SOC 2 Type II for Dental AI: What DSO Compliance Teams Need to Know

We started getting the same compliance question from DSO operators about 18 months ago. Not from the CEOs. From the COOs and VPs of Operations who were doing vendor diligence.

The question was always some version of: “Are you SOC 2 Type II certified, or just HIPAA compliant?”

At first, we didn’t understand why HIPAA wasn’t enough. HIPAA is the legal requirement. It’s what the government mandates. Isn’t that the standard?

Then we realized something: the DSO operators asking weren’t confused about compliance. They were smart. They understood that their PE investors had been through enough data breaches and vendor failures to know that HIPAA compliance is a baseline, not a security posture.

We want to explain why SOC 2 Type II matters for DSO executives, and why it should be a question you’re asking every AI vendor.

The Difference Between HIPAA and SOC 2

HIPAA Compliance

HIPAA (Health Insurance Portability and Accountability Act) sets legal requirements for how protected health information (PHI) must be handled. If you’re a healthcare provider or a vendor serving healthcare providers, you have legal obligations:

  • Patient data must be encrypted in transit and at rest
  • You must implement access controls so only authorized people can access patient data
  • You must maintain audit logs of who accessed what and when
  • You must have a breach notification process
  • You must implement physical security for data centers

HIPAA is a checklist. It’s a set of technical and operational requirements that you either implement or you don’t.

SOC 2 Type II

SOC 2 (Service Organization Control) is an auditing standard developed by the American Institute of CPAs. It’s designed to verify that a service provider has implemented controls that protect customer data — and that those controls are actually working over time.

SOC 2 Type II, specifically, means:

  • An independent third-party auditor has examined your entire security infrastructure — not just whether encryption is enabled, but how it’s configured, who has access, how you manage keys
  • That auditor has evaluated your operational processes — your incident response procedures, your staff training, your vendor management, your change control process
  • The auditor has tested your systems over time (typically 6 months) to verify that controls are not just documented but actually functioning
  • You’ve received a formal report certifying that your security posture meets the SOC 2 Type II standard

SOC 2 Type II is proof. It’s not just a checklist. It’s a third-party verification that your security infrastructure is real and working.

Why HIPAA Alone Is Insufficient

HIPAA is a legal floor. Every healthcare vendor is supposed to be HIPAA compliant. But as anyone in healthcare knows, being compliant on paper and actually maintaining security are different things.

Consider a concrete example. A vendor could theoretically be HIPAA-compliant and still have:

  • Weak password policies, so employees use “Password123” and share accounts
  • Poor access controls, so a junior engineer can access production patient data without proper approval
  • No encryption key management, so encryption keys are stored in the same database as encrypted data (technically encrypted, but practically useless)
  • Inadequate vendor management, so they’re using third-party services that haven’t been audited for security
  • No incident response plan, so if there’s a breach, they discover it six months later
  • Inadequate staff training on security practices

These are all real security failures we’ve seen in other healthcare vendors. And most of them technically meet HIPAA’s checklist.

SOC 2 Type II audits catch these gaps because they’re not checking boxes. They’re testing actual security controls in a real environment. This is especially important for DSOs using multiple AI vendors — compliance risk multiplies across vendor fragmentation.

Why PE Investors Care About SOC 2

If your DSO has PE backing, your investors have done diligence on enough vendor failures to understand this distinction. They know that HIPAA is necessary but insufficient. They want SOC 2 Type II because it’s proof.

Here’s how the conversation usually goes: A DSO’s compliance officer or CIO is evaluating a new AI vendor. The vendor says, “We’re HIPAA compliant.” The compliance officer mentions it to the PE firm. The PE firm’s IT security team says, “That’s fine, but is there a SOC 2 Type II report?” If there isn’t, the PE firm’s risk score goes up. Suddenly, implementing this vendor requires additional security reviews, insurance, or attestations.

PE firms have been through healthcare data breaches. They know how expensive those are — not just in direct costs but in liability, insurance, and reputation. A vendor without SOC 2 Type II certification is a security question that PE investors would rather avoid.

What SOC 2 Type II Actually Covers

A SOC 2 Type II audit typically covers five “trust service criteria”:

Security: Is customer data protected from unauthorized access? Are encryption, access controls, and intrusion detection all functioning? Are keys managed securely?

