SOC 2, HIPAA, and GDPR share a large security core — access control, encryption, audit logging, incident response, and vendor risk map cleanly across SOC 2 Common Criteria CC6–CC9, HIPAA 45 CFR 164.308/164.312, and GDPR Article 32. Most security evidence is reusable. But the three are different kinds of thing (a CPA attestation, a US statutory rule, an EU regulation), and each adds obligations the others don’t — HIPAA’s ePHI-scoped rules and Business Associate Agreements; GDPR’s data-subject rights, RoPA, DPIAs, and transfer mechanisms. Map the overlap once; treat the gaps as framework-specific overlays.
Key takeaways
- The security core cross-maps tightly. SOC 2 CC6–CC7, HIPAA 45 CFR 164.312, and GDPR Art. 32 all demand access control, encryption, logging, and incident response — one evidence set can satisfy all three.
- The gaps do not transfer. HIPAA needs Business Associate Agreements and ePHI-scoped risk analysis; GDPR needs a lawful basis, data-subject rights (Arts. 15–22), RoPA (Art. 30), DPAs (Art. 28), DPIAs (Art. 35), and transfer safeguards. Neither is covered by SOC 2 security.
- A SOC 2+ report maps SOC 2 to a second framework in one CPA examination — it is assurance of alignment, not a HIPAA attestation, a GDPR certificate, or an ISO 27001 certificate.
- Breach clocks differ. GDPR Art. 33 is “where feasible, within 72 hours of becoming aware”; HIPAA is “no later than 60 calendar days from discovery.” Build one incident process to the tighter clock.
- HIPAA rules may tighten. An HHS NPRM (published 6 Jan 2025) proposes to end the Required/Addressable distinction and mandate encryption and MFA — not finalized as of July 2026.
TL;DR — what overlaps, what doesn’t
If you already run a SOC 2 audit against the Trust Services Criteria, you have built most of the technical security controls that HIPAA and GDPR also demand. In our coordinated examinations, the reusable core is consistent: identity and access management, encryption in transit and at rest, centralized logging and monitoring, formal change management, vulnerability management, and vendor due diligence. That work carries over. What does not carry over is the paperwork and rights machinery unique to each regime — and that is exactly where teams over-claim coverage and get caught in enterprise diligence.
The honest framing is: SOC 2 gives you a large head start on HIPAA’s safeguards and on GDPR’s security of processing — but not on HIPAA’s Business Associate Agreements or GDPR’s privacy-governance duties. This guide gives you the control-by-control crosswalk, a shared-evidence matrix, and the specific gaps to flag rather than paper over.
The three frameworks are not the same kind of thing
Before mapping controls, separate the categories. A crosswalk fails the moment someone treats a SOC 2 report as if it “certifies” HIPAA. SOC 2 is a CPA attestation performed under the AICPA’s attestation standards (SSAE 18, with concepts in AT-C section 105 and the examination performed under AT-C section 205) that results in an independent auditor’s opinion. HIPAA is a US statutory rule enforced by HHS’s Office for Civil Rights — there is no government-issued HIPAA certificate; compliance is self-determined and demonstrable through documentation and, optionally, third-party assessment. GDPR is an EU regulation whose compliance is shown through accountability documentation, not a single certificate.
