Free Assessment

Table of Contents

Reach SOC 2 Compliance in 6 Weeks or Less.

Request a Demo

Home

  / ,

  / SSAE 18 vs SOC 2: What’s the Difference and Which One Do You Need?

SSAE 18 vs SOC 2: What’s the Difference and Which One Do You Need?

Picture of Pedro Dias
Copy Link

The “SSAE 18 vs SOC 2” debate typically surfaces when buyers, vendors, and even internal teams are all talking about the same general assurance problem, but using the wrong labels.

A procurement team asks, “Do you have SSAE 18?” A founder says, “We’re going for SSAE 18 certification.” A customer security team asks for an “SSAE 18 SOC 2 report.” Everyone is circling the same planet, but not always landing on the right terminology.

SSAE 18 and SOC 2 are not competing things. They are related, but they are not interchangeable.

The AICPA defines SOC 2 as an examination and report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. SSAE 18, by contrast, is the attestation standard framework under which these kinds of engagements are performed.

That distinction matters because buyers often ask for the wrong artifact. If you answer the wrong question, you can waste months preparing the wrong report.

Quick Answer: SSAE 18 Is a Standard; SOC 2 Is a Report

The simplest accurate explanation is this: SSAE 18 is the professional attestation standard; SOC 2 is the report deliverable. The standard tells the auditor how to perform the engagement. The report is what your customers actually read.

The AICPA states that SSAE No. 18 was issued as part of its attestation clarity project, which clarified and recodified attestation standards. The same organization also explains that SOC reports are part of the AICPA’s broader SOC suite of services used to communicate controls at service organizations.

So when someone says, “We need SSAE 18,” what they usually mean is one of two things: either they want a SOC 1 report for financial-reporting-related controls, or they want a SOC 2 report for security and broader system controls.

How SSAE 18 Relates to SOC 1, SOC 2, and SOC 3

SOC 1 addresses controls at a service organization that are relevant to a user entity’s internal control over financial reporting. The AICPA positions SOC 1 specifically for management of user entities and their financial statement auditors.

SOC 2 addresses controls relevant to the Trust Services Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality, and Privacy. It is designed for customers and other specified users who need detailed information about system controls.

SOC 3 covers the same trust services subject matter as SOC 2, but in a general-use format with less detail, so it can be freely distributed. (Think of it as the marketing-friendly version.)

In plain English: SSAE 18 sits underneath the engagement methodology; SOC 1, SOC 2, and SOC 3 are the reporting formats and scopes that come out of it.

What Is SSAE 18?

SSAE 18 stands for Statement on Standards for Attestation Engagements No. 18. It is an AICPA-issued attestation standard used in examinations, reviews, and agreed-upon procedures for nonissuers. The AICPA describes SSAEs as applicable to the preparation and issuance of attestation reports for nonissuers, and specifically notes that SSAE No. 18 completed the attestation clarity project through clarification and recodification.

Who Issues SSAE 18 and Who Performs the Engagement

The AICPA Auditing Standards Board (ASB) issues SSAE standards. The actual engagement, however, is performed by an independent CPA firm or service auditor. That division of labor is important. Your company does not “self-issue” SSAE 18. A CPA firm performs an attestation engagement under that standard and then issues the related report.

Insider Tip

When a buyer asks whether you are "SSAE 18 certified," they are using market shorthand, not technical language. The better response is: "We have a SOC 2 Type 2 report issued by an independent CPA firm under the applicable attestation standards."

What SSAE 18 Replaced (SSAE 16 / SAS 70 Context)

Historically, the service-organization reporting world moved from SAS 70 to SSAE 16, and then to SSAE 18. The AICPA’s clarity and convergence work eliminated the old SAS 70 framing, established the SOC-branded reports, and recodified the underlying attestation standards into SSAE 18. The standard was introduced in 2016 and implemented in 2017 as part of this evolution. (For international context, SSAE 18’s closest equivalent is ISAE 3402, issued by the International Auditing and Assurance Standards Board.)

