HIPAA

HIPAA is a U.S. law whose Security, Privacy, and Breach Notification Rules govern how covered entities and business associates protect electronic protected health information (ePHI).

Get a demo All frameworks

Governed by U.S. Department of Health & Human Services (HHS)

What it is

What HIPAA is, in plain terms

HIPAA (the Health Insurance Portability and Accountability Act) is U.S. law that governs how protected health information is safeguarded. Its Security Rule requires administrative, physical, and technical safeguards for electronic protected health information (ePHI); its Privacy Rule governs use and disclosure of PHI; and its Breach Notification Rule sets reporting obligations. It applies to covered entities and to business associates that handle PHI on their behalf.

Typical effort & timeline

HIPAA has no certification or fixed deadline; it is an ongoing legal obligation. Effort centers on completing a risk analysis, implementing safeguards, and keeping documentation and remediation current.

Who needs it

Is this framework for you?

Healthcare providers, plans, and clearinghouses (covered entities).
Vendors and SaaS companies that handle PHI for healthcare clients (business associates).
Any organization required to sign a Business Associate Agreement.

About the framework

Key facts about HIPAA

The Security Rule requires administrative, physical, and technical safeguards for ePHI.
The Privacy Rule governs the use and disclosure of protected health information (PHI).
The Breach Notification Rule sets requirements for reporting breaches of unsecured PHI.
Applies to covered entities and their business associates under a Business Associate Agreement.

Public information about the framework itself. We don't claim certifications, assessment status, or authorizations for our own product.

With this platform

How we help with HIPAA

Map the Security Rule safeguards to tests and evidence.
Track risk analyses and remediation activities over time.
Organize policies and evidence for the administrative safeguards.
Reuse overlapping evidence already collected for SOC 2 or ISO 27001.

Step by step

Get and stay compliant

How the platform supports your HIPAA program — from first scope to ongoing monitoring.

Run a risk analysis

Conduct and document a security risk analysis of where ePHI lives and how it is protected.

Implement safeguards

Map administrative, physical, and technical safeguards to tests and evidence.

Document policies & BAAs

Organize policies and Business Associate Agreements as part of administrative safeguards.

Maintain & respond

Track remediation over time and keep breach-notification processes ready.

Representative areas

What HIPAA covers

Public, high-level control or requirement areas — for orientation, not a complete control list.

Administrative safeguards

Physical safeguards

Technical safeguards

Privacy Rule

Breach notification

Do it once

Reuse evidence across frameworks

HIPAA shares controls with frameworks you may already run. A passing test can satisfy requirements in more than one place — so adding the next framework means reusing work, not repeating it.

SOC 2

Trust Services Criteria for service organizations

ISO/IEC 27001

International standard for information security management

FAQ

Common questions about HIPAA

No official HIPAA certification exists. Organizations demonstrate compliance through risk analyses, implemented safeguards, and documentation rather than a certificate.

A vendor or subcontractor that creates, receives, maintains, or transmits PHI on behalf of a covered entity, governed by a Business Associate Agreement.

Yes. Many Security Rule safeguards overlap with SOC 2 and ISO 27001 controls, so evidence can be shared via cross-mapping.

Get audit-ready for HIPAA

Get a guided demo, or start by scanning any domain for free.

Get a demo Compliance automation