| Dimension | SOC 2 | HIPAA (Security Rule) | GDPR | ISO 27001:2022 (ref.) |
|---|---|---|---|---|
| Governing body / standard | AICPA — SSAE 18 / TSP section 100 | HHS OCR — 45 CFR Part 164 | EU / EDPB — Reg. (EU) 2016/679 | ISO/IEC — 27001:2022 + Annex A |
| Legal status | Voluntary attestation | Statutory rule (mandatory for covered entities/BAs) | Regulation (mandatory) | Voluntary certification |
| Output | Independent CPA opinion report | No certificate — self-determined (+ optional 3rd-party) | Accountability documentation | Accredited certificate |
| Scope of data | Any system data in scope | Electronic protected health information (ePHI) | Personal data of EU/EEA data subjects | Information in the ISMS scope |
| Assessor | Licensed CPA firm | Self or third-party assessor | Controller/processor; DPA on enforcement | Accredited certification body |
| Renewal cadence | Annual (rolling observation periods) | Ongoing; risk analysis kept current | Ongoing accountability | 3-year cycle + annual surveillance |
| Breach clock | Not applicable | ≤ 60 calendar days from discovery | 72 hours where feasible, from awareness | Not prescribed |
| Territorial trigger | Buyer/contract driven | US covered entities & business associates | Processing EU personal data / targeting EU | Organizational choice |
This matters commercially. A buyer’s security team may accept your SOC 2 report as evidence of your control environment, but their legal team will still want a signed Business Associate Agreement (for PHI) or a Data Processing Agreement (for EU personal data). Those are contractual obligations that no attestation replaces. For financial-reporting controls, note that SOC 1 / ICFR is a separate report and is out of scope for this security-focused crosswalk.
The master crosswalk: SOC 2 TSC ↔ HIPAA 45 CFR 164 ↔ GDPR Article
The table below is the centerpiece. It maps each control domain to its SOC 2 Trust Services Criteria identifier, the corresponding HIPAA Security Rule section in 45 CFR 164, and the relevant GDPR article, then states the shared control and the single reusable evidence artifact. The final column flags the framework-specific overlay you still owe.
A note on methodology: defensible crosswalks route through a neutral control spine rather than asserting one-to-one matches. NIST SP 800-53 and the NIST Cybersecurity Framework 2.0 are the common anchors most GRC tooling uses; ISO/IEC 27001:2022 Annex A is the credential many EU processors present for GDPR. Where a mapping is approximate, we say so. HIPAA implementation specifications marked † Addressable are currently addressable (not optional — you must implement or document why an alternative is reasonable); see the regulatory-status note after the table.
| Control domain | SOC 2 TSC | HIPAA (45 CFR) | GDPR | Shared control & reusable evidence | Framework-specific overlay |
|---|---|---|---|---|---|
| Access control | CC6.1 | 164.312(a)(1) | Art. 32; Art. 5(1)(f) | Logical access restricted to authorized users — access-control policy + system config export | HIPAA scopes to ePHI systems specifically |
| Unique user IDs | CC6.1 | 164.312(a)(2)(i) (Required) | Art. 32 | Every user has a unique identifier — IdP user list | — |
| Authentication / MFA | CC6.1, CC6.2 | 164.312(d) | Art. 32 | Identity verified before access — MFA configuration screenshot | Proposed HIPAA rule would mandate MFA (not final) |
| User provisioning / de-provisioning | CC6.2, CC6.3 | 164.308(a)(4) (info access mgmt) | Art. 32 | Access granted/revoked on role change — onboarding/offboarding tickets | — |
| Least privilege / RBAC | CC6.3 | 164.308(a)(4); 164.312(a)(1) | Art. 5(1)(c); Art. 32 | Access limited to job need — periodic access review export | GDPR adds data-minimisation intent |
| Encryption in transit | CC6.7 | 164.312(e)(1); (e)(2)(ii)† | Art. 32(1)(a) | TLS enforced on data in motion — TLS/endpoint config | † Addressable under current rule |
| Encryption at rest | CC6.1, C1.1 | 164.312(a)(2)(iv)† | Art. 32(1)(a) | Stored data encrypted — storage/KMS encryption config | † Addressable; proposed rule would mandate |