That is why older buyers may still talk in legacy language. They remember SAS 70. Mid-generation buyers remember SSAE 16. Today’s market usually asks for SOC 1 or SOC 2, but sometimes with yesterday’s vocabulary still attached.

Which Engagements Fall Under SSAE 18

Within the SOC context, SSAE 18 governs how the practitioner performs examinations that lead to reports such as SOC 1, SOC 2, and SOC 3. The AICPA’s SOC suite overview frames these offerings as assurance reports used to help assess and address outsourcing risk.

What Is a SOC 2 Report?

A SOC 2 report is an independent attestation report on controls at a service organization relevant to the Trust Services Criteria. The AICPA defines SOC 2 around the five criteria categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

SOC 2 exists because businesses increasingly outsource critical systems to cloud and SaaS providers, and they want a way to evaluate whether those providers have appropriate controls in place. We’ve written an in-depth guide on what SOC 2 is, which you can read here.

What SOC 2 Evaluates (Controls Aligned to Trust Services Criteria)

SOC 2 evaluates whether the service organization’s system and controls are suitably designed—and, in a Type 2 engagement, whether they operated effectively over a review period—against the applicable TSC. Security is always part of SOC 2, while Availability, Processing Integrity, Confidentiality, and Privacy are included based on the nature of the service and customer commitments.

If you’re unsure which criteria apply to your organization, a gap analysis is a smart first step.

Reach SOC 2 Compliance in 6 Weeks or Less

Schedule Your Free SOC 2 Assessment Today

Schedule

SSAE 18 vs SOC 2: Side-by-Side Comparison

Category SSAE 18 SOC 2
What it is Attestation standard Report deliverable
Issued by AICPA Auditing Standards Board Independent CPA firm (after the engagement)
Primary purpose Governs how the engagement is performed Communicates results about controls relevant to TSC
Scope Broad attestation framework Security and system controls at a service organization
Main users Auditors and firms performing the work Customers, prospects, procurement, security reviewers
Output Professional standard / methodology Management assertion, system description, testing, opinion
Distribution Not the deliverable buyers request Restricted-use report in most cases

Standard vs Report Deliverable

This is the big one. SSAE 18 is not something you hand to a customer. A customer asks for the report, not the standard. If someone on your team is confused about this, that’s normal—and it’s worth correcting early.

Scope: Financial Reporting (SOC 1) vs Security/Compliance Controls (SOC 2)

SOC 1 and SOC 2 both live in the same general family, but they solve different problems. The AICPA states that SOC 1 is about controls relevant to financial reporting, while SOC 2 addresses the TSC categories tied to system security and reliability. Understanding this distinction is fundamental—if you’re also weighing other frameworks, the comparison between ISO 27001 and SOC 2 is worth reading.

Where “SSAE 18” Shows Up in a SOC 2 Report (What to Look For)

Auditor’s Report Section and Applicable Professional Standards

The report will identify the professional standards under which the examination was performed. In practical terms, this is where the “SSAE” connection shows up most clearly—you’ll see a reference to the applicable AT-C sections that originate from SSAE 18.

System Description Boundaries

A SOC 2 report includes a system description outlining the services, boundaries, infrastructure, software, people, procedures, and data relevant to the examination. Reading this section carefully is essential—it tells you exactly what is (and isn’t) covered by the report.

Subservice Organizations (Carve-Out vs Inclusive Method)

This is where many teams get surprised. If you rely on a cloud host, colocation provider, or other third party, the report needs to explain how those subservice organizations are handled. SSAE 18 places stronger emphasis on monitoring subservice organizations and on describing whether they are included in the scope of the examination or carved out.

  • Inclusive method: The subservice organization’s controls are tested as part of the engagement.

  • Carve-out method: The subservice organization’s controls are excluded, and the report states that the user entity should obtain and review the subservice organization’s own SOC report.

Complementary User Entity Controls (CUECs) and Why They Matter

CUECs are the controls the user entity is expected to implement for the overall control environment to work as intended. If the provider’s controls assume the customer will manage IAM, encryption choices, backups, or log review, those assumptions are documented here.

For organizations implementing continuous monitoring for SOC 2, understanding CUECs is essential because many of these complementary controls need ongoing attention, not just a one-time setup.

