA coverage mapping that a SOC 2 + HIPAA overlay requires.
Of the 126 firms in our directory, 74 list healthcare as a served industry. Of those, only 17 hold HITRUST CSF Assessor accreditation. These 17 are the firms whose methodology signal is strongest for overlay engagements:
- 360 Advanced — explicitly markets a “SOC 2+ hybrid assessment” combining SOC 2 with additional framework coverage including HIPAA
- A-LIGN — one of the better-known healthcare compliance practices among specialists; holds HITRUST accreditation and publishes healthcare-specific SOC 2 content
- Armanino LLP — mid-tier firm with broad HITRUST practice and established healthcare audit division
- Barnes Dennig — regional firm with HITRUST accreditation; strong in Midwest healthcare market
- BARR Advisory — specialist-tier firm well-regarded for healthcare scope depth and combined HIPAA/SOC 2 engagements
- CBIZ (formerly Marcum LLP) — national mid-tier firm following the Marcum acquisition; maintains HITRUST assessor accreditation
- Coalfire — cybersecurity-focused specialist firm with deep HITRUST CSF practice and published SOC 2 + HIPAA methodology
- Compliance Point — specialist firm with HITRUST accreditation; focuses on healthcare and life sciences clients
- Frazier & Deeter — regional/national CPA firm with established HITRUST practice and healthcare audit experience
- IS Partners — specialist firm that operates prominently in the HIPAA assessment space with SOC 2 bundled options
- KirkpatrickPrice — specialty firm that explicitly publishes documented $25,000–$30,000 bundled SOC 2 + HIPAA packages; among the most transparent on combined-engagement pricing in the directory
The remaining six HITRUST-accredited firms in the directory are available via the directory filtered by HITRUST accreditation.
For firms with healthcare experience but without HITRUST accreditation, the evaluation question changes: ask them explicitly what methodology they use for the HIPAA assessment component (HITRUST CSF, NIST 800-66, AICPA HIPAA Security Rule guide, or their own proprietary framework) and whether they have issued standalone HIPAA gap analysis reports previously. Healthcare experience is relevant context; HITRUST accreditation is a verifiable quality signal.
To explore all 74 healthcare-serving firms, use the healthcare-filtered directory view. To narrow to those with HITRUST accreditation, use the HITRUST-filtered view. For the full 126-firm set, see the complete directory.
Before evaluating overlay capability, confirm AICPA standing first — the AICPA membership verification guide covers the four-step check that applies to every firm regardless of vertical specialization.
How does a HIPAA-overlay engagement change the bridge letter and renewal cadence?
A bridge letter in a SOC 2 + HIPAA overlay engagement may need to cover two things: SOC 2 trust services control continuity through the gap period AND HIPAA Security Rule control continuity through the same period. Many firms include only the SOC 2 half by default. Confirm in writing before the engagement ends which scope the bridge letter covers.
A SOC 2 bridge letter addresses the period between the end of the observation window and the date a customer or prospect is relying on the report — for example, the 90-day gap between a December 31 observation period end-date and a March closing due-diligence review. For the mechanics of how bridge letters work in a standard SOC 2 context, see the SOC 2 bridge letter deep-dive.
When HIPAA work is in scope, the bridge letter question becomes more complex.
What the bridge letter needs to address for HIPAA: The customer receiving your SOC 2 + HIPAA package is relying on both documents. The SOC 2 bridge letter covers trust services control continuity for the gap period — your auditor is attesting that no material changes to controls have occurred since the observation period ended. If the customer’s diligence also relies on the HIPAA gap analysis, they may need assurance that HIPAA Security Rule controls have also remained substantially unchanged through the bridge period. Some firms build this into a single bridge letter. Others issue separate bridge letters for each deliverable. Many do neither unless specifically asked.
