The SOC 1 has a completely different purpose than HITRUST. Typically a company would perform both if they are a TPA processing medical claims and other claims, where, there is responsibility for financial reporting and maintaining security over the information being handled.
There are a lot of factors that go into responding to this question. There are audit, consulting, software, internal resources, and other factors to consider which can easily grow from
SOC 2 Type II audits should be performed annually, however, there are times you may choose to perform them twice a year. Additionally, if recently completing a SOC 2 Type
As of the latest SSAE 18 and SOC 2 updates, vendor management and review of any relevant compliance / audit reports (SOC 1, SOC 2, HITRUST, ISO 27001/2, PCI, etc.) has become
SSAE-18 is effective for all reports issued after May 1, 2017.
At a high-level, SOC1 is about financial controls, while SOC2 focuses on information security controls. They serve different end-user customers and stakeholders.
Assuming your Company is subject to GDPR, the level of effort depends a lot on the maturity of Organizational and Privacy controls. The Organizational will be mostly met by implementation
SOC Reporting Guide