SOC 2 & HIPAA for AI Platforms
What compliance actually looks like for healthcare AI governance platforms
The Compliance Confusion
Most AI platforms claim to be "HIPAA-ready" or "HIPAA-compliant." These terms sound similar but mean very different things.
Buyers also blur SOC 2 and HIPAA together, as if "SOC 2 HIPAA compliant" were a single stamp. They are two separate things. HIPAA is the healthcare privacy law that governs protected health information. SOC 2 is an independent security audit any software vendor can pursue. A healthcare AI platform needs both, and neither one on its own proves the other.
Understanding the difference, and what actual compliance requires, is critical for healthcare organizations evaluating AI platforms.
HIPAA-Ready vs. HIPAA-Compliant
One is marketing language. The other is actual compliance.
HIPAA-Ready
"We have some security features, and if you configure everything correctly, you might be able to use this in a HIPAA-compliant way."
- Basic security features exist (encryption, access controls)
- YOU configure everything for compliance
- YOU implement PHI protection yourself
- YOU ensure BAAs exist with every vendor
- YOU maintain and prove compliance over time
- Homework disguised as a solution
You do all the compliance work yourself and hope you didn't miss anything.
HIPAA-Compliant
"This platform is architected specifically for HIPAA compliance. PHI protection is automatic, BAAs are in place, and compliance is the default."
- Designed from the ground up for healthcare
- PHI protection happens automatically
- BAAs with all AI vendors included
- Audit trails built-in from day one
- Compliance is the default, not an add-on
- Governance infrastructure already built
Compliance is the default, not an add-on you have to build yourself.
What HIPAA Compliance Actually Requires
8 non-negotiable requirements for AI platforms handling PHI
Automatic PHI Detection & Redaction
Platform must automatically identify and cleanse all 18 HIPAA identifiers before data reaches AI models. Manual removal doesn't scale and fails 100% of the time.
Must have:
- Real-time PHI detection using NLP/pattern matching, automatic redaction, data rehydration for output
Business Associate Agreements (BAAs)
Platform provider AND all AI model vendors (OpenAI, Anthropic, Google) must have executed BAAs. No BAA = HIPAA violation if PHI is shared.
Must have:
- Signed BAAs with platform and all underlying model providers, available for audit
Complete Audit Logs
Every AI interaction must be logged with timestamp, user, model, and data shared. Logs must be immutable and retained per HIPAA requirements (6 years).
Must have:
- Tamper-proof audit logs, searchable/exportable, long-term retention, SIEM integration
Encryption in Transit & At Rest
All data sent to/from AI models must be encrypted during transmission and when stored. Minimum TLS 1.2 for transit, AES-256 for rest.
Must have:
- End-to-end encryption, certificate management, encrypted storage
Access Controls & Authentication
Role-based access control (RBAC), multi-factor authentication (MFA), and session management. Only authorized users can access AI tools.
Must have:
- RBAC, MFA, SSO/SAML integration, session timeouts, user provisioning/deprovisioning
Breach Notification Procedures
Platform must have documented procedures for detecting, reporting, and responding to PHI breaches. Breach notification within 60 days required by HIPAA.
Must have:
- Breach detection monitoring, notification workflows, incident response plan
Data Residency & Retention Controls
Ability to control where PHI is stored/processed (US-only for most BAAs) and how long data is retained.
Must have:
- Data residency options, retention policy configuration, data deletion capabilities
Security Risk Assessment
Platform provider must conduct regular security risk assessments per HIPAA Security Rule. Third-party validation demonstrates this.
Must have:
- SOC 2 Type II certification, penetration testing, vulnerability management program
SOC 2 Type II: What It Means
The gold standard for SaaS security and compliance validation
SOC 2 Type II is an independent third-party audit of a company's security controls over a period of time (typically 6-12 months). It validates that the company doesn't just have security controls; they actually work and are consistently followed.
SOC 2 Type I vs. Type II
Type II is the one that matters
SOC 2 Type I
- "We have these security controls in place" (point-in-time snapshot)
- Proves controls exist at a single moment
- A starting point, not proof of operating effectiveness
A snapshot that shows controls exist but doesn't prove they work over time.
SOC 2 Type II
- "We have proven these controls work over time and are audited" (operating effectiveness)
- Validates controls over 6-12 months of continuous operation
- The gold standard. Proves security is sustained, not just implemented
Proof that security controls actually work and are consistently followed.