Common Misconceptions (and the Correct Terminology)

“SSAE 18 Certification” vs “SOC 2 Report”

There is no formal thing called “SSAE 18 certification.” The more accurate language is that a company has obtained a SOC 2 report resulting from an examination performed under the applicable attestation standards. The AICPA does not issue certifications—it publishes the standards that CPA firms use to perform and report on engagements.

“SSAE 18 SOC 2” as Shorthand vs Formal Naming

People say it. Search engines love it. Procurement spreadsheets keep it alive. But formally, the better phrasing is simply “SOC 2 report” or “SOC 2 Type 2 report.”

“SOC 2 Compliant” vs Having an Issued SOC 2 Report

This phrase is common, but slippery. “SOC 2 compliant” can mean almost anything—from “we follow the spirit of the criteria” to “our report is in progress.” The stronger, more credible statement is: “We have an issued SOC 2 report.” That tells the buyer there is a real deliverable from a real CPA firm, not just an internal claim.

Which One Do You Need?

If a customer asks for “SSAE 18,” do not answer too quickly. Ask what they want to evaluate.

  • If they care about your impact on their financial reporting, they likely want SOC 1.

  • If they care about your security controls, availability commitments, or handling of sensitive information, they likely want SOC 2.

If customers ask for SOC 2, Type 2 is usually what they really expect once you are selling into mid-market or enterprise accounts, because that is the version showing operating effectiveness over time.

If you process transactions that affect customer financial statements, SOC 1 may be necessary—and SOC 2 may still be useful if security teams are also reviewing you.

Do You Ever Need Both SOC 1 and SOC 2?

Yes, absolutely.

Typical Scenarios for Dual Reporting

Organizations in payroll, payments, claims processing, benefits administration, and some fintech categories often need both. Finance wants SOC 1. Security and procurement want SOC 2.

How to Reduce Overlap

The efficient path is not running two totally separate universes. Smart teams align control narratives, evidence collection, and testing calendars where possible. Shared controls around access, change management, monitoring, and vendor management can support both engagements, even though the report objectives differ.

If you’re weighing compliance tooling to manage that workload, our comparison of Drata vs Vanta is a good starting point.

How to Choose the Right Path: A Practical Decision Framework

  1. Start with your services and system boundaries. What do you actually do? What systems are in scope? Which data do you touch?

  2. Identify customer and regulatory requirements. What are buyers asking for in security reviews, MSAs, and procurement portals?

  3. Select the applicable Trust Services Criteria categories for SOC 2. Security is mandatory; the other categories depend on your commitments and risk profile.

  4. Decide Type 1 vs Type 2 based on your sales motion and buyer expectations. Early-stage companies sometimes begin with Type 1 to accelerate initial deals, then move to Type 2. More mature B2B SaaS companies are increasingly expected to present Type 2.

Not sure where you stand? A gap analysis can clarify whether you need SOC 1, SOC 2, or a coordinated path to both. If you’d like to talk it through, click here to get in touch.

FAQ: SSAE 18 vs SOC 2

Is SSAE 18 the same as SOC 2?

No. SSAE 18 is the attestation standard; SOC 2 is the report. They are related—SOC 2 examinations are performed under the SSAE 18 framework—but they are not the same thing.

No. It is the professional standard used to perform attestation engagements. The SOC report is the output of an engagement performed under that standard.

Yes. SOC 2 Type 2 examinations are performed under the applicable attestation standards, and SSAE 18 is the foundational reference point in this context.

SOC 1 addresses controls relevant to financial reporting. SOC 2 addresses controls relevant to the Trust Services Criteria. Both engagements are performed under the SSAE 18 framework, but they serve different audiences and evaluate different control objectives.

That is the wrong comparison. For most SaaS vendors, the relevant deliverable is SOC 2. SSAE 18 is the standard behind the engagement, not the thing you choose instead of SOC 2. To learn more about what to expect from a SOC 2 engagement, we’ve laid out the process step by step.

