We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Knowledge Center / HIPAA
US Dept. of Health & Human Services · United States

HIPAA

US law protecting the privacy and security of protected health information (PHI).

Introduction: The HIPAA Deep-Dive Guide

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the foundational United States federal law governing the confidentiality, integrity and availability of protected health information (PHI). Although enacted in 1996 to improve the portability of health coverage and to combat fraud, HIPAA has evolved through subsequent rulemaking - most notably the Privacy Rule, the Security Rule, the Breach Notification Rule and the HITECH Act of 2009 - into the definitive privacy-and-security regime for the American healthcare ecosystem. For any organisation that creates, receives, maintains or transmits health information on behalf of a US covered entity, HIPAA compliance is not optional; it is a statutory obligation enforced by the Office for Civil Rights (OCR) within the US Department of Health and Human Services (HHS).

This guide is written for compliance officers, security architects, privacy leads, internal auditors and executive sponsors who need an auditor-grade, control-by-control view of what HIPAA actually requires and how to demonstrate conformance under audit. It maps every implementation specification of the Security Rule, the core provisions of the Privacy and Breach Notification Rules, and the Business Associate obligations, and translates them into concrete verification steps and evidence artefacts. Throughout, we distinguish between required implementation specifications (which must be implemented as written) and addressable specifications (which permit a reasoned, documented risk-based alternative) - a distinction that is frequently misunderstood and a common source of enforcement findings.

A note on source material and copyright
HIPAA and its implementing regulations (codified at 45 CFR Parts 160, 162 and 164) are US federal law and are in the public domain; the regulatory text itself may be freely quoted. However, this guide is CyberSigma original analysis and interpretation. It paraphrases and organises the regulatory requirements for practitioner use and must not be treated as legal advice. Where an organisation requires a formal legal position, it should consult qualified US healthcare counsel. Third-party frameworks referenced for mapping (such as ISO 27001, NIST SP 800-53 and the HITRUST CSF) are the intellectual property of their respective owners and are used here for cross-reference only.

What is HIPAA?

HIPAA is an omnibus of statutory titles, but for privacy and security practitioners the relevant body of law is the Administrative Simplification provisions of Title II, together with the regulations HHS issued to implement them. The Administrative Simplification rules were designed to standardise electronic healthcare transactions while simultaneously protecting the individuals whose health information flows through those transactions. Over time, five interlocking rules have come to define the operative HIPAA compliance obligation.

  • The Privacy Rule (45 CFR Part 164, Subparts A and E) - establishes national standards for the protection of individually identifiable health information in any form or medium, defines permitted uses and disclosures, and grants individuals rights over their own information.
  • The Security Rule (45 CFR Part 164, Subparts A and C) - sets standards for safeguarding electronic protected health information (ePHI) through administrative, physical and technical safeguards, plus organisational and documentation requirements.
  • The Breach Notification Rule (45 CFR Part 164, Subpart D) - requires covered entities and business associates to notify affected individuals, HHS and, in some cases, the media following a breach of unsecured PHI.
  • The Enforcement Rule (45 CFR Part 160, Subparts C, D and E) - governs OCR investigations, compliance reviews, civil money penalties and the four-tier culpability penalty structure.
  • The Transactions and Code Sets and Identifier Rules (45 CFR Part 162) - standardise electronic administrative transactions and mandate unique identifiers such as the National Provider Identifier (NPI).

The HITECH Act (Health Information Technology for Economic and Clinical Health Act, 2009) substantially strengthened HIPAA by making business associates directly liable for Security Rule compliance, introducing the mandatory Breach Notification Rule, increasing penalty ceilings, and enabling state attorneys general to bring enforcement actions. The 2013 Omnibus Rule wove HITECH into the regulations and is the version practitioners audit against today. Terminology is precise: PHI is individually identifiable health information; ePHI is PHI in electronic form; a covered entity is a health plan, healthcare clearinghouse or covered healthcare provider; and a business associate is any person or entity that performs functions involving PHI on behalf of a covered entity.

Who Must Comply with HIPAA?

HIPAA applies directly to covered entities and, since HITECH, directly to business associates and their subcontractors. Understanding which category an organisation falls into is the first and most consequential scoping decision, because it dictates which rules apply and what contractual instruments are required.

CategoryDefinitionHIPAA obligation
Health planAn individual or group plan that provides or pays the cost of medical care - insurers, HMOs, employer group health plans, Medicare, Medicaid.Full covered-entity obligations under Privacy, Security and Breach Notification Rules.
Healthcare clearinghouseAn entity that processes health information between standard and non-standard formats (billing services, repricing companies, value-added networks).Full covered-entity obligations; typically acts as business associate to providers/plans.
Covered healthcare providerA provider (hospital, clinic, physician, pharmacy, dentist, lab) that transmits health information electronically in connection with a standard transaction.Full covered-entity obligations under all applicable rules.
Business associateA person/entity creating, receiving, maintaining or transmitting PHI to perform a function on behalf of a covered entity (cloud hosts, IT vendors, billing firms, analytics providers).Direct liability for the Security Rule, Breach Notification Rule and specified Privacy Rule provisions; must sign a BAA.
SubcontractorA downstream entity that a business associate delegates PHI-handling functions to.Treated as a business associate; requires a BAA with the upstream business associate.
Hybrid entityA single legal entity with both covered and non-covered functions that has formally designated its healthcare components.HIPAA applies only to the designated healthcare components, subject to firewalls.

