Navigating IT Compliance: HIPAA, PCI-DSS, and SOC 2 Explained
Compliance is one of those topics where the guidance online is either overly simple or written by lawyers. The reality sits somewhere else. I've helped clients achieve and maintain HIPAA, PCI-DSS, and SOC 2 for over a decade now, and I've watched a consistent set of mistakes trip up first-timers. This is my working explanation of what each framework actually requires, what people get wrong, and how I'd approach compliance if I were starting today with what I know now. For the source documents, I'd start with HHS HIPAA guidance, PCI SSC's official standards, and AICPA's SOC 2 resources.
HIPAA: What Actually Matters
Start with HIPAA, since it's the oldest and the most widely misunderstood. The Act applies to covered entities (healthcare providers, health plans, clearinghouses) and their business associates, which is anyone handling PHI on their behalf. The Privacy Rule covers how you can use and disclose PHI. The Security Rule specifically governs electronic PHI, which is what most of the technical obligations attach to. If you're storing, transmitting, or processing any ePHI, your world revolves around three categories of safeguards: administrative, physical, and technical.
Administrative safeguards are the people and policy work: assigned security responsibility, documented security management processes, workforce training, incident response procedures. Physical safeguards cover facility access, workstation security, and how you handle devices and media. Technical safeguards are where most of the spending happens: access controls, audit logging, data integrity, transmission security. People often think HIPAA is primarily technical. In practice, the audit findings I've seen cluster heavily in the administrative category. Policies that exist on paper but aren't followed cause more OCR headaches than missing encryption.
Risk assessments are the backbone of HIPAA and probably the most neglected component. OCR expects a documented annual risk assessment plus remediation plans for identified risks. If you can't produce one, the rest of your compliance story falls apart. Violations can run $100 to $1.9M per incident category per year, and willful neglect can include criminal penalties. I've watched organizations pay six-figure penalties not for a breach, but for failing to have done the assessment that would have found the breach risk in the first place.
Business Associate Agreements are the overlooked part. Anyone handling PHI on your behalf needs a signed BAA that specifies their obligations: cloud providers, IT service providers, billing companies, transcription services, even the consultant who had temporary PHI access during a project. The covered entity stays liable if a business associate screws up, which means vendor risk management is an integral part of HIPAA, not an afterthought. Your BAA tracker needs to be as current as your risk register.
PCI-DSS: Scope Determines Everything
PCI-DSS applies to any organization that processes, stores, or transmits cardholder data, regardless of size. The standard is organized into six control objectives across 12 requirements, and the compliance level depends on your annual transaction volume. Level 1 merchants (over 6M transactions annually) need a Report on Compliance from a Qualified Security Assessor. Levels 2-4 usually self-assess with a Self-Assessment Questionnaire, but still need quarterly ASV scans and ongoing compliance with all 12 requirements. Non-compliance penalties stack fast: fines from $5K-$100K per month from card brands, increased transaction fees, and in the worst case, loss of your ability to process credit card payments at all.
The single most effective PCI strategy I recommend to clients is scope reduction. Every system that stores, processes, or transmits cardholder data is in scope. Every system that can affect the security of those systems is in scope. In a flat network, that's everything. Tokenization replaces card data with non-sensitive tokens your systems can reference without touching real card data. Point-to-point encryption encrypts at the payment terminal with keys your systems never see. Hosted payment pages mean the cardholder interacts with your payment processor's domain, not yours. Combined, these techniques typically reduce PCI scope 40-70% in the first engagement. Less scope means smaller audit, fewer systems to protect, and a smaller blast radius if something goes wrong.
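The scope-reduction mechanics above are easier to see with a small model of tokenization. The following Python is an added example, not code from the article or from EFROS: it assumes a hypothetical in-memory `TokenVault` standing in for the processor's vault, a downstream order system that is only allowed to persist a token plus the last four digits, and a Luhn-based PAN discovery scan of the kind used to confirm a system really holds no cardholder data. The sample PAN is a well-known test number, constructed for this example.

```python
import re
import secrets
from dataclasses import dataclass

# Constructed sample: a well-known test PAN, not a real card number.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(digits: str) -> bool:
    """Return True if `digits` is a 13-19 digit string with a valid Luhn checksum.
    PAN discovery scans use this check to recognise card-number-shaped data."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """The only component that ever holds a full PAN. In a real deployment this is
    the processor's or a dedicated PCI-scoped vault's job; this in-memory version
    is a hypothetical stand-in for the example."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a PAN")
        existing = self._token_by_pan.get(pan)
        if existing:
            return existing       # same card -> same token, so recurring billing still works
        token = "tok_" + secrets.token_urlsafe(24)   # random; derived from nothing on the card
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (inside PCI scope) can turn a token back into a PAN."""
        return self._pan_by_token[token]


@dataclass
class OrderRecord:
    """What the order system (outside the CDE) is allowed to persist."""
    order_id: str
    card_token: str
    last4: str            # truncation: the last four digits may live outside the CDE
    amount_cents: int


def create_order(vault: TokenVault, order_id: str, pan: str, amount_cents: int) -> OrderRecord:
    """The order system hands the PAN to the vault and keeps only the token and last4."""
    return OrderRecord(order_id, vault.tokenize(pan), pan[-4:], amount_cents)


def find_pan_like_values(values: list[str]) -> list[str]:
    """PAN discovery: return Luhn-valid 13-19 digit runs found in the given strings."""
    hits = []
    for value in values:
        normalised = re.sub(r"[ -]", "", value)    # "4111 1111 1111 1111" -> one digit run
        for m in re.finditer(r"\d{13,19}", normalised):
            if luhn_valid(m.group()):
                hits.append(m.group())
    return hits


def pan_exposure(record: OrderRecord) -> list[str]:
    """Scan an out-of-scope record for anything shaped like a full PAN."""
    fields = [record.order_id, record.card_token, record.last4, str(record.amount_cents)]
    return find_pan_like_values(fields)


if __name__ == "__main__":
    vault = TokenVault()
    order = create_order(vault, "ord-1001", SAMPLE_PAN, 4999)
    print(order)                    # token and last4 only
    print(pan_exposure(order))      # [] : nothing PAN-shaped reached the order system
    # Constructed log line showing what a leak looks like to the same scanner
    print(find_pan_like_values(["checkout pan=4111 1111 1111 1111 amount=49.99"]))
```

The point of the scan is the one auditors care about: the systems that store only `tok_...` values and a last4 can demonstrate, by the same discovery method a QSA would use, that no cardholder data lives there. The vault, and anything that can call `detokenize`, stays in scope.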
SOC 2: The Enterprise Customer Requirement
SOC 2 is what I spend the most time on with modern clients because it's become the default enterprise customer requirement for SaaS and service organizations. AICPA developed the framework around five Trust Services Criteria: Security (always included), Availability, Processing Integrity, Confidentiality, and Privacy. Most first-time audits cover Security plus Availability. I'd add Confidentiality if you have contractual obligations around customer data confidentiality, Processing Integrity if you process financial or healthcare transactions, and Privacy only if you have specific privacy obligations not already covered by GDPR or CCPA. Broader scope means more expensive audits; scope creep is easy, scope reduction is hard.
SOC 2 has two types. Type I is a point-in-time design review: are the right controls in place? Type II evaluates whether those controls actually operated effectively over 6-12 months. Type II reports are what enterprise customers want, because they prove sustained control operation instead of a snapshot. Type I is a valid stepping stone to Type II, but I wouldn't pause at Type I as a destination. Most of my SaaS clients plan for Type II within 12-18 months of their first Type I.
Preparing for SOC 2 comes down to five areas of depth: access management (role-based access, regular access reviews, MFA, least privilege), change management (documented processes, testing, approval workflows), incident management (response procedures, communication plans, post-incident reviews), vendor management (third-party risk assessments, contract security terms), and monitoring (continuous security monitoring, vulnerability scanning, penetration testing). Each is simple to describe and harder to operate continuously, which is why SOC 2 Type II surfaces gaps that Type I missed.
The shift from periodic compliance to continuous compliance is the single most important trend I've seen in a decade. The old model was: scramble before the audit, remediate, hope nothing breaks, repeat. The new model: controls operate continuously, evidence is collected continuously, risk is evaluated continuously. GRC platforms like Vanta, Drata, Secureframe, and Hyperproof make this possible by automating evidence collection from your cloud providers, identity systems, and SaaS tools. The time savings are real. The bigger benefit is actually having better security, because control drift gets caught in days instead of quarters.
GDPR and US Privacy Law
GDPR creates both leverage and friction when you're already compliant with other frameworks. Much of what GDPR requires (data minimization, access controls, breach notification) is addressed by HIPAA, PCI-DSS, or SOC 2. But the details diverge. GDPR requires breach notification within 72 hours of becoming aware; HIPAA allows up to 60 days; PCI-DSS requires immediate notification to your acquirer. GDPR's right to be forgotten creates data deletion obligations that other frameworks don't. GDPR applies based on where the data subject is, not where you are, which means US companies with EU customers are in scope whether they realize it or not.
US state privacy laws have multiplied to the point that compliance is now a matrix problem. California started with CCPA and CPRA. Virginia, Colorado, Connecticut, Utah, Texas, and a growing list have added their own variants with different thresholds, different rights, and different enforcement. If you operate across states, you need a single privacy operations capability that meets the strictest requirement across all applicable states. Privacy management tooling like OneTrust, TrustArc, or DataGrail handles the consumer rights requests and data mapping. The alternative is trying to manage twelve different state compliance programs with spreadsheets, which doesn't scale.
Cross-Framework Control Mapping
For organizations subject to multiple frameworks, the right approach is cross-framework control mapping. A single well-designed MFA control can satisfy SOC 2 CC6.1, ISO 27001 A.9.4.2, HIPAA 164.312(d), PCI-DSS 8.4, NIST CSF PR.AC-7, and CMMC AC.L2-3.5.3 simultaneously. One control, six frameworks. When you design around the strictest requirement and map it back to each framework's specific language, adding a new framework becomes 15-25% incremental work, not a whole new program.
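The cross-framework control mapping described in this section is, in practice, a small data model plus a gap calculation: each control records the requirements it satisfies, and adding a framework means finding which of its requirements no existing control already covers. The Python below is an added example, not the article's or EFROS's code or any GRC platform's data model. The six references on the MFA control are the ones the article names; every other control ID and requirement reference is a constructed, illustrative subset and not a complete rendering of any standard.

```python
from collections import defaultdict

# Constructed control inventory: control id -> framework requirements it satisfies,
# written as "FRAMEWORK:requirement". AC-MFA carries the six references from the
# article; the remaining controls and references are an illustrative subset only.
CONTROL_INVENTORY: dict[str, set[str]] = {
    "AC-MFA": {"SOC2:CC6.1", "ISO27001:A.9.4.2", "HIPAA:164.312(d)",
               "PCI:8.4", "NISTCSF:PR.AC-7", "CMMC:AC.L2-3.5.3"},
    "AC-PROVISIONING": {"SOC2:CC6.2", "HIPAA:164.312(a)(1)", "PCI:7.2", "NISTCSF:PR.AC-1"},
    "LOG-CENTRAL": {"SOC2:CC7.2", "HIPAA:164.312(b)", "PCI:10.2"},
    "CHG-REVIEW": {"SOC2:CC8.1"},
}

# Constructed requirement catalogue per framework (a small subset, not the full standards).
FRAMEWORK_REQUIREMENTS: dict[str, list[str]] = {
    "SOC2": ["CC6.1", "CC6.2", "CC6.3", "CC7.2", "CC8.1"],
    "HIPAA": ["164.312(a)(1)", "164.312(b)", "164.312(d)", "164.312(e)(1)"],
    "PCI": ["7.2", "8.4", "10.2"],
}


def controls_by_requirement(inventory: dict[str, set[str]] = CONTROL_INVENTORY) -> dict[str, list[str]]:
    """Invert the inventory: requirement ref -> sorted list of controls that satisfy it."""
    index: dict[str, list[str]] = defaultdict(list)
    for control_id, refs in inventory.items():
        for ref in refs:
            index[ref].append(control_id)
    return {ref: sorted(ids) for ref, ids in index.items()}


def frameworks_satisfied_by(control_id: str, inventory: dict[str, set[str]] = CONTROL_INVENTORY) -> list[str]:
    """Which frameworks a single control contributes evidence to ("one control, six frameworks")."""
    return sorted({ref.split(":", 1)[0] for ref in inventory[control_id]})


def coverage(framework: str,
             inventory: dict[str, set[str]] = CONTROL_INVENTORY,
             catalog: dict[str, list[str]] = FRAMEWORK_REQUIREMENTS) -> dict[str, list[str]]:
    """Requirement ref -> controls mapped to it; an empty list is a gap."""
    index = controls_by_requirement(inventory)
    return {f"{framework}:{req}": index.get(f"{framework}:{req}", []) for req in catalog[framework]}


def gap(framework: str,
        inventory: dict[str, set[str]] = CONTROL_INVENTORY,
        catalog: dict[str, list[str]] = FRAMEWORK_REQUIREMENTS) -> list[str]:
    """Requirements of `framework` that no existing control covers."""
    return sorted(ref for ref, ids in coverage(framework, inventory, catalog).items() if not ids)


def incremental_work(framework: str,
                     inventory: dict[str, set[str]] = CONTROL_INVENTORY,
                     catalog: dict[str, list[str]] = FRAMEWORK_REQUIREMENTS) -> float:
    """Fraction of the framework's requirements with no mapped control, i.e. the
    net-new work of adding that framework to an existing program."""
    cov = coverage(framework, inventory, catalog)
    return sum(1 for ids in cov.values() if not ids) / len(cov)


def mapping_report(framework: str) -> str:
    """Human-readable view of coverage for one framework."""
    lines = [f"{framework}: {incremental_work(framework):.0%} of requirements unmapped"]
    for ref, ids in coverage(framework).items():
        lines.append(f"  {ref:<22} {', '.join(ids) if ids else 'GAP'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("AC-MFA satisfies:", frameworks_satisfied_by("AC-MFA"))
    for fw in FRAMEWORK_REQUIREMENTS:
        print(mapping_report(fw))
```

Run against this inventory, PCI needs no new controls at all, while HIPAA and SOC 2 each surface exactly one unmapped requirement. Real catalogues are far larger, but the shape of the answer is what the article describes: a new framework costs the unmapped delta, not a fresh program, and the report output doubles as the auditor-facing mapping document.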
GRC Platform Selection
GRC platform selection matters more than most buyers realize. Vanta has the deepest SOC 2 and ISO 27001 automation and the widest integration library, which makes it good for cloud-native, engineering-led organizations pursuing first-time certifications. Drata covers more frameworks simultaneously and tends to win where clients pursue SOC 2, ISO 27001, and HIPAA in parallel. Secureframe has strong auditor relationships that can compress time to audit. Hyperproof is more enterprise-oriented for organizations with complex existing control inventories. AuditBoard is the enterprise-control-management play. Expect $15K-$100K per year depending on scope.
Compliance Program Maturity
Compliance program maturity runs through four levels. Level 1, Reactive: everything happens before an audit. Level 2, Basic: policies exist and owners are assigned. Level 3, Managed: GRC automates evidence collection and controls operate continuously. Level 4, Optimized: multi-framework compliance runs at scale with predictive risk analytics. Most organizations I work with sit at Level 1-2 when we start. Level 3 is achievable within 18-24 months of deliberate investment. Level 4 is typical of enterprise compliance programs or managed compliance services where the burden is professionally operated. You don't need Level 4 to pass audits. You do need Level 2 at minimum, and Level 3 if you want audits to stop being painful.
Working with a compliance-focused partner who has built and operated the frameworks themselves changes the economics. EFROS holds ISO 27001 and SOC 2 Type II. We have been through the same OCR investigations, PCI SAQs, and SOC 2 observation periods that we help clients through. The pattern we see: clients running compliance programs alone spend 3-5x more internal time on audit preparation than clients with a managed compliance partner, and they find more surprises during fieldwork. That's not because compliance is secret knowledge. It's because continuous operation of controls, evidence collection, and auditor relationships are skills that compound with practice, and most organizations don't do enough audits for their internal team to develop them.
One pattern I've seen consistently: compliance programs that start as an audit response stay stuck as audit responses. They exist to satisfy an annual review, they produce the evidence the auditor asks for, they go quiet in between. Compliance programs that start as risk management programs evolve differently. They use the frameworks as scaffolding for real security improvement. They treat audits as validation checkpoints, not the goal. The output is the same certification in year one, but the trajectory diverges completely. The audit-driven program plateaus. The risk-driven program compounds. If you're starting a compliance journey, decide which you're building before you pick tooling, hire people, or scope your first framework. The decision is easier to make upfront than to reverse later.
One frequent question: when do you bring in outside help versus building compliance in-house? The answer depends on cadence. If you expect to pursue multiple frameworks over several years, maintaining them continuously, in-house investment eventually pays off as your team builds expertise. If you're pursuing one or two frameworks and want to operate them for customer requirements without becoming a compliance-led organization, outside help is cheaper and faster. The worst middle path is hiring one compliance person who becomes a single point of failure and burns out. Compliance is a team discipline, not a solo role. If you can't staff a real team, a managed partner is usually the right answer.
The conversation I wish I had with every first-time compliance buyer: certification is the easy part, operational maturity is the hard part. Getting through a SOC 2 Type II audit, a PCI assessment, or a HIPAA risk assessment in year one is achievable with focused effort and the right tooling. Operating those controls continuously in year three, through staff turnover, product changes, acquisitions, and customer expansion, is a different problem. The organizations that do compliance well build the operational habits into how they work: every change has a compliance review, every hire has a security onboarding, every vendor has a risk assessment, every exception is documented and reviewed. That's not exciting. It's the difference between compliance programs that produce value and compliance programs that produce anxiety every audit cycle.
One last note on vendor selection for compliance tooling. The market is crowded and the differences matter less than the marketing suggests. For most mid-market organizations, any of the top four (Vanta, Drata, Secureframe, Hyperproof) will do the job. The selection decision should come down to: which platform does your auditor prefer or have experience with (this matters more than features), which integrations do you need for your specific stack, and what's your total cost including implementation services. Don't spend three months evaluating. Pick one, implement, and focus your energy on operating the controls well. The tooling is a force multiplier, not a strategy.
Frequently Asked Questions
Do I need HIPAA, PCI-DSS, and SOC 2 all at once?
Only if all three apply. HIPAA applies to covered entities and business associates handling protected health information. PCI-DSS applies if you store, process, or transmit cardholder data. SOC 2 is typically required by enterprise customers buying from SaaS and service organizations. Map your data flows first, then compliance scope follows.
What is the difference between SOC 2 Type I and Type II?
Type I evaluates the design of controls at a point in time. Type II evaluates operating effectiveness over 6-12 months. Type II is significantly more valuable — most enterprise customers require Type II from vendors. If you're starting, plan for Type II within 12-18 months of your first Type I.
How do I reduce PCI-DSS scope?
Three techniques: tokenization (replace card data with non-sensitive tokens), P2PE (point-to-point encryption), and hosted payment pages. Combined with network segmentation, these typically reduce the cardholder data environment by 40-70% and shrink your audit accordingly.
How long does SOC 2 Type II preparation usually take?
First-time SOC 2 Type II takes 6-12 months depending on starting maturity: 1-2 months for gap assessment and remediation design, 3-6 months for control operation to build evidence, then the 6-12 month observation period. With a prepared MSSP, many controls operate from day one and compress the timeline.
About the author

Stefan Efros
CEO & Founder, EFROS
Stefan founded EFROS in 2009 after 15+ years in enterprise IT and cybersecurity. He sees how the pieces connect before others see the pieces themselves. Focus: security-first architecture, operational rigor, and SLA accountability.