| Boundary / threat protection | CC6.6, CC6.8 | 164.308(a)(5)(ii)(B) (malware) | Art. 32 | Perimeter and anti-malware controls — firewall/EDR config | — |
| Audit logging & monitoring | CC7.1, CC7.2 | 164.312(b) (audit controls) | Art. 32; Art. 5(2) | Activity logged and reviewed — SIEM/log sample + review record | — |
| Integrity controls | PI1.x, CC7.1 | 164.312(c) | Art. 5(1)(f); Art. 32 | Data protected from improper alteration — integrity/hashing config | — |
| Incident detection & response | CC7.3, CC7.4 | 164.308(a)(6) (security incident procedures) | Art. 32; Art. 33/34 | Incidents detected, evaluated, responded — IR plan + incident postmortem | Breach-notice triggers & clocks differ (see below) |
| Breach notification | — (not a TSC) | 164.400–414 (≤ 60 days) | Art. 33 (72h) / Art. 34 | Notification workflow — breach register + notice templates | SOC 2 has no notification requirement; run to the 72h clock |
| Change management | CC8.1 | 164.308(a)(8) (evaluation) | Art. 32(1)(d) | Changes reviewed, tested, approved — change tickets w/ approvals | — |
| Vulnerability mgmt & pen testing | CC4.1, CC7.1 | 164.308(a)(8) (evaluation) | Art. 32(1)(d) “regularly testing” | Regular testing/evaluation of effectiveness — pen test report + scan output | Proposed HIPAA rule would mandate annual pen test / scans |
| Risk assessment | CC3.1–CC3.4 | 164.308(a)(1)(ii)(A) (risk analysis) | Art. 32; Art. 35 (DPIA) | Documented risk assessment — risk analysis report | GDPR DPIA is triggered by high-risk processing (Art. 35) |
| Workforce training | CC1.4, CC2.2 | 164.308(a)(5) (awareness & training) | Art. 39 (awareness) | Security training delivered & tracked — training completion log | — |
| Vendor / subprocessor risk | CC9.2 | 164.308(b)(1) (BA contracts) | Art. 28 (processor / DPA) | Third parties assessed & contracted — vendor register + signed BAA/DPA | BAA (HIPAA) and DPA (GDPR) are distinct legal instruments |
| Availability & resilience | A1.1–A1.3 | 164.308(a)(7) (contingency plan) | Art. 32(1)(b),(c) | Backups & recovery tested — backup restore test record + BCP/DR plan | — |
| Physical security | CC6.4 (physical access) | 164.310 (physical safeguards) | Art. 32 | Facility/device access controlled — data-center attestation / badge logs | Cloud shifts this to provider CUECs |
| Data retention & disposal | C1.2, CC6.5 | 164.310(d)(2) (media disposal) | Art. 5(1)(e); Art. 17 | Data retained & destroyed per policy — retention schedule + disposal record | GDPR adds storage-limitation & erasure duty |
| Confidentiality classification | C1.1 | — (implicit) | Art. 5(1)(f) | Data classified & handled by sensitivity — data classification policy | — |
| Data subject rights | P5.x (partial) | — (HIPAA has its own patient rights) | Arts. 15–22 | Process to fulfil access/erasure/portability requests | GDPR-specific — not covered by SOC 2 Security |
| Records of processing (RoPA) | P1.x (partial) | — | Art. 30 | Inventory of processing activities | GDPR-specific — no SOC 2/HIPAA analogue |
| Lawful basis / consent | P2.x, P3.x (partial) | — | Art. 6; Art. 7 | Documented lawful basis & consent capture | GDPR-specific |
| International transfers | — | — | Arts. 44–49 | Transfer mechanism in place (DPF or SCCs + TIA) | GDPR-specific (see divergence section) |
Regulatory-status note (dated July 1, 2026). The rows above reflect the HIPAA Security Rule as currently in force: technical safeguards live at 45 CFR 164.312 and several implementation specifications — including encryption/decryption and automatic logoff — are Addressable, meaning you must implement them or document a reasonable alternative. HHS published a Notice of Proposed Rulemaking on 6 January 2025 that would eliminate the Required/Addressable distinction and make measures such as encryption at rest and in transit, MFA, and network segmentation mandatory. As of this update the NPRM is not finalized, it missed its spring-2026 target, and more than 100 provider groups have asked HHS to withdraw it, citing (among other things) HHS’s own roughly $9 billion first-year cost estimate. Treat the † Addressable cells as current law, but design toward the proposed baseline, because encryption and MFA are best practice regardless.
