HIPAA, run as a program. Not as a checklist.
Risk analysis, technical and administrative safeguards, business associate agreements, and breach notification readiness. The OCR audits when something goes wrong; we make sure the program holds up.
United States federal law governing the protection of protected health information (PHI) by covered entities and business associates.
HIPAA is United States federal law, not a certification. Compliance is a continuous obligation rather than a point-in-time pass. The Security Rule (45 CFR §164.302 to 318) requires administrative, physical, and technical safeguards over electronic protected health information (ePHI). The Privacy Rule (45 CFR §164.500 to 534) governs use and disclosure of PHI in any form. The HHS Office for Civil Rights enforces, with civil penalties tiered by culpability and breach impact.
Who needs it
Covered entities (health plans, healthcare providers, healthcare clearinghouses) and business associates (any vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity). SaaS companies that handle health data for hospital systems, insurance companies, or digital health platforms are typically business associates and need a Business Associate Agreement with each covered entity customer.
The HSD playbook for HIPAA
HSD's engineers begin with the §164.308(a)(1)(ii)(A) risk analysis and risk management plan, then implement administrative safeguards (workforce training, access management, audit controls), physical safeguards (workstation and device security), and technical safeguards (access control, audit logs, encryption, transmission security). We write the BAA template you sign with covered entities, the BAA you sign with downstream subcontractors, the breach notification runbook, and the HIPAA-required policies. There is no formal certification, but customers may request an independent third-party assessment; we coordinate that.
Timeline
| Timing | Phase | Deliverables |
|---|---|---|
| Weeks 1 to 2 | Risk analysis | Documented risk analysis per §164.308(a)(1)(ii)(A): assets, threats, vulnerabilities, likelihood, impact, controls, residual risk |
| Weeks 2 to 5 | Administrative safeguards | Workforce training program, access management, sanction policy, contingency plan, evaluation procedures |
| Weeks 3 to 6 | Technical safeguards | Unique user identification, automatic logoff, encryption at rest and in transit, audit controls, integrity controls |
| Weeks 4 to 6 | BAA program | Downstream subcontractor inventory, BAA execution; covered entity BAA template ready |
| Week 6 | Breach notification readiness | Runbook, contact list, decision criteria; tabletop exercise documented |
| Weeks 7 to 10 | Optional third-party assessment | Independent assessment if a customer requires one; commonly HITRUST CSF or similar |
Cost reality
| Line item | Range | Note |
|---|---|---|
| Software platforms with HIPAA support | USD 8,000 to 22,000 per year | Most compliance platforms support HIPAA but it is rarely a primary use case |
| Remediation consulting | USD 25,000 to 70,000 | Lower than SOC 2 + ISO 27001 because of narrower scope, higher when PHI flows are complex |
| Optional third-party assessment | USD 15,000 to 40,000 | HITRUST CSF certification adds significantly; lighter independent attestations cost less |
| HSD bundled program | Scoped per program | Risk analysis, safeguards, BAA, breach readiness in one engagement |
What auditors check
Documented risk analysis
Most-cited gap in OCR enforcement actions. Required to be conducted, documented, and updated; cannot be a one-page form.
Workforce training program with records
All workforce members trained on policies and procedures; training tracked; refresher cadence documented.
Audit logs on systems with PHI access
Recording, reviewing, and retaining records of activity in systems that contain ePHI.
Encryption of ePHI at rest and in transit
Encryption is addressable rather than required, but the safeguard documentation must justify the choice if encryption is not implemented.
Business Associate Agreements with all subcontractors
Every downstream vendor handling PHI on the company's behalf has a current, signed BAA with §164.504(e) required terms.
Breach notification timeline and capability
Written runbook, contact lists, decision criteria, evidence the process has been exercised.
Common pitfalls
Treating risk analysis as a checklist
OCR settlements consistently cite inadequate or missing risk analysis. The §164.308(a)(1)(ii)(A) analysis must address the specific environment, not be a template.
Missing BAAs with subcontractors
BAAs flow downstream. If a vendor handling PHI on your behalf does not have a current BAA with you, you are exposed regardless of your other controls.
Confusing addressable with optional
Addressable safeguards must be implemented, or the decision to use an alternative measure instead must be documented. Treating addressable as optional is a frequent finding.
No breach notification rehearsal
Notification is due within sixty days of discovery, and in practice it has to happen faster. Without a tested runbook, the timeline slips and the violation compounds.
Stale workforce training
Annual training without records of completion is a documentation gap. Train, track, retain.
FAQ
Is HIPAA a certification?
What is a Business Associate Agreement?
What is the difference between PHI and ePHI?
Do all SaaS companies that handle health data need to comply with HIPAA?
What are HIPAA penalties?
Does HSD do HIPAA without SOC 2?
Want HIPAA scoped for your stack?
Thirty-minute call. Fixed-scope quote inside a week. We tell you honestly when HIPAA should wait or when it should lead.