Certain organisations are explicitly out of scope: employers acting purely as employers (employment records are not PHI), life insurers, workers' compensation carriers, and many consumer health apps that do not act on behalf of a covered entity. However, the Federal Trade Commission's Health Breach Notification Rule may still apply to such apps, so out-of-scope status for HIPAA does not equal no obligation.

Structure of HIPAA

The operational heart of a HIPAA security assessment is the Security Rule, which is organised into standards and, beneath each standard, one or more implementation specifications that are marked either Required (R) or Addressable (A). The Privacy Rule and Breach Notification Rule add further obligations that any complete assessment must cover. The table below summarises the safeguard families and their principal standards, using the 45 CFR 164 citations that auditors reference directly.

Safeguard familyCFR citationPrincipal standardsNature
Administrative Safeguards164.308Security management process; assigned security responsibility; workforce security; information access management; security awareness and training; security incident procedures; contingency plan; evaluation; business associate contracts.Mix of Required and Addressable specifications; largest family.
Physical Safeguards164.310Facility access controls; workstation use; workstation security; device and media controls.Mix of Required and Addressable specifications.
Technical Safeguards164.312Access control; audit controls; integrity; person or entity authentication; transmission security.Mix of Required and Addressable specifications.
Organisational Requirements164.314Business associate contracts and other arrangements; requirements for group health plans.Required.
Policies, Procedures and Documentation164.316Policies and procedures; documentation (time limit, availability, updates).Required.
Privacy Rule164.500-534Uses and disclosures; minimum necessary; individual rights; notice of privacy practices; administrative requirements.Required (with addressable operational latitude).
Breach Notification Rule164.400-414Breach definition and risk assessment; notification to individuals, HHS and media; business associate notification.Required.

Master Assessment Checklist

This is the core of the guide. Every Security Rule standard and implementation specification is enumerated below, grouped by safeguard family, followed by the key Privacy and Breach Notification obligations. For each area we state what an auditor must verify and the typical evidence that demonstrates conformance. The (R) and (A) markers indicate Required and Addressable specifications; addressable does not mean optional - it means the entity must implement the specification, adopt an equivalent alternative measure, or document why the specification is not reasonable and appropriate.

Administrative Safeguards - Security Management Process (164.308(a)(1))

What to verifyTypical evidence
Risk Analysis (R): a thorough, accurate, enterprise-wide assessment of risks to the confidentiality, integrity and availability of all ePHI has been conducted and covers all systems, media and locations.Risk analysis report, ePHI data-flow inventory, asset register, methodology (e.g., NIST SP 800-30), scope statement, dated sign-off.
Risk Management (R): security measures sufficient to reduce risks to a reasonable and appropriate level are implemented and tracked.Risk treatment plan, remediation tracker, residual-risk acceptance records, prioritised action list.
Sanction Policy (R): a policy exists to apply sanctions against workforce members who fail to comply with security policies.Written sanction policy, disciplinary matrix, records of sanctions applied, acknowledgement of receipt.
Information System Activity Review (R): procedures to regularly review records of information system activity such as audit logs, access reports and incident reports.Log-review procedure, review schedule, sample review sign-offs, SIEM alert triage records.

Administrative Safeguards - Assigned Security Responsibility (164.308(a)(2))

What to verifyTypical evidence
A single Security Official (R) has been formally designated as responsible for developing and implementing the required policies and procedures.Appointment letter/board resolution, job description, organisation chart, RACI matrix showing the Security Official.

Administrative Safeguards - Workforce Security (164.308(a)(3))

What to verifyTypical evidence
Authorisation and/or Supervision (A): procedures ensure workforce members who access ePHI are appropriately authorised or supervised.Access-authorisation procedure, role-to-access mapping, supervisor sign-offs.
Workforce Clearance Procedure (A): a process determines that a workforce member's access to ePHI is appropriate.Background-check policy, clearance records, screening evidence proportionate to role.
Termination Procedures (A): access to ePHI is revoked promptly when employment ends or roles change.Joiner-mover-leaver checklist, deprovisioning tickets, timestamps evidencing timely revocation, badge/return logs.

Administrative Safeguards - Information Access Management (164.308(a)(4))

What to verifyTypical evidence
Isolating Healthcare Clearinghouse Functions (R, where applicable): clearinghouse functions within a larger organisation are protected from unauthorised access by the rest of the organisation.Network segmentation diagrams, firewall rules, logical isolation policy.
Access Authorisation (A): policies grant access to ePHI through workstations, transactions, programs or processes.Access-request workflow, approval records, role-based access model documentation.
Access Establishment and Modification (A): access rights are established, documented, reviewed and modified consistently with the access policy.Access-review reports (periodic recertification), change tickets, entitlement matrices.

