HIPAA’s Security Rule and Privacy Rule apply directly to any technology company that creates, receives, maintains, or transmits Protected Health Information on behalf of a covered entity, because that company is a Business Associate. We build your HIPAA compliance programme (policies, risk analysis, controls, and BAA documentation) so you can sign with hospital systems and health plans without delay.
Timeline: 8–12 weeks (HIPAA standalone) · 10–14 weeks (HIPAA + SOC 2 combined)
Scope: Security Rule compliance · Privacy Rule compliance · BAA documentation · Risk Analysis
Advisor: Senior advisor with HealthTech experience
First-pass rate: 98% of clients pass their healthcare procurement review first time
Pricing: Fixed fee · PHI data flow mapping included
HIPAA — the Health Insurance Portability and Accountability Act — is a US federal law that establishes national standards for protecting sensitive patient health information. For technology companies, HIPAA compliance is relevant whenever your platform, application, or service creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a HIPAA covered entity — a hospital, health plan, healthcare clearinghouse, or healthcare provider.
When a technology company handles PHI on behalf of a covered entity, it becomes a Business Associate. As a Business Associate, you are directly required to comply with HIPAA’s Security Rule, you are subject to HIPAA’s Privacy Rule in relation to how you use and disclose PHI, and you must sign a Business Associate Agreement (BAA) with every covered entity you work with. Failure to comply as a Business Associate exposes your company to enforcement by the HHS Office for Civil Rights and to civil monetary penalties, which are tiered by culpability with the highest tier reserved for wilful neglect that is not corrected. Knowingly obtaining or disclosing PHI in violation of HIPAA is a separate criminal offence under 42 U.S.C. § 1320d-6, prosecuted by the Department of Justice.
HIPAA compliance is not a certification in the same sense as SOC 2 or ISO 27001 — there is no HIPAA certificate issued by an external auditor. Instead, HIPAA compliance is demonstrated through a documented programme: a completed Security Rule Risk Analysis, implemented administrative, physical, and technical safeguards, Privacy Rule policies, and a portfolio of signed Business Associate Agreements. Enterprise healthcare buyers verify this programme through vendor security questionnaires and due diligence reviews before signing BAAs.
The Security Rule requires covered entities and Business Associates to implement administrative safeguards (risk analysis, workforce training, access management), physical safeguards (facility access controls, workstation security, device disposal), and technical safeguards (access controls, audit controls, integrity controls, and transmission security) for all electronic PHI. Some implementation specifications are labelled "required" and others "addressable"; addressable does not mean optional. For each addressable specification you must either implement it or document why it is not reasonable and appropriate for your environment and what equivalent alternative you have put in place. Encryption of ePHI is the most common example: it is addressable, and an undocumented decision not to encrypt is a finding in almost every assessment. The Security Rule is the most technically demanding component of HIPAA compliance and the area where HealthTech companies have the largest number of gaps before their first assessment.
The Privacy Rule establishes national standards for the protection of individuals' medical records and other individually identifiable health information. For Business Associates, the Privacy Rule governs how you may use PHI that covered entities share with you, what disclosures are permitted, and what obligations you have regarding minimum necessary access and PHI de-identification. Your BAA template must accurately reflect your Privacy Rule obligations.
Every healthcare enterprise customer you work with will require you to sign a BAA before sharing any PHI with you. Your BAA must accurately describe your permitted uses of PHI, your security obligations, your breach notification procedures, and your subcontractor management requirements. We prepare your standard BAA template, your BAA review process, and your subcontractor BAA programme — so that when the request arrives, you have a legally sound response ready immediately.
HIPAA's Breach Notification Rule requires Business Associates to notify the affected covered entity of any breach of unsecured PHI without unreasonable delay and in no case later than 60 calendar days after discovery; many BAAs contract for a much shorter window, and the contractual deadline then controls. "Unsecured" means PHI that has not been rendered unusable, unreadable, or indecipherable under HHS guidance, which is why properly encrypted data lost on a stolen laptop or exposed from a storage bucket is generally not a reportable breach while plaintext data is. We build your breach detection, investigation, and notification procedures, including the documentation and communication templates required by the Breach Notification Rule. This is increasingly scrutinised by healthcare enterprise procurement teams as part of vendor due diligence.
The scope of HIPAA obligations is frequently misunderstood — including by experienced technology teams. We will tell you clearly whether you are a Business Associate, what your specific obligations are, and what the fastest path to a compliant programme looks like. 30-minute consultation, no cost.
We map every system, service, and data flow that creates, receives, maintains, or transmits PHI in your environment. We conduct a Security Rule gap assessment against the administrative, physical, and technical safeguard requirements, identify your risk areas, and produce a gap report with a prioritised remediation roadmap. We also assess your current BAA posture and identify all vendors who require subcontractor BAAs.
We complete your formal HIPAA Security Rule Risk Analysis — a documented assessment of the threats and vulnerabilities to the confidentiality, integrity, and availability of ePHI in your environment. We implement the required administrative safeguards (policies, workforce training, access management), physical safeguards (device policies, facility controls), and technical safeguards (encryption, audit controls, access management).
