Background
A health technology company developing a cloud-based patient engagement and telehealth platform had grown rapidly during the post-pandemic expansion of digital health services. Their platform was being adopted by outpatient clinics, specialty practices, and community health centers across the Caribbean and southeastern United States — processing Protected Health Information (PHI) for tens of thousands of patients.
The company faced a dual compliance requirement that was creating a significant bottleneck in their sales process. Healthcare clients required HIPAA compliance as a baseline; it was non-negotiable under federal law. But their larger health system prospects and hospital network targets were additionally requiring SOC 2 Type II certification as proof of security controls maturity beyond HIPAA’s minimum requirements. Prospects were asking for both, simultaneously, before signing.
The company had a signed Business Associate Agreement template and a basic HIPAA Privacy Policy on their website. Beyond that, their compliance posture was largely theoretical. They had no formal risk analysis, no documented technical safeguard inventory, no SOC 2 controls in place, and no audit trail infrastructure. They needed to build both programs simultaneously, efficiently, without duplicating effort, in a compressed timeline driven by a health system contract with a compliance deadline attached.
Challenge
Running SOC 2 and HIPAA compliance simultaneously is complex because the two frameworks, while overlapping in many areas, have distinct requirements, different governing bodies, different documentation standards, and different audit processes. Organizations that approach them independently often do redundant work, create conflicting documentation, and exhaust their teams in the process, creating additional cybersecurity GRC challenges.
The health tech company had attempted to map the two frameworks themselves using publicly available resources. They quickly discovered that while SOC 2’s Trust Services Criteria and HIPAA’s Security Rule share conceptual ground (both address access controls, audit logging, encryption, and incident response), the specific requirements, evidence standards, and documentation formats are different enough that a naive unified approach creates gaps in both programs simultaneously.
Additionally, as a telehealth platform, their technical environment included patient-facing mobile applications, third-party video conferencing integrations, cloud infrastructure across multiple providers, and API connections to electronic health record systems — each representing a distinct component of their compliance scope that required individual analysis.
Action
Armour designed a unified compliance program, a single integrated workstream that addressed SOC 2 and HIPAA requirements simultaneously, deliberately sequencing work to avoid duplication and build controls that satisfied both frameworks with a single implementation.
The program was structured across three phases:
Phase 1 — Foundation (Weeks 1–4)
- Conducted a combined SOC 2 readiness assessment, vulnerability assessment, and HIPAA Security Rule gap analysis in a single engagement, producing a unified gap report that mapped each finding to both framework requirements.
- Defined the SOC 2 audit scope and HIPAA compliance boundary in a coordinated scope document
- Conducted the formal HIPAA Risk Analysis, a mandatory Security Rule requirement, structured to also serve as the SOC 2 risk assessment, eliminating the need for two separate risk assessment processes
- Identified all systems, applications, and data flows involving PHI and mapped them to SOC 2 in-scope systems
Phase 2 — Remediation & Control Implementation (Weeks 5–14)
- Developed a unified policy suite of 19 policies written to satisfy both SOC 2 Trust Services Criteria and HIPAA Security Rule requirements simultaneously, each policy cross-referenced to both frameworks
- Implemented technical controls across the platform’s cloud infrastructure: encryption at rest and in transit for all PHI, MFA enforcement across all staff and administrative access, role-based access controls with quarterly review, centralized audit logging with 12-month retention, and automated vulnerability scanning
- Established a formal Business Associate Agreement management program: inventoried all 31 vendors with access to PHI, reviewed existing BAAs for adequacy, and obtained updated agreements from 14 vendors with inadequate or missing documentation
- Built the evidence collection infrastructure for both programs: automated log aggregation, access review workflows, and monthly compliance reporting dashboards
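Two of the Phase 2 controls, quarterly role-based access review with MFA enforcement for all staff and administrative access, and 12-month centralized audit log retention, are the kind of checks the evidence collection infrastructure can run automatically each month. The script below is an added example, not tooling from the engagement or from Armour. It runs over a constructed account inventory and a constructed log index, and the SOC 2 Trust Services Criteria and HIPAA Security Rule citations attached to each finding are an illustrative crosswalk, not the engagement's actual control mapping.

```python
"""Monthly evidence checks for two unified SOC 2 / HIPAA controls.

Added example (not the engagement's own tooling). The account inventory,
log index, and review date below are constructed; the framework references
on each finding are an illustrative crosswalk, not the page's mapping.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date

REVIEW_INTERVAL_DAYS = 90   # quarterly role-based access review (control from the page)
LOG_RETENTION_DAYS = 365    # 12-month centralized audit log retention (control from the page)


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    mfa_enabled: bool
    last_access_review: date
    phi_access: bool


@dataclass(frozen=True)
class Finding:
    control: str        # which control the finding belongs to
    subject: str        # account or system the finding is about
    detail: str
    soc2_ref: str       # illustrative SOC 2 TSC reference (assumption, not the page's crosswalk)
    hipaa_ref: str      # illustrative 45 CFR 164.3xx reference (assumption, not the page's crosswalk)


def review_accounts(accounts, today):
    """Flag accounts missing MFA or whose last access review is older than one quarter."""
    findings = []
    for acct in accounts:
        if not acct.mfa_enabled:
            findings.append(Finding("mfa", acct.user, f"role {acct.role} has no MFA",
                                    "CC6.1", "164.312(d)"))
        age_days = (today - acct.last_access_review).days
        if age_days > REVIEW_INTERVAL_DAYS:
            findings.append(Finding("access-review", acct.user,
                                    f"last reviewed {age_days} days ago",
                                    "CC6.3", "164.308(a)(4)"))
    return findings


def check_log_retention(oldest_retained_event, today):
    """Flag the central log store if it does not yet cover the full retention window."""
    covered_days = (today - oldest_retained_event).days
    if covered_days < LOG_RETENTION_DAYS:
        return [Finding("log-retention", "central-log-store",
                        f"only {covered_days} of {LOG_RETENTION_DAYS} days retained",
                        "CC7.2", "164.312(b)")]
    return []


def summarize(findings):
    """Per-control counts for the monthly compliance dashboard."""
    return dict(Counter(f.control for f in findings))


# Constructed sample data: four staff accounts and the oldest event in the log store.
SAMPLE_ACCOUNTS = [
    Account("alice", "clinician", True, date(2024, 5, 15), True),
    Account("bob", "admin", False, date(2024, 6, 1), True),
    Account("carol", "support", True, date(2024, 2, 10), True),
    Account("dave", "engineer", False, date(2024, 1, 20), False),
]
SAMPLE_OLDEST_LOG_EVENT = date(2023, 12, 1)
SAMPLE_REVIEW_DATE = date(2024, 6, 30)


def run_checks(accounts=SAMPLE_ACCOUNTS, oldest_log=SAMPLE_OLDEST_LOG_EVENT,
               today=SAMPLE_REVIEW_DATE):
    """Run both controls and return the combined finding list."""
    return review_accounts(accounts, today) + check_log_retention(oldest_log, today)


if __name__ == "__main__":
    results = run_checks()
    for f in results:
        print(f"[{f.control}] {f.subject}: {f.detail} (SOC 2 {f.soc2_ref}; HIPAA {f.hipaa_ref})")
    print("summary:", summarize(results))
```

Each finding carries both framework references so a single evidence artifact can be filed against the SOC 2 observation period and the HIPAA Risk Management Plan at once, which is the point of the unified program: one check, one piece of evidence, two audits.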
Phase 3 — Audit Preparation & Execution (Weeks 15–20)
- Conducted a SOC 2 internal readiness review and mock audit; identified and remediated 6 control gaps before the observation period concluded
- Delivered comprehensive HIPAA workforce training to all 52 employees with documented completion records
- Coordinated and managed the SOC 2 Type II external audit, managing all auditor communications, evidence submissions, and real-time responses throughout fieldwork
- Produced the final HIPAA compliance documentation package (Risk Analysis, Risk Management Plan, Policies & Procedures, Training Records, and BAA inventory), structured for ongoing annual review
Impact
- SOC 2 Type II certification achieved: clean report, zero exceptions
- HIPAA Security Rule compliance documented and auditable; full compliance package delivered
- Target health system contract signed within 3 weeks of SOC 2 report issuance
- 31 vendor BAAs reviewed and brought into compliance
- 19 unified policies addressing both frameworks, with zero redundant documentation
- 52 employees HIPAA-trained with documented completion records
- Combined program delivered 40% faster than running SOC 2 and HIPAA sequentially would have required
Conclusion
Healthcare technology companies face a compliance burden that most other software companies don’t, and the cost of getting it wrong isn’t just a failed audit. It’s HIPAA penalties, patient trust, and the clinical reputation of every healthcare provider that chose to rely on your platform.
This company didn’t just pass two compliance audits. They built a security and compliance program that is now a core part of their sales narrative and demonstrates the value of skilled professionals pursuing cybersecurity careers.