That wording is not technically accurate. Say you have a SOC 2 report, ideally specifying Type 1 or Type 2. The AICPA does not issue “certifications”—it provides the standards under which CPA firms perform and report on examinations.

Final Thoughts

The cleanest takeaway is this: SSAE 18 is the standard. SOC 2 is the report. Once you separate those ideas, the rest of the decision tree gets much easier.

If your buyers are asking for “SSAE 18,” clarify whether they really need SOC 1 or SOC 2. If you are a SaaS or cloud service organization, the answer is very often SOC 2 Type 2. If your services affect customer financial statements, you may need SOC 1, and in some cases both.

If you are planning your next move, now is the right time to book a SOC readiness assessment, request an audit scoping review, or a gap analysis so you can confirm whether you need SOC 1, SOC 2, or a coordinated path to both.

Axipro Author

Picture of Pedro Dias

Pedro Dias

Pedro has been writing online for over 10 years. With experience in all things programming, cyber security, and compliance, he is our editor-in-chief at Axipro.
Copy Link

Blog Highlights

Explore More Articles

Read More Blogs

The EU AI Act in 2026: What It Means for Businesses

The world’s first comprehensive AI law is not a single switch that flips on in August 2026. It is a layered regulation that has been activating in stages since February 2025. As of May 2026, it is already being rewritten to give companies more time on the hardest parts. Anyone trying to plan around a single deadline is working from a map that no longer matches the territory. The law’s reach is also global. Just as GDPR exported European privacy norms worldwide, the EU AI Act is producing a Brussels Effect for artificial intelligence: a regulation drafted in Europe that becomes the de facto global standard. Companies in the US, the UK, Bahrain, and anywhere else with EU customers or EU-facing outputs are already in scope, whether or not they have a European office. This guide cuts through the noise. It explains what the EU AI Act actually requires, who it applies to, which rules are already live, which were just pushed back by the EU’s recent simplification deal, and what the penalties really look like for companies of different sizes. What Is the EU AI Act? The EU AI Act (Regulation (EU) 2024/1689) is a horizontal law that sets harmonised rules for developing, placing on the market, and using artificial intelligence systems across the European Union. It is the first comprehensive AI law passed by any major regulator anywhere in the world, and it entered into force on 1 August 2024. The Act takes a risk-based approach. Rather than regulating AI as a single category, it sorts AI systems into tiers based on the harm they could cause to health, safety, or fundamental rights. The higher the risk, the stricter the obligations. Prohibited uses are banned outright. High-risk uses are heavily regulated. Most everyday AI — like spam filters and product recommenders — is left alone. The law also creates a separate, parallel regime for general-purpose AI (GPAI) models, the foundation models behind systems like ChatGPT, Claude, and Gemini. That regime is enforced at the EU level rather than at the national level. Why Was the EU AI Act Created? The official answer is to foster trustworthy AI in Europe. The real answer is broader: the EU watched generative AI go mainstream in late 2022 and concluded that existing law — particularly GDPR — was not enough to address the specific risks AI systems pose. Opacity in decision-making, bias in hiring tools, biometric surveillance, and the