When I ask home health administrators what evidence they have collected from their vendors to verify their security posture, the most common answer is: "They told us they are HIPAA compliant." This answer is the vendor security assessment equivalent of a job applicant saying "I'm very responsible" without providing references. Self-attestation of security compliance by technology vendors is not verification — it is a claim. A SOC 2 Type 2 report is independent verification, produced by a licensed CPA firm that examined the vendor's actual security controls over a defined period and reported on whether those controls operated as described.
For home health agencies managing vendor relationships with EHR providers, billing companies, scheduling software vendors, and cloud service providers, understanding what a SOC 2 report is, what it contains, and how to read it is one of the most practical compliance skills a HIPAA Security Officer can develop.
What a SOC 2 Report Is — The Non-Technical Explanation
SOC stands for System and Organisation Controls (the AICPA's current expansion of the acronym; older material says Service Organisation Control). SOC 2 reports are produced under attestation standards issued by the American Institute of Certified Public Accountants (AICPA). A SOC 2 audit is conducted by an independent CPA firm that examines the service organisation's (your vendor's) internal controls related to security, availability, processing integrity, confidentiality, and privacy. The CPA firm issues an opinion on whether those controls are suitably designed as of a point in time (in a Type 1 report) or whether they are suitably designed and actually operated effectively over a defined period, typically 6 to 12 months (in a Type 2 report).
Type 1 vs. Type 2: The Critical Distinction
A SOC 2 Type 1 report examines controls as of a specific date and opines on whether they are suitably designed. It is essentially a snapshot: as of this date, these controls existed and appear to be appropriately designed. A SOC 2 Type 2 report examines controls over a period of time and opines on both design and whether the controls actually operated effectively throughout that period. Type 2 is meaningfully more rigorous than Type 1: a vendor can design impressive controls for a Type 1 audit and then never actually operate them. Type 2 tests the operation, not just the design.
For home health vendor management purposes, always request the Type 2 report. A vendor that offers only a Type 1 report has not yet demonstrated that its controls work in practice. A vendor that refuses to share any SOC report should be treated with significant scrutiny; the absence of a report is itself a signal about the maturity of the vendor's security programme.
The Five Trust Services Categories
SOC 2 reports are organised around the AICPA Trust Services Criteria (TSC), which are grouped into five categories. Every SOC 2 report covers Security (the common criteria, which form the foundation). Reports may also cover Availability, Processing Integrity, Confidentiality, and Privacy, depending on which categories the vendor elected to include in scope. For home health vendor assessments, the most relevant categories are:
- Security (CC): covers logical and physical access controls, system operations monitoring, change management, and risk mitigation. This is the most directly HIPAA-relevant criterion and is required in every SOC 2 report.
- Availability (A): covers system availability and performance against commitments — relevant for EHR vendors where uptime affects clinical operations.
- Confidentiality (C): covers how the vendor handles information designated as confidential — directly relevant for ePHI in HIPAA terms.
How to Read a SOC 2 Report as a Non-Accountant
Before you look at individual findings, check three things: the auditor's opinion (an unqualified opinion is what you want; a qualified opinion means the auditor found material problems), the review period (a report whose period ended more than about a year ago is stale, and vendors can issue a bridge letter covering the gap), and the system description (confirm it covers the product you actually use and note any subservice organisations, such as the cloud host, that are carved out of scope). Then turn to the exceptions, the instances where the auditor found that a control did not operate effectively during the review period. Navigate directly to the section titled "Results of Tests of Controls" or "Description of Tests of Controls and Results." Look for any finding described as an "exception" or "deviation." Each exception should have a management response describing how the issue was addressed. Finally, read the Complementary User Entity Controls (CUECs): these are the controls the vendor assumes your agency operates (for example, managing your own user accounts and removing departed staff promptly), and the vendor's opinion only holds if you actually do.
A report with no exceptions means the auditor's tests found the controls operating as designed throughout the review period; this is the ideal outcome. A report with a small number of minor exceptions and documented remediation is still acceptable. A report with significant exceptions, a qualified opinion, or a vendor that cannot provide a current report warrants serious additional scrutiny before extending ePHI access.
Protecting your home health agency starts with understanding exactly where you stand today. ShieldForce delivers a free, no-obligation HIPAA Risk Assessment — thirty minutes with a healthcare cybersecurity expert who has spent three decades inside this industry. You will leave with a clear picture of your gaps, your priorities, and what a fully managed security programme looks like for an organisation exactly like yours.
→ Schedule Your Free HIPAA Risk Assessment — shieldforce.io/hipaa-assessment
→ Explore Home Healthcare Cybersecurity — shieldforce.io/home-healthcare
→ View Transparent Pricing from $35/user/month — shieldforce.io/pricing-comparison