Where the frameworks diverge — the gaps you cannot map away
The most common and most damaging mistake is assuming that because the security core overlaps, the whole framework is covered. It is not. In real coordinated examinations, the controls that most often fail to transfer are the governance and rights obligations that live entirely outside SOC 2’s security scope. The table below is the object to reference when a questionnaire asks “does your SOC 2 cover HIPAA/GDPR?”
| Requirement area | SOC 2? | HIPAA? | GDPR? | Why it does / doesn’t transfer |
|---|---|---|---|---|
| Access control, encryption, logging | Yes (CC6/CC7) | Yes (164.312) | Yes (Art. 32) | Same technical intent — evidence is fully reusable |
| Risk assessment | Yes (CC3) | Yes (164.308(a)(1)) | Yes (Art. 32/35) | Reusable, but HIPAA must be ePHI-scoped and GDPR high-risk processing triggers a DPIA |
| Incident response | Yes (CC7.3/7.4) | Yes (164.308(a)(6)) | Yes (Art. 33/34) | Same control; notification triggers/clocks differ (72h vs 60d) |
| Vendor management | Yes (CC9.2) | Yes (164.308(b)(1)) | Yes (Art. 28) | Due diligence transfers; the contract (BAA vs DPA) does not |
| Business Associate Agreement | No | Yes | No (DPA instead) | HIPAA-specific legal instrument for PHI handling |
| ePHI-scoped safeguards | Partial | Yes | No | HIPAA applies to a defined data class; SOC 2 scope is broader/optional |
| Data subject rights (access/erasure) | Partial (P5) | No (own patient rights) | Yes (Arts. 15–22) | GDPR grants individuals enforceable rights SOC 2 security doesn’t address |
| Lawful basis & consent | No | No | Yes (Arts. 6–7) | Uniquely GDPR — a legal ground for processing |
| Records of Processing (RoPA) | No | No | Yes (Art. 30) | Documentation duty with no analogue elsewhere |
| DPIA | No | No | Yes (Art. 35) | Triggered by high-risk processing; SOC 2 risk assessment isn’t a substitute |
| International data transfers | No | No | Yes (Arts. 44–49) | Requires an adequacy/DPF or SCCs + transfer impact assessment |
HIPAA-only: ePHI and the BAA chain
HIPAA’s safeguards apply specifically to electronic protected health information, and its Privacy Rule (45 CFR Part 164, Subpart E) governs uses and disclosures that SOC 2 never touches. If you handle PHI on behalf of a covered entity, you are a business associate and must sign a Business Associate Agreement under 164.308(b)(1) — and flow equivalent terms down to your own subprocessors. A SOC 2 report can evidence the safeguards behind that BAA, but it cannot be the BAA.
GDPR-only: rights, records, and transfers
GDPR’s privacy-governance obligations have no SOC 2 or HIPAA equivalent. You need a documented lawful basis (Art. 6), a way to honour data-subject rights (Arts. 15–22), Records of Processing Activities (Art. 30), Data Processing Agreements with processors (Art. 28), and Data Protection Impact Assessments for high-risk processing (Art. 35). On transfers, the 2026 reality is that the EU-US Data Privacy Framework (the European Commission’s July 2023 adequacy decision, upheld by the EU General Court on 3 September 2025) lets a US organisation that self-certifies to the DPF receive EU personal data without additional safeguards. For recipients not DPF-certified, Standard Contractual Clauses plus a transfer impact assessment remain the fallback (Arts. 44–49). The DPF’s durability carries residual risk tied to US surveillance law (Section 702 FISA), so many teams keep SCCs ready as a backstop.
How much of a head start does SOC 2 give you?
A mature SOC 2 (Security) program covers a large share of HIPAA’s technical and administrative safeguards, because CC6–CC8 map closely to 45 CFR 164.312 and 164.308. Vanta states that organisations already SOC 2 compliant “may be up to 65% of the way toward HIPAA compliance, based on controls cross-mapped in Vanta.” That is a useful directional benchmark — but it is a Vanta-tool-specific estimate, not an independent industry figure, so treat it as a competitor claim rather than a law of nature. The defensible way to talk about overlap is by safeguard family, not a single blended percentage.