What SOC 2 Type II Validates
The five Trust Service Criteria
-
Security Trust Principle
Infrastructure, software, people, and procedures are protected against unauthorized access
-
Availability Trust Principle
System is available for operation and use as committed or agreed
-
Processing Integrity Trust Principle
System processing is complete, valid, accurate, timely, and authorized
-
Confidentiality Trust Principle
Confidential information is protected as committed or agreed
-
Privacy Trust Principle
Personal information is collected, used, retained, disclosed, and destroyed per privacy policy
Compliance Red Flags
Warning signs that a platform isn't truly compliant
🚩 Uses "HIPAA-Ready" Instead of "HIPAA-Compliant"
HIPAA-ready is marketing speak for 'you have to do all the compliance work yourself.'
🚩 No SOC 2 Type II Report Available
SOC 2 Type I is a starting point. Type II proves controls actually work over time.
🚩 Can't Provide BAAs with AI Model Providers
Platform might have a BAA with you, but if they don't have BAAs with OpenAI/Anthropic/Google, PHI is still exposed.
🚩 Relies on Manual PHI Removal
If the platform tells users to 'remember to remove PHI,' it's not a governance platform, it's a liability.
🚩 No Audit Logs or Limited Logging
If you can't prove what data was sent where, you can't demonstrate compliance during an audit.
🚩 Claims 'AI-Generated BAAs Are Fine'
BAAs are legal contracts that require lawyers, not ChatGPT. Vendor-generated templates need legal review.
Questions to Ask AI Platform Vendors
SOC 2 and HIPAA for AI Platforms: Common Questions
Is SOC 2 the same as HIPAA compliance?
No. They are two separate frameworks that healthcare buyers often confuse. HIPAA is a US healthcare law that governs how protected health information can be used and disclosed, and it applies to covered entities and their business associates. SOC 2 is a voluntary security attestation, audited by an independent firm against five trust criteria, that any software vendor can pursue. A platform can hold a SOC 2 report and still not be set up to handle PHI lawfully, and it can meet its HIPAA obligations without ever completing a SOC 2 audit. For a healthcare AI platform you want both: SOC 2 Type II as evidence the security controls actually operate, and a HIPAA-compliant architecture with signed BAAs so PHI is handled within the law.
Does an AI platform need both SOC 2 and HIPAA to be safe for healthcare?
For most healthcare buyers, yes. HIPAA is the legal requirement the moment protected health information touches the tool. SOC 2 Type II is the independent proof that the platform's security controls are real and consistently followed, not just claimed. HIPAA tells you the platform is allowed to handle PHI. SOC 2 Type II gives you third-party evidence that it can be trusted to. Asking for both, plus BAAs with every underlying AI model provider, is the fastest way to separate a serious platform from a consumer tool with a healthcare label.
Can a platform be HIPAA compliant without SOC 2?
Technically yes. HIPAA does not require a SOC 2 report, and SOC 2 does not require HIPAA. But in practice, a healthcare AI vendor that has not completed a SOC 2 Type II audit is asking you to take its security claims on trust. SOC 2 Type II is how a serious vendor proves, through an independent auditor, that the controls behind its HIPAA posture actually work over time. Its absence is a reason to ask more questions, and most healthcare security teams treat it as table stakes.
What is the difference between "HIPAA-ready" and "HIPAA-compliant"?
"HIPAA-ready" usually means the platform has some security features and that you can configure it to be compliant if you do the work correctly. The compliance burden sits with you. "HIPAA-compliant" means the platform is architected for healthcare from the start: PHI protection is automatic, business associate agreements are already in place, and audit trails exist by default. If a vendor only ever says "HIPAA-ready," treat it as marketing language and ask exactly what you would still be responsible for.
Do the underlying AI models like OpenAI, Anthropic, and Google need to be covered by a BAA?
Yes. If protected health information can reach an underlying model, HIPAA requires a business associate agreement with whoever runs that model, not just with the platform in front of it. A platform can hold a BAA with you and still expose PHI if it has no BAA with the model providers it sends data to. Ask the vendor to confirm executed BAAs with every model it uses, or to show exactly how PHI is redacted before it ever leaves the platform.
Is SOC 2 Type I enough, or do we need Type II?
Type II is the one that matters for healthcare. SOC 2 Type I is a point-in-time snapshot that says the controls existed on a given day. SOC 2 Type II is an audit of whether those controls operated effectively over a period of six to twelve months. For a platform that will handle PHI, you want Type II, because sustained, audited operation is the evidence that security is a practice and not a one-time setup.
What should we ask a vendor to prove SOC 2 and HIPAA compliance?
Ask for four things in writing: the current SOC 2 Type II report rather than Type I, sample business associate agreements including ones with the underlying AI model providers, a live demonstration of automatic PHI detection and redaction, and an export of complete audit logs. A platform that is genuinely SOC 2 and HIPAA compliant can produce all four. Hesitation on any of them tells you where the gaps are.
See the Difference
AuthenTech AI is SOC 2 Type II certified and designed for HIPAA compliance from the ground up. Not "HIPAA-ready," actually compliant