Pre-Conference Workshop (included in All Access Pass)
SOC26101. "Trust Me, I’m an Auditor": SOC 2 Privacy Criteria and HIPAA Compliance Explained
Part 1: Decode the SOC 2 Privacy category—when to apply it, what controls matter, and how to audit effectively.
Part 2: Navigate HIPAA compliance for CPAs serving healthcare clients, with practical guidance on risk, rules, and remediation.
Learning Objectives:
- Apply the AICPA Privacy Criteria (P1–P8) by translating each criterion into audit objectives, control expectations, and evidence requirements for a SOC examination.
- Distinguish privacy roles by classifying an organization as a controller, processor, or joint party, and determine the resulting implications for scope, responsibilities, and testing.
- Evaluate privacy control design and operating effectiveness by identifying what auditors test across notice, consent, collection, retention/disposal, access, disclosure, and incident response, and selecting defensible evidence.
- Evaluate the HIPAA Security Rule requirements and how they overlap with SOC 2 Common Criteria and the AICPA Privacy Criteria, and identify where additional HIPAA-specific controls or documentation are required beyond SOC reporting.
Date/Time
–
CPE Credits
3.5
NASBA Field of Study
Auditing
Level
Basic/beginner – (0-2 years in the profession)
Advanced Preparation
None