| Your situation | Recommended first | What it unlocks toward the others | Head-start (with caveat) |
|---|---|---|---|
| US SaaS selling to enterprise | SOC 2 (Security) | Builds the security core reused by HIPAA 164.312/308 and GDPR Art. 32 | Large on security safeguards; none on BAAs or GDPR privacy duties |
| Healthtech handling PHI | SOC 2 + HIPAA (SOC 2+) | One examination maps CC6–CC8 to 164.312/308; adds BAA + ePHI risk analysis | Vanta cites up to ~65% toward HIPAA from SOC 2 (tool estimate) |
| EU-facing / EU personal data | SOC 2 + GDPR readiness | Art. 32 security satisfied by CC6/CC7; layer on RoPA, DPAs, DSR, transfers | Strong on security; privacy governance is net-new |
| All three at once | Coordinated SOC 2+ examination | Single control library + shared evidence; framework overlays added once | Biggest efficiency gain; still needs each framework’s unique docs |
For a stage-by-stage view of sequencing as you grow, see our compliance roadmap from seed to Series C. If you are weighing dual financial-plus-security reporting, our note on when you need SOC 1 and SOC 2 together covers that adjacent decision.
What a SOC 2+ report is — and what it does not replace
A SOC 2+ report is an AICPA “SOC 2 report with additional subject matter”: one CPA examination that maps your SOC 2 Trust Services Criteria to an additional framework (commonly the HIPAA Security Rule, ISO 27001, or NIST) and reports on both in a single deliverable. It provides assurance of alignment from a licensed CPA — it is not a HIPAA attestation, a GDPR certification, or an ISO 27001 certificate, and it does not by itself produce a BAA or GDPR privacy documentation.
The value is efficiency and credibility: one scoping exercise, one evidence set, one fieldwork window, one report your buyers can read. Rather than running three disconnected projects, a coordinated examination tests the shared security core once and layers the framework-specific mappings on top. That is how a well-run audit methodology avoids the “audit fatigue” of collecting the same access review three times.
The guardrail matters because the central over-claim in this space is treating a SOC 2+ report as a HIPAA “certification.” There is no such thing — HIPAA is a statutory obligation with no government certificate. A SOC 2+ demonstrates that your controls align with HIPAA’s safeguards; you remain responsible for the BAA chain, ePHI-scoped risk analysis, and breach-notification obligations. For EU stakeholders who prefer an international assurance standard, the closest equivalent examination is ISAE 3000.
Build your unified control library in five steps
The mechanics of “map once, satisfy three” come down to a single control register that is framework-tagged and evidence-keyed. Here is the sequence we run in coordinated engagements.
- Scope the systems and data. Name the systems, cloud environments, and subprocessors in scope, and classify the data each touches (general data, ePHI, EU personal data). Scope drives everything downstream — getting it wrong cascades into the wrong controls and wrong evidence.
- Build one control register. Create a single list of controls with a stable ID and a role-based owner for each. Do not maintain separate SOC 2, HIPAA, and GDPR lists — that is where drift starts.
- Map each control to all three frameworks. Tag every control with its SOC 2 criterion, HIPAA CFR section, and GDPR article using the master crosswalk above. Flag the framework-specific overlays (BAA, RoPA, DSR, transfers) as their own controls so nothing is silently assumed “covered.”
- Define shared evidence and cadence. For each control, name the single reusable artifact, its collection frequency, and its system of record — the shared-evidence matrix above is the template. Add a pre-submission quality gate.
- Run coordinated audit cycles. Schedule one examination that tests the shared core once, then layers framework-specific testing. Feed findings back into the register so the next cycle is faster.
Common mapping mistakes
The failure modes below recur in nearly every first coordinated engagement. Each maps to a specific gap in the crosswalk.
- Mapping only 164.312 and ignoring 164.308/164.310. HIPAA is broader than technical safeguards — administrative safeguards (risk analysis, workforce security, BA contracts) at 164.308 and physical safeguards at 164.310 must be mapped too, or your crosswalk covers a third of the rule.
- Assuming SOC 2’s Privacy category equals GDPR. SOC 2 Privacy (P1.0–P8.0) only partially addresses GDPR. Data-subject rights (Arts. 15–22), lawful basis, RoPA (Art. 30), DPIAs (Art. 35), and transfers (Arts. 44–49) remain GDPR-only.