Renewal cadence misalignment: SOC 2 Type 2 is annual by convention — most organizations renew on a 12-month observation period cycle. HIPAA reviews do not have a mandated annual cycle; organizations often conduct annual HIPAA Security Rule risk analyses under §164.308(a)(1), but the review cadence is flexible. HITRUST CSF validated assessments run on a 24-month cycle, with an interim 1-year surveillance. This means a SOC 2 + HIPAA overlay portfolio may look like this:
- Month 1: SOC 2 observation period begins; HIPAA gap analysis conducted
- Month 12: SOC 2 observation period ends; report issued; HIPAA gap analysis is 12 months old
- Month 13–15: Bridge letter covers SOC 2 gap; HIPAA analysis is aging
- Month 24: SOC 2 Year 2 observation ends; HIPAA gap analysis refreshed
If the HIPAA component is a HITRUST validated assessment rather than a gap analysis, the 24-month cycle creates an even larger misalignment: in Year 2 of the SOC 2 program, the HITRUST assessment is being renewed rather than refreshed annually, which changes the nature of what the bridge letter can attest to.
The practical resolution: negotiate the HIPAA review cadence with your auditor at the start of the engagement, document it in the engagement letter or statement of work, and confirm explicitly what bridge letter language will cover for HIPAA control continuity. Customers who ask for a bridge letter will almost certainly be asking about the SOC 2 half; if they need HIPAA continuity assurance, it must be scoped intentionally.
For standalone HIPAA audit cost comparisons that help frame how HIPAA assessment pricing changes when bundled versus separate, see the dedicated cost guide.
What questions should you ask the auditor before signing a combined SOC 2 + HIPAA engagement?
Eight written questions will surface whether a firm has genuine SOC 2 + HIPAA overlay capability or is assembling the engagement on the fly. Send them before the engagement letter is executed and require written responses — either in the engagement letter or a separate representation document.
These questions are designed to surface methodology gaps, pricing transparency, and deliverable clarity before you are contractually bound. A firm with real overlay experience will answer all of them without hesitation.
1. “Will you deliver one combined report or two separate deliverables — a SOC 2 attestation report and a separate HIPAA gap analysis or HITRUST assessment?”
The correct answer is two separate deliverables. Any response suggesting a single “SOC 2 + HIPAA report” warrants follow-up on what that document actually contains and whether the SOC 2 opinion conforms to AICPA AT-C 205.
2. “Is the HIPAA portion an attestation, a gap analysis, or a HITRUST CSF assessment? What standard or methodology does it follow — HITRUST CSF, NIST 800-66, AICPA HIPAA Security Rule guide, or your own framework?”
This separates firms with documented methodology from those improvising. The HITRUST CSF methodology is the most rigorous and most widely accepted. NIST 800-66 is a recognized mapping guide. A proprietary methodology is acceptable if the firm can produce documentation and examples of prior reports.
3. “What is the fee allocation between SOC 2 and HIPAA work? Is there a discount applied for evidence reuse?”
A firm with integrated methodology will be able to articulate this. If the firm cannot explain the fee structure — or if the HIPAA fee is the same as a standalone HIPAA assessment despite SOC 2 evidence collection running concurrently — the engagement is likely two parallel tracks, not an integrated overlay.
4. “Do you hold HITRUST CSF Assessor accreditation? If yes, can you also issue HITRUST i1 or r2 validated assessments as an alternative or supplement to the gap analysis?”
The 17 firms in our directory with HITRUST accreditation can answer yes. For firms without it, the follow-on question is whether they intend to pursue accreditation — and whether the HIPAA deliverable will be accepted by your customers who may expect HITRUST format.
5. “Will the engagement team include a practitioner with explicit HIPAA Security Rule assessment experience? Or will the SOC 2 team also cover the HIPAA scope?”
The concern here is competence allocation, not headcount. A SOC 2 team unfamiliar with HIPAA regulatory specifics — breach notification requirements, BAA obligation coverage, addressable vs. required specification distinctions — will produce a surface-level HIPAA gap analysis that does not satisfy healthcare buyer scrutiny. Ask for the relevant team member’s background and prior HIPAA assessment engagements.
6. “What does the bridge letter cover for HIPAA — Security Rule controls, breach notification readiness, or only the SOC 2 trust services?”
The right answer depends on your customer requirements, but the firm should be able to tell you what their standard bridge letter covers and what requires additional scope. If the answer is “bridge letters only cover SOC 2,” that is a known limitation to plan around before the observation period ends.