manipulation potential of generative models all sat uneasily in the regulatory gap between data protection law and product safety law. The EU’s stated goals are to protect health, safety, and fundamental rights, while preserving innovation and the single market. The political subtext is the Brussels Effect: do for AI what GDPR did for privacy, and let European rules become the global default by virtue of market access. Brazil, Canada, the UK, several US states, and Gulf jurisdictions, including Bahrain, are already drafting AI rules that borrow heavily from the EU framework. For a broader view of how AI governance is likely to evolve through the end of the decade, the trajectory is already becoming clear. Who Does the EU AI Act Apply To? The Act does not apply to AI itself. It applies to people and organisations that build, sell, or use AI systems. Article 3 defines those roles without reference to company size, so a two-person startup is in scope on the same legal basis as a Fortune 500 enterprise. Providers and Developers A provider is anyone who develops an AI system — or has one developed — and places it on the EU market or puts it into service under their own name or trademark. Providers carry the heaviest load of obligations, particularly for high-risk systems: risk management, technical documentation, conformity assessment, post-market monitoring, and incident reporting. A provider is distinct from a downstream developer who simply integrates a third-party AI component. But the line moves: if you take a general-purpose model and put your name on the resulting product, you can become a provider yourself. Deployers and Operators A deployer is anyone using an AI system in a professional capacity. If you are a bank running a credit-scoring model you bought from a vendor, you are a deployer. Deployers have lighter obligations than providers but still carry real ones: ensuring human oversight, monitoring system behaviour, informing affected individuals, and conducting fundamental rights impact assessments where required. The term operator in the Act is an umbrella that covers providers, deployers, importers, distributors, and authorised representatives. Application Outside the EU This is where many non-EU companies get caught. The AI Act applies extraterritorially. A US LLC training a model in Texas, a UK firm running an AI hiring tool, or a Bahrain-based fintech using AI for credit scoring is in scope the moment the output affects someone in the EU. If a US company develops an AI hiring tool and a German employer uses it on German candidates, the US provider is in scope — even with no EU office. The trigger is whether the system’s output is used in the Union, not where the company sits. Pro Tip: Selling AI tools to EU customers outside the EU. If you sell AI tools to EU customers from outside the EU, you must appoint an authorised representative established in a Member State before placing high-risk systems on the market. This is not optional and is one of the most commonly missed obligations for non-EU providers. The Risk-Based Approach: How the EU AI Act Classifies AI Systems The framework sorts AI systems into four tiers. The obligations scale with the tier. Unacceptable Risk: Prohibited AI Practices Article 5 prohibits eight categories of AI practice outright. These prohibitions became enforceable on 2 February 2025, well before the rest of the Act. The banned practices are: Subliminal or manipulative techniques are designed to distort behaviour and cause significant harm. Exploitation of vulnerabilities related to age or disability. Social scoring by public or private actors —