- Treating a SOC 2+ report as a HIPAA certification. It is assurance of alignment, not a certificate, and never a substitute for a signed BAA.
- Running one breach playbook that misses the 72-hour clock. A single incident-response control can satisfy both regimes only if it defaults to GDPR’s tighter “where feasible, within 72 hours of awareness” standard while also meeting HIPAA’s 60-day-from-discovery rule.
- Citing SCCs as the only transfer mechanism. In 2026 the EU-US Data Privacy Framework is the primary route for DPF-certified US recipients; SCCs plus a transfer impact assessment are the fallback.
Frequently asked questions
Do SOC 2, HIPAA, and GDPR share the same controls?
They share a large security core but not everything. SOC 2’s Common Criteria (CC6–CC7), HIPAA’s 45 CFR 164.312 technical safeguards, and GDPR Article 32 all require access control, encryption, audit logging, and incident response, so most security evidence is reusable. HIPAA adds ePHI-specific rules; GDPR adds privacy obligations neither other framework covers.
How much of HIPAA does SOC 2 cover?
A SOC 2 (Security) program covers much of HIPAA’s technical and administrative safeguards because CC6–CC8 map closely to 45 CFR 164.312 and 164.308. Vanta estimates you may be up to 65% of the way toward HIPAA “based on controls cross-mapped in Vanta,” but SOC 2 alone does not satisfy Business Associate Agreements, ePHI-scoped risk analysis, or breach notice within 60 days.
Can one audit cover SOC 2, HIPAA, and GDPR?
Partly. A SOC 2+ report (an AICPA “SOC 2 report with additional subject matter”) lets one CPA examination map SOC 2 controls to HIPAA and GDPR criteria and share evidence, reducing duplicate work. It provides assurance of alignment but is not a HIPAA attestation, GDPR certification, or ISO 27001 certificate; GDPR still needs privacy-specific documentation.
Which GDPR requirements are NOT covered by SOC 2 or HIPAA?
GDPR-only obligations include lawful basis and consent, data subject rights (Articles 15–22), Records of Processing Activities (Article 30), Data Processing Agreements (Article 28), Data Protection Impact Assessments (Article 35), and international transfer mechanisms such as the EU-US Data Privacy Framework and SCCs (Articles 44–49). SOC 2 and HIPAA focus on security, not these privacy-governance duties.
What is the difference between HIPAA and GDPR breach notification timelines?
GDPR Article 33 requires notifying the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach. HIPAA’s Breach Notification Rule (45 CFR 164.400–414) requires notice without unreasonable delay and no later than 60 calendar days from discovery. A shared incident-response control satisfies both if it tracks the tighter 72-hour clock.
How do you map one control to SOC 2, HIPAA, and GDPR at once?
Build a single control library keyed to a shared evidence artifact, then tag each control with its SOC 2 criterion, HIPAA CFR section, and GDPR article. For example, MFA and access reviews satisfy SOC 2 CC6.1, HIPAA 45 CFR 164.312(a)(1) and (d), and GDPR Article 32 simultaneously, so one access-review export becomes evidence for all three.
Sources & references
- AICPA & CIMA — 2017 Trust Services Criteria (With Revised Points of Focus — 2022), TSP section 100.
- eCFR — 45 CFR 164.312, Technical safeguards, and 45 CFR Part 164, Subpart C (Security Rule).
- HHS.gov — Breach Notification Rule (45 CFR 164.400–414) and the 2025 HIPAA Security Rule NPRM fact sheet.
- gdpr-info.eu (Regulation (EU) 2016/679) — Article 32 (security of processing), Article 33, Article 28, and Article 30.
Run one coordinated audit instead of three
Auditsuisse is a US & Swiss licensed CPA firm. We map your controls once across SOC 2, HIPAA, and GDPR, reuse a single evidence set, and issue a coordinated report — see our compliance audit services or book a scoping call to size a SOC 2+ examination.
Request Consultation