HIPAA · Security Rule Compliance

HIPAA,
run continuously.

HIPAA isn't a certification you earn — it's an operating posture you have to prove at any moment. OCR doesn't schedule audits; breaches trigger them. We run the Security Rule as a live program — risk analysis on cadence, BAAs tracked continuously, and breach response runbooks rehearsed instead of improvised.

01 /

What HIPAA actually requires.

The reality behind the regulation

HIPAA is a regulation, not a certification. There's no government-issued HIPAA certificate — only documented evidence that you're operating in compliance with the Security Rule, Privacy Rule, and Breach Notification Rule. When OCR investigates (usually triggered by a breach or a complaint), that documentation is what determines the outcome.

01
Three Rules, one operating posture

The Security Rule covers technical, administrative, and physical safeguards for ePHI. The Privacy Rule covers permitted uses and disclosures. The Breach Notification Rule covers what happens when things go wrong. All three have to be operating simultaneously and demonstrable on demand.

02
An active risk analysis

The Security Rule requires an ongoing risk analysis process — not a document, a process. New systems, new vendors, new threats all need to flow through it. OCR looks for evidence the risk analysis is actually running, not a stale PDF from three years ago.

03
BAAs with every vendor touching PHI

Every vendor who processes, stores, or transmits ePHI on your behalf needs a Business Associate Agreement — signed, current, and demonstrable. Missing or expired BAAs are one of the most common findings in OCR investigations. Ours are tracked with renewal dates and scope changes flagged automatically.

02 /

Why most HIPAA programs fail on inspection day.

The predictable OCR finding pattern

Most HIPAA programs fail not because the safeguards are absent, but because they can't be demonstrated on demand. OCR asks "when did you last update your risk analysis?" and the honest answer is "we can't remember." When the auditor arrives — or worse, when a breach happens — the compliance posture becomes visible for the first time, and it's usually messier than anyone thought.

Risk analysis theater

The risk analysis exists — as a Word document from 2022. It was thorough at the time. It hasn't been updated since. New systems, new vendors, new data flows have all happened without ever going through the risk process. This is OCR's most common finding.

BAA sprawl

BAAs signed at vendor onboarding, then forgotten. Some vendors expanded scope without a BAA amendment. Some BAAs expired. Some vendors changed corporate structure. When OCR asks "show me the current BAA for every vendor touching PHI," most teams can't produce it in under a week.

Untested breach response

The breach notification runbook exists in a Confluence page. It's never been drilled. When a breach happens, the response is improvised — with a 60-day clock ticking. Late notifications and incomplete disclosures compound the original breach into a regulatory event.

03 /

How we run HIPAA differently.

Demonstrable posture, on demand

Our Managed Program treats HIPAA as continuous operations — because that's how OCR judges it. Risk analysis is a live process, BAAs are tracked with automated renewal cadences, and breach runbooks are rehearsed on a schedule. If OCR knocks, we can produce the compliance record in minutes.

/ 01
Living risk analysis
New systems, vendors, and data flows trigger a risk analysis update as they happen — not at annual review. The risk register is a live artifact with owners, mitigation plans, and residual risk accepted by the right person. OCR-ready every day.
/ 02
BAA lifecycle management
Every BAA tracked with renewal dates, scope, and vendor risk tier. Renewals surface 60 days before expiry. Scope changes at the vendor flag automatically. No more "we thought we had one on file" moments.
/ 03
Rehearsed breach response
Breach notification runbooks tied to actual roles, actual escalation paths, and actual OCR reporting workflows. Tabletop exercises on a cadence. When a breach happens, the response is a drill you've run, not a fire drill you're inventing.
04 /

What HIPAA looks like on our platform.

Sample deliverable · Anonymized

HIPAA compliance is a posture — one that must be provable to OCR on demand. This is the live coverage view for a healthcare client program, including the BAA and risk-analysis drift that our platform surfaces automatically. What OCR would see if they walked in tomorrow.

Sample

Framework Coverage · Live

Northwind Health, Inc. · March 2026

Frameworks Tracked · 5
Controls Mapped · 487
Last Sync · 7 min ago
SOC 2 TYPE II
94%
ISO 27001:2022
81%
HIPAA SEC. RULE
68%
NIST CSF 2.0
76%
PCI DSS 4.0
59%
HIPAA Drift & Exceptions · Last 14 Days
SafeguardFindingDetectedStatus
§164.308 Administrative safeguards · BAA expired for Twilio (renewal in progress) 2026-03-11 Tracked
§164.308 Risk analysis update pending — new PHI-processing vendor onboarded 2026-03-06 Assigned
§164.312 Technical safeguards · encryption audit for one legacy DB pending 2026-02-22 Remediating
05 /

HIPAA questions we hear most.

Straight answers
Is HIPAA a certification?+

No. HIPAA is a regulation, not a certification scheme — there's no government-issued HIPAA certificate. What exists are HIPAA compliance attestations from third-party assessors (like HITRUST) and self-attestations backed by documented risk analysis, policies, and controls. Many of our clients pursue HITRUST for the credibility, or layer HIPAA controls into their SOC 2 (using the HIPAA-aligned Trust Services Criteria) for efficiency.

Does HIPAA apply to us if we're not a healthcare provider?+

Possibly. HIPAA applies to covered entities (providers, plans, clearinghouses) and business associates (any vendor that handles PHI on behalf of a covered entity). If you're a SaaS company whose product touches PHI — patient data, claims data, ePHI of any kind — you're likely a business associate and need to comply. If you're not sure, the right starting point is mapping your data flows; we do this as part of the Posture Scan.

What happens if we have a breach?+

HIPAA requires notification within 60 days for breaches affecting fewer than 500 individuals, or without unreasonable delay (and to HHS and the media) for larger breaches. The clock starts when you discover the breach or should have discovered it. The response — investigation, notification letters, HHS reporting, mitigation — is intense and must happen alongside ongoing operations. We help clients build incident response runbooks that map directly to HIPAA breach notification requirements, so the response is rehearsed rather than improvised.

See All HIPAA FAQs

Ready to run HIPAA continuously?

Book a Walkthrough