These three claims are not interchangeable, and only one of them is a real certification. "HIPAA compliant" is not a certification at all — the HHS Office for Civil Rights states plainly that HHS and OCR "do not certify any persons or products as 'HIPAA compliant.'" SOC 2 is an independent auditor's attestation report about a service organization's controls; the useful version (Type II) tests whether those controls actually operated over a period of time. HITRUST is a private, certifiable framework: an assessor evaluates an organization against a defined control set and a certification can be issued. So: one is marketing language, one is an audit report you should read, and one is a certification against a proprietary framework. Buyers get burned by treating all three as a single checkbox.
There is no HIPAA certification
This is the most important sentence in this article, so here it is directly from OCR's own guidance page on misleading marketing claims: HHS and OCR "do not endorse any private consultants' or education providers' seminars, materials or systems, and do not certify any persons or products as 'HIPAA compliant.'"
What that means in practice:
- A "HIPAA compliant" badge on a vendor's website is a self-declaration. It carries whatever weight the vendor's own integrity gives it, and nothing more.
- A certificate from a private company saying a product is "HIPAA certified" is a statement by that private company. It is not a government approval, and no government body stands behind it.
- HIPAA compliance is an ongoing obligation of covered entities and business associates — not a status a product can hold. Software can support your compliance. It cannot be your compliance.
What SOC 2 actually is
SOC 2 is an examination performed by an independent CPA firm, reporting on a service organization's controls relevant to security and, optionally, availability, processing integrity, confidentiality, and privacy. The output is a report, not a badge — and the report is the point.
Two distinctions decide whether a SOC 2 means anything to you:
- Type I vs. Type II. Type I says the controls were suitably designed at a point in time. Type II says an auditor tested whether they actually operated effectively across a period. Type II is the one that tells you something about how the vendor behaves on an ordinary Tuesday.
- Scope. A SOC 2 covers the systems and criteria the vendor chose to put in scope. A report can be perfectly clean and simply not cover the product you're buying, or not include the confidentiality criterion at all.
And read the exceptions section. A SOC 2 Type II report that lists exceptions the vendor has since remediated is far more informative — and often more trustworthy — than a report with no findings and a suspiciously narrow scope.
What HITRUST actually is
HITRUST maintains a control framework (the HITRUST CSF) that maps a wide set of security and privacy requirements — drawn from regulations and standards, including HIPAA-related requirements — into one prescriptive control set. An authorized external assessor evaluates an organization against it, and a certification can be issued.
Two things to hold in mind:
- It is a private framework, not a government program. A HITRUST certification is meaningful evidence of a mature control environment; it is still not a government finding of HIPAA compliance, because no such finding exists.
- Scope again. Certification applies to a defined scope — specific systems, specific facilities. "We're HITRUST certified" is a company-level sentence about a system-level fact. Ask which systems.
"ONC certified" is a different thing entirely
You'll also see "ONC certified" or "certified health IT." This one is a government program — and it is measuring something else. The ONC Health IT Certification Program ensures that certified health IT meets the technological capability, functionality, and security requirements adopted by HHS in the certification criteria. Developers demonstrate conformance to those criteria through authorized testing labs and certification bodies, and certified modules are listed publicly on the Certified Health IT Product List.
So certification tells you the product met a defined set of federal criteria — things like standardized APIs and data export. It does not tell you the vendor runs a mature security program, and it is not a HIPAA compliance seal. It's a useful, verifiable data point about capabilities, published in a public list you can check yourself.
The comparison, side by side
| Claim | What it is | Who says so | What it proves | What it doesn't |
|---|---|---|---|---|
| "HIPAA compliant" | A marketing statement | The vendor, usually | Nothing on its own | No government body certifies products as HIPAA compliant |
| SOC 2 Type I | Attestation report on control design at a point in time | An independent CPA firm | Controls were designed suitably as of a date | That they actually worked over time |
| SOC 2 Type II | Attestation report on control operating effectiveness over a period | An independent CPA firm | Tested evidence that controls operated | Anything outside the report's scope |
| HITRUST certification | Certification against a private control framework | An authorized external assessor | A mature, assessed control environment in a defined scope | A government finding of compliance |
| ONC certified health IT | Conformance to HHS-adopted certification criteria | ONC-authorized certification bodies | Specific functional, interoperability, and security capabilities | The strength of the vendor's overall security program |
Questions that cut through the marketing
Put these in your security questionnaire and watch what comes back:
- "Send us the full SOC 2 Type II report, not the summary or the badge." Under NDA is fine. A vendor that will only send a one-page certificate is telling you something.
- "What period does it cover, and what was in scope?" A report covering a period that ended eighteen months ago is a historical document.
- "What exceptions were noted, and what did you do about them?" The remediation answer is more revealing than the finding.
- "If you're HITRUST certified, which systems are in the certified scope?"
- "Will you sign our BAA?" The only non-negotiable one. If a vendor that touches PHI won't sign a business associate agreement, no certification anywhere makes up for it.
- "Who are your subcontractors that will touch our data, and are they bound to the same terms?"
A note on the proposed Security Rule updates
You may hear vendors reference sweeping new HIPAA Security Rule requirements as a reason to buy now. Be careful with the framing: HHS OCR issued a notice of proposed rulemaking in December 2024 to update the Security Rule. Those changes are proposed, not final, and a proposed rule is not in effect. Any vendor selling you something on the basis that a proposed requirement is already binding has just told you how carefully they read regulations.
The takeaway
Treat "HIPAA compliant" as a claim, not a credential — no federal agency certifies products that way. Treat SOC 2 as a document to read, and insist on Type II with a current period and a scope that includes what you're buying. Treat HITRUST as real evidence of a mature control program, bounded by the scope it covers. Treat ONC certification as a verifiable statement about capabilities, checkable in a public list. Then get the BAA signed, because that's the piece that actually binds anyone to anything.
Common questions
Is there such a thing as HIPAA certification for software?
No. The HHS Office for Civil Rights states that HHS and OCR do not certify any persons or products as "HIPAA compliant." Any certificate making that claim comes from a private company, not the government.
Is SOC 2 Type I good enough?
Usually not. Type I only says the controls were suitably designed at a point in time. Type II involves an auditor testing whether the controls actually operated effectively over a period, which is what you want to know.
Does HITRUST certification mean a vendor is HIPAA compliant?
It means an authorized assessor evaluated the organization against a private control framework within a defined scope and issued a certification. That is meaningful evidence of a mature control program, but it is not a government finding of HIPAA compliance, because no such finding exists.
What does "ONC certified health IT" actually certify?
That the product met the technological capability, functionality, and security requirements adopted by HHS in the certification criteria, as demonstrated through authorized testing and certification bodies. Certified modules are listed publicly on the Certified Health IT Product List. It is not a HIPAA compliance seal.