Question 1

Is HIPAA a certification?

Accepted Answer

No. HIPAA is a U.S. federal law enforced by HHS Office for Civil Rights. There is no government-issued HIPAA certificate. Vendors commonly demonstrate readiness via a HIPAA-aligned SOC 2 + Privacy report, a third-party HIPAA gap assessment, or a HITRUST CSF certification that maps to HIPAA controls.

Question 2

Does a SOC 2 report cover HIPAA?

Accepted Answer

Not automatically. A SOC 2 with the Confidentiality and Privacy Trust Services Criteria can be scoped to map to the HIPAA Security Rule, but the auditor must explicitly include HIPAA-specific controls in the engagement. Ask your auditor for a SOC 2 + HIPAA mapping deliverable if your buyers expect both.

Question 3

Do I need a Business Associate Agreement (BAA) with my SOC 2 vendor?

Accepted Answer

Yes, if the platform processes PHI on your behalf. Most major SOC 2 platforms (Vanta, Drata, Secureframe) sign BAAs on enterprise plans. Confirm BAA availability in writing before the platform touches any PHI.

HIPAA

Key controls