We produce your complete HIPAA policy suite — Security Rule policies, Privacy Rule policies, and your Breach Notification procedures — written specifically for your company, your systems, and your customer relationships. We prepare your standard Business Associate Agreement template and your subcontractor BAA programme. These documents are reviewed and finalised with your legal team before use.
HIPAA requires documented workforce training on privacy and security policies. We build your training programme, deliver initial training to your team, and document completion. We then conduct a final validation of your completed programme — confirming every required element is in place and that your due diligence questionnaire responses can be substantiated by your documentation.
HIPAA compliance is not a one-time project. The Security Rule requires your Risk Analysis to be reviewed and updated periodically and whenever your environment changes materially; an annual review is the accepted baseline. It also requires ongoing monitoring of your safeguards and updating your documentation as your platform evolves. We stay engaged as your compliance partner, reviewing your programme annually, updating your policies when your systems change, and supporting your responses to healthcare enterprise vendor questionnaires.
If your primary requirement is signing BAAs with covered entities and passing healthcare vendor due diligence questionnaires, a standalone HIPAA compliance programme is the most direct path. We complete your Security Rule Risk Analysis, implement your required safeguards, produce your policy documentation, and prepare your BAA template — typically in 8–12 weeks. This is appropriate for companies in the early stages of entering the healthcare market.
Most hospital systems, health plans, and digital health networks require both HIPAA compliance and SOC 2 Type 2 for technology vendors handling PHI. HIPAA and SOC 2 share substantial control overlap — access controls, encryption, audit logging, incident management, vendor management — and we build these controls once, for both frameworks, on a single coordinated timeline. A combined programme typically delivers both deliverables in 10–14 weeks and saves 30–40% versus two sequential engagements.
For HealthTech companies targeting large hospital systems and national health plans, HITRUST certification is increasingly required in addition to HIPAA and SOC 2. We build all three as a unified programme, mapping overlapping controls across HIPAA, SOC 2, and HITRUST to eliminate duplicated work and deliver all three outcomes (the HIPAA compliance programme, the SOC 2 report, and the HITRUST certification) on a single coordinated timeline. See our HITRUST page for more on this path.
If your question is not here, just email us — we will give you a straight answer.
If your platform creates, receives, maintains, or transmits Protected Health Information on behalf of a HIPAA covered entity (a hospital, health plan, healthcare clearinghouse, or healthcare provider), you are a Business Associate and are directly required to comply with HIPAA’s Security Rule and subject to its Privacy Rule. The same applies one level down: a subcontractor that handles PHI on behalf of a Business Associate is itself a Business Associate and must sign a BAA with that Business Associate. If you are unsure whether you handle PHI in a way that triggers Business Associate status, a 30-minute consultation with a senior advisor will give you a definitive answer.
A Business Associate Agreement (BAA) is a legally required contract between a HIPAA covered entity and any vendor that handles PHI on their behalf. The BAA specifies your permitted uses of PHI, your security obligations, your breach notification requirements, and your subcontractor management obligations. Every healthcare enterprise customer will require you to sign a BAA before they share any PHI with you. An unsigned BAA — or a BAA that does not accurately reflect your obligations — exposes both parties to regulatory risk.
No. Unlike SOC 2 or ISO 27001, there is no HIPAA certificate issued by an external auditor. HIPAA compliance is demonstrated through a documented programme — a completed Risk Analysis, implemented safeguards, privacy policies, and BAA documentation. Healthcare enterprise buyers verify your compliance through vendor security questionnaires and due diligence reviews. We build the documentation programme that satisfies these reviews.
SOC 2 and HIPAA are complementary but not substitutable. SOC 2 provides independent third-party assurance of your security controls. HIPAA compliance demonstrates that you have specifically addressed the requirements of US federal health privacy law. Healthcare enterprise buyers — particularly hospital systems and health plans — require both. A combined SOC 2 + HIPAA programme is the most efficient path to satisfying both requirements.
HIPAA is a US federal law with specific compliance requirements. HITRUST is a certifiable framework that incorporates HIPAA, NIST, ISO 27001, and other standards into a single comprehensive control set. HITRUST certification is increasingly required by large hospital systems and national health plans as a more rigorous and independently verified alternative to self-declared HIPAA compliance. Most HealthTech companies begin with HIPAA compliance and layer HITRUST certification on top as their customer requirements mature.
Book a free 30-minute consultation. A senior advisor will review your PHI data flows and tell you exactly what HIPAA compliance requires for your specific platform — and how long it will take to get there.
For HealthTech companies targeting large hospital systems and national health plans, HITRUST certification is the next layer of compliance after HIPAA. We build HIPAA and HITRUST together using a unified programme.
Most healthcare enterprise buyers require SOC 2 in addition to HIPAA. Our Healthcare industry page covers the full compliance stack — SOC 2, HIPAA, and HITRUST — on a single coordinated timeline.
If you are building toward a combined SOC 2 and HIPAA programme, a gap assessment covering both frameworks simultaneously is the right starting point. We map your gaps against both and produce a single prioritised roadmap.