Here is the short version. "HIPAA compliant" is a self-declaration, not a certification — HHS does not endorse or recognize any private organization's HIPAA "certification," and holding one does not absolve anyone of their legal obligations. SOC 2 is an audit report, produced by a CPA firm, describing whether a service organization's controls were suitably designed and (in a Type 2) operating effectively over a period. HITRUST is a certification against a proprietary control framework that maps to many standards including HIPAA. All three tell you something. None of them tells you the vendor is safe, and none of them transfers your liability.
The three claims, decoded
| "HIPAA compliant" | SOC 2 | HITRUST certified | |
|---|---|---|---|
| What it is | A vendor's own assertion | An attestation report by a CPA firm | A certification against the HITRUST CSF |
| Who grants it | Nobody — the vendor says it | An independent CPA firm | HITRUST, via an authorized external assessor |
| Government recognized? | No — HHS explicitly does not recognize private HIPAA certifications | No — it is a private professional standard | No — it is a private framework |
| Scope fixed? | Undefined | Chosen by the vendor (which criteria, which systems) | Scoped to a defined assessment (e1, i1, r2) |
| Point-in-time or period? | Neither — it is a statement | Type 1 = point-in-time; Type 2 = over a period | Certification with a defined validity term |
| Does it satisfy your HIPAA duty? | No | No | No |
"HIPAA compliant" — the claim with no issuing body
This is the single most important thing a health-tech buyer can internalize: there is no such thing as a government HIPAA certification. HHS has said so directly. In its official FAQ, HHS states that there is no standard or implementation specification requiring a covered entity to "certify" compliance, and that "HHS does not endorse or otherwise recognize private organizations' 'certifications' regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule." It adds that a certification performed by an external organization does not preclude HHS from later finding a security violation.
What the Security Rule does require is an evaluation — a periodic technical and non-technical assessment of how well your safeguards meet the rule's requirements. That evaluation can be done internally or by an outside firm. But the outcome is your evidence, not a badge.
What you should ask for instead: a Business Associate Agreement. A BAA is a contract, it is legally required before a business associate creates, receives, maintains, or transmits ePHI on your behalf, and it is enforceable. A vendor that will sign a BAA has skin in the game. A vendor that displays a HIPAA badge but hedges on the BAA has told you everything.
SOC 2 — a real report, but read the fine print
A SOC 2 examination is a report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy — the Trust Services Criteria. It is a genuine independent examination performed under AICPA professional standards, and it is far more substantive than a self-declared badge.
But two variables decide whether it means much:
- Type 1 vs. Type 2. A Type 1 assesses whether controls are suitably designed at a point in time. A Type 2 assesses whether they actually operated effectively across a period. A Type 1 is a snapshot of intentions; a Type 2 is evidence of behavior. Ask which one you are being shown, and for a Type 2, ask the length of the observation period.
- Scope. The vendor chooses which Trust Services Criteria are in scope and which systems are covered. A SOC 2 covering only "Security" for a single product line tells you nothing about the confidentiality of the module you are actually buying.
And the part almost nobody reads: exceptions. A SOC 2 report can contain qualified opinions and noted control failures and still be handed to you as "our SOC 2." Ask for the full report under NDA, not the certificate image. Then read the auditor's opinion, the scope section, the complementary user entity controls (things you must do for their controls to work), and the exceptions table.
HITRUST — the most rigorous, and the most often misdescribed
HITRUST is different in kind. The HITRUST CSF is a control framework that, per HITRUST, harmonizes over 70 standards and regulations — including ISO/IEC, NIST, HIPAA, PCI, and GDPR — into a single control library. Unlike SOC 2, it produces an actual certification with defined assessment tiers. HITRUST describes three: e1 (foundational, 43 core controls, one-year validity), i1 (threat-adaptive, 182 control requirements, one-year validity), and r2 (tailored, the highest level of control requirements, two-year validity).
Those tiers matter enormously and vendors rarely lead with them. "We're HITRUST certified" is a meaningfully different statement if it means e1 versus r2. Ask which assessment, ask the date, and ask when it expires.
It is still, however, a private certification. It is not government-recognized, and by the HHS logic above, it does not absolve you or the vendor of Security Rule obligations. It is strong evidence of a mature program. It is not a legal shield.
What none of them do
- None transfers your liability. You remain responsible for your own risk analysis and safeguards regardless of what your vendor holds.
- None substitutes for a BAA. The contract is the mechanism that binds the vendor to safeguard ePHI and report incidents to you.
- None is self-updating. Every one of them describes a past state. A two-year-old report describes a company that may no longer exist in the same form.
- None covers everything the vendor sells. Scope is chosen. Always ask what was excluded.
- None guarantees the subcontractors are safe. Ask who the vendor's subprocessors are and what flows down to them.
The questions that cut through it
- Will you sign our BAA? (If no, the conversation is over.)
- Which is it — a self-attestation, a SOC 2 Type 1, a SOC 2 Type 2, or a HITRUST certification? Show me the document, not the logo.
- For SOC 2: what period, which Trust Services Criteria, which systems, and what exceptions were noted?
- For HITRUST: e1, i1, or r2? Issued when? Expires when?
- What are the complementary user entity controls — what do we have to do for your controls to work?
- Who are your subprocessors, and do they hold equivalent assurances?
- When was your last penetration test, and will you share the summary?
- What is your contractual breach-notification window to us, in days?
The takeaway
Rank the claims honestly: a signed BAA plus a current SOC 2 Type 2 or HITRUST r2, with the full report in your hands, is real assurance. A logo on a marketing page is not. The vendor who says "we are not certified, but here is our BAA, our SOC 2 Type 2 with two exceptions we have remediated, and our pen-test summary" is telling you far more — and is far more trustworthy — than the one whose homepage says "100% HIPAA compliant." Compliance is a posture you maintain, not a trophy someone hands you.
Common questions
Is there an official HIPAA certification?
No. HHS states that no standard or implementation specification requires a covered entity to certify compliance, and that HHS does not endorse or recognize private organizations' certifications regarding the Security Rule. Such certifications do not absolve covered entities of their legal obligations, and a certification does not preclude HHS from later finding a violation.
Is SOC 2 better than a HIPAA compliance claim?
It is more substantive. SOC 2 is an independent examination by a CPA firm of controls relevant to security, availability, processing integrity, confidentiality, or privacy. A self-declared HIPAA badge involves no independent examination at all. But SOC 2 scope and type are chosen by the vendor, so a report still has to be read rather than trusted on its cover.
What is the difference between SOC 2 Type 1 and Type 2?
A Type 1 evaluates whether controls are suitably designed at a single point in time. A Type 2 evaluates whether those controls actually operated effectively across a defined period. Type 2 is significantly stronger evidence because it observes behavior over time rather than design on one day.
Does a vendor's HITRUST certification make my organization HIPAA compliant?
No. HITRUST is a private certification against a proprietary control framework. It is meaningful evidence of a mature security program, but it is not government-recognized and does not transfer or discharge your own obligations under the HIPAA Rules, including your own risk analysis and your requirement to have a Business Associate Agreement in place.