Availability: Is the service available when customers need it? What’s your uptime? How do you handle outages?

Processing Integrity: Is all data processing accurate and complete? If you’re syncing patient data with a PMS, is that sync reliable?

Confidentiality: Is customer data kept confidential? Who has access to patient information? How is access logged and monitored?

Privacy: Is customer data collected, used, retained, and disposed of in accordance with privacy regulations and commitments?

A full SOC 2 Type II report covers all five. Some vendors get audited on just security and availability (a narrower scope). Full SOC 2 Type II is stronger.

The Reality of Getting SOC 2 Type II

This is important to understand: getting SOC 2 Type II certified is expensive and time-consuming. A full audit costs $50,000–$150,000. You need to document your entire infrastructure, implement formal processes if you don’t have them, undergo 6 months of audit monitoring, and then deal with whatever findings come back.

Because it’s expensive, vendors that are serious about enterprise customers pursue it. Vendors that are just starting out or focused on single-practice sales don’t bother. It’s too much cost and complexity for a $2,000/month market.

That means SOC 2 Type II certification is a signal. If a vendor has it, they’ve made a material investment in security and compliance. They’re not a bootstrapped startup. They’re built for enterprise customers.

If a vendor doesn’t have SOC 2 Type II certification and you ask them why, listen carefully to the answer. If they say, “We’re on the roadmap,” that’s fine — they might be working on it. If they say, “Our customers haven’t asked for it,” that’s a red flag. It means they’re not selling to enterprise customers with mature compliance requirements.

Questions to Ask About SOC 2

If you’re a DSO COO or VP of Operations evaluating AI vendors, here’s what to ask:

“Do you have a current SOC 2 Type II certification?”

Listen for a yes or no. If yes, ask to see the report (or at least a summary). You don’t need to understand all the details, but you want to confirm that an independent auditor has actually verified their claims.

“If you have SOC 2 Type II, how recent is it?”

SOC 2 reports cover a specific audit period (usually 6 months). A report from 2024 is current. A report from 2022 is outdated. Ask them to explain what’s changed in their infrastructure since then.

“If you don’t have SOC 2 Type II, why not?”

There are legitimate reasons for a younger company. But if a vendor is selling to enterprise customers and doesn’t have SOC 2 Type II, understand why. Is it cost? Timeline? Lack of maturity in their infrastructure?

“Can you provide a summary of your SOC 2 findings and remediation?”

No vendor will have zero findings. Real audits always surface things that need to be fixed. What matters is whether the vendor has a plan to remediate findings and can articulate what they found and what they’re doing about it.

“What insurance do you carry for data breaches?”

This is separate from SOC 2 but related. Does the vendor carry cyber insurance? What’s the policy limit? This matters because even with great security, breaches happen. Cyber insurance is a financial backstop.

The Cost of Not Asking

A DSO with PE backing that implements an AI vendor without SOC 2 Type II certification carries unquantified security risk. If there’s ever a breach, the PE investors will ask: “Why did you implement an unaudited vendor?” The answer becomes an expensive conversation.

A DSO without PE backing still carries risk. If a vendor experiences a breach and patient data is exposed, your DSO faces liability, notification costs, and regulatory scrutiny. An unaudited vendor makes that situation worse.

SOC 2 Type II certification doesn’t guarantee that a vendor won’t be breached. But it materially reduces your risk. It proves that an independent auditor has examined their security infrastructure and found it credible.

The Competitive Moat of Strong Compliance

For the AI vendors who have pursued SOC 2 Type II certification, it’s becoming a competitive advantage. It’s a signal that says, “We’re built for enterprise. We’re serious about security. We’re not cutting corners.”

As the dental AI market matures, we think this will become table stakes. DSO executives will stop asking, “Are you HIPAA compliant?” and start asking, “Show me your SOC 2 Type II report.” Vendors without that certification will find themselves at a disadvantage when competing for enterprise contracts.

If you’re implementing an AI vendor at your DSO, make SOC 2 Type II certification a requirement — especially if you have PE backing. It’s not just a checkbox. It’s proof that your vendor takes your data security seriously enough to undergo independent audit. For more context on how compliance fits into broader platform evaluation, see our buyer’s guide.