7. “If our customer is a Covered Entity that asks for a Business Associate Agreement review as part of the HIPAA work, is that in scope or a separate engagement?”
BAA review is a legal service, not an audit service — CPA firms cannot provide legal advice. Some firms have affiliated legal practices or referral arrangements; others do not. Knowing this boundary upfront prevents scope confusion when a healthcare customer’s legal team asks for BAA documentation as part of the HIPAA review.
8. “If we later want to upgrade from a HIPAA gap analysis to a HITRUST i1 or r2 validated assessment, how does pricing and timeline change? Can we use the same engagement team?”
This is a forward-planning question for organizations that start with a gap analysis and may need HITRUST certification as they grow into larger health system customers. A firm with a HITRUST practice will have a clear answer on the gap analysis-to-validated-assessment upgrade path. A firm without one will not.
For context on what AICPA membership and peer review standing you should verify before any of these questions become relevant, see the AICPA membership verification guide. For how firm tier and pricing shape the overlay conversation differently at Big Four vs. specialist firms, see Big Four vs. specialist auditor comparison.
The healthcare directory hub (soc-2-auditors-healthcare) lists healthcare-vertical firms with filtering by HITRUST accreditation for side-by-side comparison.
Frequently asked questions
What does a SOC 2 + HIPAA overlay engagement mean from the auditor’s side?
The auditor performs the SOC 2 attestation under SSAE 18 and a HIPAA Security Rule assessment in the same engagement window, delivering two separate documents: a SOC 2 Type 2 report and a HIPAA gap analysis or HITRUST CSF assessment. There is no single “SOC 2 + HIPAA combined report” because HIPAA has no AICPA-promulgated attestation framework. Firms that describe issuing a “combined report” typically mean they deliver both documents packaged in one engagement binder — the underlying deliverables remain structurally distinct.
How does the auditor avoid double-billing when SOC 2 and HIPAA evidence overlaps?
Firms with integrated overlay methodology run one engagement team collecting evidence once. Access reviews, encryption logs, training completion records, and vendor risk documentation are gathered once and applied to both SOC 2 sampling and HIPAA regulatory coverage mapping. This typically produces a 15–25% reduction on what the HIPAA assessment would cost as a standalone engagement. Firms without integrated methodology run two parallel teams — and the bill reflects both.
Where does the SOC 2 evidence file end and the HIPAA gap analysis begin?
SOC 2 evidence is sampling-based over an observation period. HIPAA gap analysis is coverage-based against all applicable Security Rule specifications. They share evidence at the intersection of access control, encryption, training, and vendor management — but they diverge on HIPAA-specific requirements (breach notification, BAA chain) and SOC 2-specific criteria (processing integrity). For the buyer-side control overlap detail and the TSC-to-HIPAA Security Rule mapping table, see SOC 2 for healthcare companies.
Which firms in the directory have HIPAA overlay capability?
17 of 126 firms hold HITRUST CSF Assessor accreditation — the strongest proxy for overlay capability. 74 firms list healthcare as a served industry, but industry listed is not accreditation held. The HITRUST-accredited group includes 360 Advanced, A-LIGN, BARR Advisory, Coalfire, KirkpatrickPrice, Frazier & Deeter, and others. Browse the full directory with HITRUST and healthcare filters to compare.
How does the bridge letter change when HIPAA is in scope?
A standard SOC 2 bridge letter covers trust services control continuity through the gap period. With HIPAA in scope, you may also need HIPAA Security Rule control continuity addressed in the bridge letter or a parallel document. Many firms do not include HIPAA continuity in their default bridge letter — confirm scope in writing before the observation period closes. Misaligned renewal cycles (SOC 2 annual, HITRUST validated biennial) require deliberate planning in the engagement letter.
Should the SOC 2 and HIPAA engagement produce one combined report or two deliverables?
Almost always two deliverables. The SOC 2 attestation report must conform to AICPA AT-C 205 structure. The HIPAA component — gap analysis, readiness report, or HITRUST validated assessment — follows different standards and cannot be formally merged with the SOC 2 opinion without compromising the integrity of both. “Combined engagement” means one team, one observation window, shared evidence — not one blended document.