HIPAA isn't a certification you earn — it's an operating posture you have to prove at any moment. OCR doesn't schedule audits; breaches trigger them. We run the Security Rule as a live program — risk analysis on cadence, BAAs tracked continuously, and breach response runbooks rehearsed instead of improvised.
HIPAA is a regulation, not a certification. There's no government-issued HIPAA certificate — only documented evidence that you're operating in compliance with the Security Rule, Privacy Rule, and Breach Notification Rule. When OCR investigates (usually triggered by a breach or a complaint), that documentation is what determines the outcome.
The Security Rule covers technical, administrative, and physical safeguards for ePHI. The Privacy Rule covers permitted uses and disclosures. The Breach Notification Rule covers what happens when things go wrong. All three have to be operating simultaneously and demonstrable on demand.
The Security Rule requires an ongoing risk analysis process — not a document, a process. New systems, new vendors, new threats all need to flow through it. OCR looks for evidence the risk analysis is actually running, not a stale PDF from three years ago.
Every vendor who processes, stores, or transmits ePHI on your behalf needs a Business Associate Agreement — signed, current, and demonstrable. Missing or expired BAAs are one of the most common findings in OCR investigations. Ours are tracked with renewal dates and scope changes flagged automatically.
Most HIPAA programs fail not because the safeguards are absent, but because they can't be demonstrated on demand. OCR asks "when did you last update your risk analysis?" and the honest answer is "we can't remember." When the auditor arrives — or worse, when a breach happens — the compliance posture becomes visible for the first time, and it's usually messier than anyone thought.
The risk analysis exists — as a Word document from 2022. It was thorough at the time. It hasn't been updated since. New systems, new vendors, new data flows have all happened without ever going through the risk process. This is OCR's most common finding.
BAAs signed at vendor onboarding, then forgotten. Some vendors expanded scope without a BAA amendment. Some BAAs expired. Some vendors changed corporate structure. When OCR asks "show me the current BAA for every vendor touching PHI," most teams can't produce it in under a week.
The breach notification runbook exists in a Confluence page. It's never been drilled. When a breach happens, the response is improvised — with a 60-day clock ticking. Late notifications and incomplete disclosures compound the original breach into a regulatory event.
Our Managed Program treats HIPAA as continuous operations — because that's how OCR judges it. Risk analysis is a live process, BAAs are tracked with automated renewal cadences, and breach runbooks are rehearsed on a schedule. If OCR knocks, we can produce the compliance record in minutes.
HIPAA compliance is a posture — one that must be provable to OCR on demand. This is the live coverage view for a healthcare client program, including the BAA and risk-analysis drift that our platform surfaces automatically. What OCR would see if they walked in tomorrow.
Northwind Health, Inc. · March 2026
| Safeguard | Finding | Detected | Status |
|---|---|---|---|
| §164.308 | Administrative safeguards · BAA expired for Twilio (renewal in progress) | 2026-03-11 | Tracked |
| §164.308 | Risk analysis update pending — new PHI-processing vendor onboarded | 2026-03-06 | Assigned |
| §164.312 | Technical safeguards · encryption audit for one legacy DB pending | 2026-02-22 | Remediating |
No. HIPAA is a regulation, not a certification scheme — there's no government-issued HIPAA certificate. What exists are HIPAA compliance attestations from third-party assessors (like HITRUST) and self-attestations backed by documented risk analysis, policies, and controls. Many of our clients pursue HITRUST for the credibility, or layer HIPAA controls into their SOC 2 (using the HIPAA-aligned Trust Services Criteria) for efficiency.
Possibly. HIPAA applies to covered entities (providers, plans, clearinghouses) and business associates (any vendor that handles PHI on behalf of a covered entity). If you're a SaaS company whose product touches PHI — patient data, claims data, ePHI of any kind — you're likely a business associate and need to comply. If you're not sure, the right starting point is mapping your data flows; we do this as part of the Posture Scan.
HIPAA requires notification within 60 days for breaches affecting fewer than 500 individuals, or without unreasonable delay (and to HHS and the media) for larger breaches. The clock starts when you discover the breach or should have discovered it. The response — investigation, notification letters, HHS reporting, mitigation — is intense and must happen alongside ongoing operations. We help clients build incident response runbooks that map directly to HIPAA breach notification requirements, so the response is rehearsed rather than improvised.