AT-C 315 vs. SOC 2: Healthcare Organizations Keep Getting This Wrong - Here's the Difference


Sam McNaull

  • February 26, 2026 10:30:00 AM

  • 10 Minute Read


If you work in healthcare compliance, you have probably heard this line in a meeting: "We have a SOC 2 - we're good on HIPAA attestation."

This is one of the most common misunderstandings in healthcare compliance. AT-C 315 and SOC 2 are both third-party attestations, both involve CPA firms, and both create trust signals. But they are not interchangeable, and choosing the wrong one can delay procurement, contracts, and payer approvals.

Here is what each report is, why they differ, and when each one is required.


What Is AT-C 315, Really?

AT-C Section 315, Compliance Attestation, is one of the AICPA attestation standards (the AT-C sections codified by SSAE No. 18 and amended by later SSAEs). It governs engagements in which a practitioner examines an entity's compliance with specified requirements, such as laws or regulations.

In a HIPAA-focused AT-C 315 engagement, a licensed CPA firm examines whether your organization complied with HIPAA requirements over a defined period, usually 12 months. The evaluation scope can include the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

The output is a formal attestation report with a professional opinion about compliance. This is often requested by payers, CMS-related programs, state Medicaid programs, large covered entities, and healthcare procurement teams that require HIPAA-specific evidence.


What Is SOC 2, and How Does It Relate to Healthcare?

SOC 2 evaluates a service organization's controls against the AICPA Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy).

A SOC 2 Type I report opines on whether controls are suitably designed and implemented as of a single date. A SOC 2 Type II report also opines on whether those controls operated effectively over a period (typically 6 to 12 months), which is why most buyers ask for Type II.

SOC 2 is valuable for technology vendor risk and enterprise security reviews. But a SOC 2 opinion is about controls measured against the Trust Services Criteria; it is not an opinion that the organization complied with the HIPAA regulations. Some firms issue a "SOC 2 + HIPAA" report that maps controls to HIPAA Security Rule safeguards as additional subject matter, but that is still a controls opinion, not a compliance opinion under AT-C 315, and a stakeholder who asks for HIPAA attestation may not accept it.


The Difference That Actually Matters

A SOC 2 report demonstrates that controls align to the Trust Services Criteria. An AT-C 315 HIPAA examination demonstrates whether your organization complied with HIPAA requirements during the examination period.

Those are related outcomes, but not the same attestation objective.

  • AT-C 315 basis: the HIPAA regulations (45 CFR Parts 160 and 164), as the specified compliance requirements
  • SOC 2 basis: AICPA Trust Services Criteria
  • AT-C 315 purpose: demonstrate HIPAA compliance attestation
  • SOC 2 purpose: demonstrate security and operational control maturity
  • AT-C 315 audience: payers, covered entities, regulatory and healthcare contract stakeholders
  • SOC 2 audience: enterprise tech buyers and vendor risk teams

When You Need Each One

You likely need AT-C 315 if:

  • Covered entities or payers explicitly require HIPAA attestation
  • You support CMS or Medicaid-related programs with attestation requirements
  • You are pursuing healthcare contracts that call for HIPAA-specific independent evidence
  • Counsel or risk stakeholders require formal HIPAA compliance attestation

SOC 2 may be sufficient if:

  • Buyers primarily evaluate broad security posture and control operations
  • Procurement and vendor risk programs use SOC 2 as their baseline requirement
  • You are building early-stage enterprise trust before healthcare-specific attestation expansion

Practical summary: SOC 2 helps with security credibility. AT-C 315 is what stakeholders ask for when they specifically need HIPAA attestation evidence.


Can You Do Both?

Yes, and many healthcare technology organizations should. You do not need two completely separate compliance programs if controls are designed correctly from the start.

A unified control framework can map each control to both the HIPAA safeguard it satisfies and the SOC 2 criterion it supports. Most of the controls overlap: workforce security training, access provisioning and review, encryption of ePHI at rest and in transit, audit logging, security incident response, and vendor (business associate) management each serve a HIPAA Security Rule safeguard and a Trust Services Criteria control point. Shared controls, a single evidence repository, and examination periods aligned to the same window let one collection effort support both reports, which makes dual attestation far cheaper than running two programs.


A Note on "HIPAA Certification"

There is no federal "HIPAA certification" issued by HHS. HIPAA compliance is an ongoing operational state, not a permanent badge.

AT-C 315 provides independent attestation for a defined period and should be renewed on a recurring basis as systems, vendors, and operations evolve.


Frequently Asked Questions

Is AT-C 315 required by HIPAA?
No. HIPAA requires compliance; AT-C 315 is one accepted mechanism to demonstrate compliance to third parties.

Can SOC 2 replace AT-C 315?
Generally no, when a payer or healthcare stakeholder explicitly requests HIPAA attestation.

How long does an AT-C 315 examination take?
Often around 3 to 6 months, depending on evidence readiness and control maturity.

Do we need to renew annually?
Yes. Attestation reports cover defined periods and should remain current.


Ready to build one compliance program that supports both AT-C 315 and SOC 2 audiences?

Iron Fort's unified control approach helps teams map once and demonstrate to multiple healthcare and enterprise stakeholders.

This article is for informational purposes only and does not constitute legal advice. Consult qualified counsel for your organization's specific obligations.