Read more

CMMC Level 1 Requirements: A Complete Guide

Phase 1 of the Cybersecurity Maturity Model Certification program went live on November 10, 2025. From that date, the Department of Defense can write CMMC requirements directly into new solicitations, and contractors who handle even basic government data cannot win awards without a current CMMC status in the Supplier Performance Risk System (SPRS). For roughly 63 percent of the Defense Industrial Base, that means Level 1: 15 foundational safeguards, an annual self-assessment, and a signed affirmation from a senior official. Level 1 is the smallest version of CMMC. It is also the one most contractors are about to encounter first, and the one with the highest false-confidence rate. This guide covers every requirement, every assessment objective, and every step from scoping to SPRS submission. What Is CMMC Level 1? CMMC Level 1 (Foundational) is the entry tier of the Cybersecurity Maturity Model Certification program, codified in 32 CFR Part 170. It requires defense contractors who handle Federal Contract Information (FCI) to implement 15 basic safeguarding practices and to confirm that implementation through an annual self-assessment. The 15 practices come directly from FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, a clause that has technically applied to federal contractors since 2016. What CMMC added is an assessment methodology and a verification mechanism. Until CMMC, no one was checking whether contractors actually did the 15 things they were contractually obligated to do. Under the final CMMC Program Rule, effective December 16, 2024, that gap is closed. Earlier CMMC drafts described Level 1 as a 17-practice framework because three physical-protection requirements were listed separately. The final rule consolidates them, and the official count now sits at 15 practices with 17 underlying assessment objectives drawn from NIST SP 800-171A. Both numbers are correct, depending on which level of granularity you are working at. What Is the Purpose of CMMC Level 1? The purpose is narrow and specific: to protect FCI from unauthorized disclosure.  FCI is information the federal government either generates or receives during contract performance that is not intended for public release. Think proposal correspondence, delivery schedules, performance reports, and routine contract communications. None of it is classified. None of it is even particularly sensitive in the traditional sense. But aggregated across thousands of contractors and exposed to adversaries, it gives a meaningful picture of what the U.S. government is buying, from whom, and on what timeline. Level 1 exists because too much of the Defense Industrial Base was failing to apply even basic hygiene to that data. CMMC Level 1 turns inconsistent expectations into a yearly verification cycle. CMMC Level 1 Scope The CMMC Assessment Scope for Level 1 is defined in the official DoD CMMC Level 1 Scoping Guide. It covers every information system that processes, stores, or transmits FCI, along with the people, processes, and physical facilities that interact with those systems. In practical terms, scope includes workstations and servers that handle FCI, cloud services used to store or transmit FCI, email systems used to send or receive FCI, file-sharing platforms holding FCI documents, network infrastructure carrying FCI traffic, physical facilities where any of the above are located, and personnel with access to any of the above. Anything that does not touch FCI is out of scope. This is the simplest scoping model in CMMC, and it is also where most contractors trip up. The temptation is to declare a narrow scope (“just the one folder on the file server”) and ignore the email, the laptops, and the backups. Auditors and primes will not accept it. CMMC Level 1 Requirements: All 15 Practices Explained The 15 practices fall across six domains. Each is mapped to a NIST SP 800-171 control identifier, but Level 1 only assesses the subset of objectives relevant to FCI. Access Control (AC) AC.L1-B.1.I – Authorized Access Control Practice: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices. Maintain a current list of users, processes, and devices authorized to access systems holding FCI. This means active user-account management: unique identifiers for each user, accounts disabled promptly when employment ends, and a documented process for reviewing who has access and why. Shared credentials are not acceptable. This is the foundation every other access control practice is built on, and it is where many contractors have their first reckoning with how loosely their environments have actually been managed. AC.L1-B.1.II – Transaction and Function Control Practice: Limit information system access to the types of transactions and functions that authorized users are permitted to execute. Apply the principle of least privilege. A user with access to read FCI does not automatically get access to delete it, share it externally, or modify system configurations. Role-based access controls (RBAC) satisfy this requirement. In practice, this means auditing what each role can actually do in your systems and trimming permissions down to what is genuinely necessary for the job function. AC.L1-B.1.III – External Connections Practice: Verify and control or limit connections to and use of external information systems. Know what external systems your in-scope environment connects to — cloud storage, partner networks, contractor laptops on home Wi-Fi — and apply controls to those connections. Acceptable Use Policies, VPN requirements, and explicit allow-lists for external sharing all map here. The key word is verify: you need documented evidence that external connections are inventoried and controlled, not just assumed to be fine. AC.L1-B.1.IV – Control Public Information Practice: Control information posted or processed on publicly accessible information systems. Make sure FCI does not end up on your public website, your company blog, or any other publicly accessible system. This is mostly a process control: establish who is allowed to publish to public-facing systems and what review happens before anything goes live. It sounds obvious, but incidents involving inadvertent FCI disclosure through company websites and public repositories are more common than the industry likes to admit. Identification and Authentication (IA) IA.L1-B.1.V – Identification Practice: Identify information system users, processes acting on behalf of users, or devices. Every user,

