HIPAA
Federal requirements for protecting electronic protected health information (ePHI).
Overview
The HIPAA Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI. Unlike ISO 27001 or SOC 2, there is no formal 'HIPAA certification' — compliance is demonstrated through documented safeguards and risk analysis.
Key Requirements
- Documented Security Risk Analysis (SRA)
- Access controls and audit logging for ePHI systems
- Business Associate Agreements (BAAs) with all vendors touching ePHI
- Workforce security awareness training
Who Needs This
- • Healthcare providers and clinical systems
- • Health insurance payers and claims processors
- • Business associates handling ePHI on behalf of covered entities
Typical Timeline
8-10 weeks for a comprehensive Security Risk Analysis and remediation plan
Our Approach
Security Risk Analysis aligned to NIST SP 800-66 guidance
Technical safeguard implementation (access control, encryption, audit logging)
Business associate risk review
Breach notification readiness and incident response planning
Ready to pursue HIPAA readiness?
Talk to our GRC advisory team about a scoped gap assessment for your organization.