Read more

Drata HIPAA Compliance: PHI Safeguards in 2026

Risk analysis failures sit behind 76% of HIPAA enforcement actions in 2025, according to The HIPAA Journal’s annual breach report. That single statistic explains why healthcare organizations and their business associates are rethinking how they manage HIPAA. Its no longer enough to conduct an annual policy review, it is now a continuous control problem. Drata fits that shift. It is a security and compliance automation platform that connects to the systems where PHI lives, maps controls to the HIPAA Privacy, Security, and Breach Notification Rules, and keeps evidence current between formal assessments. This guide covers what Drata actually does for HIPAA: which rules it addresses, how the automation works in practice, what it leaves to humans, and how readiness compares to running parallel frameworks like SOC 2. What Is HIPAA and Why Does Compliance Matter? The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the U.S. federal law governing the protection of protected health information (PHI). It applies to two categories of organizations: covered entities (health plans, healthcare clearinghouses, and most providers) and business associates, a category that captures any vendor, SaaS company, or service provider that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Enforcement is led by the HHS Office for Civil Rights (OCR). Penalties scale with culpability, capped at roughly $2.1 million per violation category per year after inflation adjustments. OCR’s 2025 enforcement priorities were almost entirely focused on the Security Rule, particularly the requirement to conduct a thorough, organization-wide risk analysis. The agency has confirmed that 2026 will follow the same playbook, with risk management evidence (proof that identified risks are being actively reduced) becoming a separate focus area in its own right. Healthcare also remains the most expensive sector for breaches. IBM’s 2024 Cost of a Data Breach Report put the average healthcare breach at $9.48 million, more than double the cross-industry average. The cost is not abstract: in 2025, OCR penalties for risk analysis failures ranged from $25,000 against small practices up to $3 million against a national medical supplier following a phishing-driven breach. What Is Drata and How Does It Support HIPAA Compliance? Drata is a GRC automation platform that integrates with cloud infrastructure, identity providers, HRIS systems, ticketing tools, and endpoint management to continuously collect evidence and test controls against more than 30 compliance frameworks. HIPAA was added in late 2021 as Drata’s third framework, joining SOC 2 and ISO 27001. For HIPAA specifically, Drata does not certify anyone; there is no formal HIPAA certification anyway, but it operationalizes the work that OCR expects to see when an investigation lands. That includes mapped controls for administrative, physical, and technical safeguards; policy templates for HIPAA-specific requirements like the Business Associate Agreement; embedded workforce training; an integrated risk management module; and an evidence library that auditors and counsel can access during a review. Worth Knowing: There is no government-issued HIPAA certification. Any vendor claiming to make you “HIPAA certified” is using marketing language. What auditors and OCR investigators actually look for is documented, ongoing compliance with the three HIPAA Rules. Drata’s value sits in producing that documentation continuously rather than retroactively. For a deeper look at what formal certification actually involves in adjacent frameworks, see our guide to HIPAA certification. Key HIPAA Requirements Drata Helps You Address HIPAA consists of three operative rules, each with distinct compliance obligations. Drata’s control library maps to all three. HIPAA Privacy Rule The Privacy Rule governs the use and disclosure of PHI in any form: electronic, paper, or verbal. It defines 18 specific identifiers that constitute PHI, sets the minimum necessary standard, and gives patients rights of access, amendment, and accounting of disclosures. Drata supports this through policy templates (notice of privacy practices, minimum necessary use, patient rights procedures), access tracking through integrations with identity providers, and workforce training that covers permissible uses and disclosures. HIPAA Security Rule The Security Rule is where most enforcement activity happens. It applies specifically to electronic PHI (ePHI) and requires three categories of safeguards: administrative, physical, and technical. According to HHS, the Security Rule “requires implementation of appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information.” Drata’s control library maps directly to the 45 CFR Part 164 implementation specifications, both required and addressable. HIPAA Breach Notification Rule The Breach Notification Rule requires notification to affected individuals, HHS, and, for breaches affecting 500 or more residents of a state, the media, no later than 60 days after discovery. Drata supports breach response through incident management workflows, policy templates that codify the four-factor risk assessment, and audit trails for breach documentation. The platform does not file your OCR breach report for you; that remains a human task, but it keeps the underlying evidence organized. Important: OCR has explicitly stated that breach notification failures were the second most common reason for a financial penalty in 2025. More than one-fifth of enforcement actions included a breach notification violation. The 60-day clock starts at discovery, not at confirmation, so detection latency directly increases legal exposure. How Drata Automates HIPAA Compliance Automation in Drata operates on four layers: evidence collection, control monitoring, gap detection, and integration with healthcare-relevant tools. The combination is what produces the continuous compliance posture that OCR is now effectively demanding through its risk management initiative. Automated Evidence Collection for HIPAA Audits Drata reports that its platform automates roughly 80% of evidence collection across frameworks. For HIPAA, that means pulling configuration data from AWS, Azure, or GCP; enrollment status from MDM tools like Jamf or Intune; SSO and MFA enforcement from Okta or Entra ID; and onboarding/offboarding records from HRIS platforms. Instead of screenshotting these on demand for an auditor, the platform timestamps and stores them on a continuous basis. Real-Time HIPAA Compliance Monitoring The platform runs automated tests against connected systems daily. If MFA is disabled on an administrator account that has access to a system holding ePHI, the relevant control flips to failing status and the owner

Read more