Administrative Safeguards - Security Awareness and Training (164.308(a)(5))

What to verifyTypical evidence
Security Reminders (A): periodic security updates are issued to the workforce.Newsletters, intranet bulletins, phishing-simulation reminders, communication logs.
Protection from Malicious Software (A): procedures guard against, detect and report malicious software.Anti-malware/EDR configuration, deployment coverage report, definition-update logs.
Log-in Monitoring (A): procedures monitor log-in attempts and report discrepancies.Failed-logon alerting configuration, account-lockout policy, SIEM alerts.
Password Management (A): procedures create, change and safeguard passwords.Password policy, MFA enforcement, credential-vault evidence, complexity configuration.
Training programme completeness (R standard): all workforce members, including management, receive security awareness training.Training curriculum, completion records with dates, new-hire onboarding evidence, refresher schedule.

Administrative Safeguards - Security Incident Procedures (164.308(a)(6))

What to verifyTypical evidence
Response and Reporting (R): procedures identify and respond to suspected or known security incidents, mitigate harmful effects and document incidents and outcomes.Incident response plan, incident register, post-incident reports, evidence of mitigation and lessons learned, tabletop exercise records.

Administrative Safeguards - Contingency Plan (164.308(a)(7))

What to verifyTypical evidence
Data Backup Plan (R): retrievable exact copies of ePHI can be created and recovered.Backup policy, backup job logs, restoration test results, backup encryption evidence.
Disaster Recovery Plan (R): procedures restore any lost data.DR plan document, RTO/RPO definitions, DR test reports.
Emergency Mode Operation Plan (R): critical business processes protecting ePHI security continue during emergencies.Emergency operating procedures, continuity playbooks, failover runbooks.
Testing and Revision Procedures (A): contingency plans are periodically tested and revised.Test schedule, exercise after-action reports, plan version history.
Applications and Data Criticality Analysis (A): the relative criticality of specific applications and data is assessed to support contingency planning.Business impact analysis, application criticality ranking, dependency mapping.

Administrative Safeguards - Evaluation and BA Contracts (164.308(a)(8) and (b)(1))

What to verifyTypical evidence
Evaluation (R): periodic technical and non-technical evaluations establish the extent to which safeguards meet the Security Rule, especially after material environmental or operational change.Periodic security assessment reports, penetration test results, evaluation cadence policy, post-change review records.
Business Associate Contracts (R): satisfactory assurances are obtained, documented in a BAA, that a business associate will appropriately safeguard ePHI.Executed BAAs, BA inventory, due-diligence questionnaires, BA risk-tier register.

Physical Safeguards - Facility Access Controls (164.310(a)(1))

What to verifyTypical evidence
Contingency Operations (A): facility access is available to support restoration of lost data under the disaster recovery and emergency mode plans.Emergency access procedures, DR-site access provisions.
Facility Security Plan (A): the facility and equipment are safeguarded from unauthorised physical access, tampering and theft.Physical security policy, floor plans with controlled zones, CCTV coverage records.
Access Control and Validation Procedures (A): access is controlled and validated based on role or function, including visitor control.Badge-access logs, visitor registers, escort policy, access-control matrix.
Maintenance Records (A): repairs and modifications to physical security components are documented.Maintenance logs for locks, doors, walls, hardware; work-order records.

Physical Safeguards - Workstation and Device Controls (164.310(b)-(d))

What to verifyTypical evidence
Workstation Use (R): policies specify the proper functions, manner and physical environment of workstations that access ePHI.Acceptable-use policy, workstation configuration standard, clear-desk/clear-screen policy.
Workstation Security (R): physical safeguards restrict access to workstations that access ePHI.Privacy screens, cable locks, positioning standards, restricted-area evidence.
Device and Media Controls - Disposal (R): ePHI and hardware/media are disposed of securely.Media sanitisation/destruction policy, certificates of destruction, degaussing/wipe logs.
Device and Media Controls - Media Re-use (R): ePHI is removed before media are re-used.Wipe procedures, sanitisation records, verification logs.
Accountability (A): movement of hardware and media and the person responsible is recorded.Asset movement register, chain-of-custody records, asset tags.
Data Backup and Storage (A): a retrievable exact copy of ePHI is made before equipment is moved.Pre-move backup evidence, storage inventory.

Technical Safeguards - Access Control (164.312(a)(1))

What to verifyTypical evidence
Unique User Identification (R): each user is assigned a unique name/number for tracking identity.IAM user inventory showing no shared accounts, provisioning records, unique-ID naming standard.
Emergency Access Procedure (R): procedures obtain necessary ePHI during an emergency.Break-glass procedure, emergency-access account inventory, activation and review logs.
Automatic Logoff (A): electronic sessions terminate after a predetermined period of inactivity.Session-timeout configuration, screensaver lock policy, endpoint policy evidence.
Encryption and Decryption (A): a mechanism encrypts and decrypts ePHI at rest.Disk/database/field encryption configuration, key-management records, algorithm/standard (e.g., AES-256).

Technical Safeguards - Audit, Integrity and Authentication (164.312(b)-(d))

What to verifyTypical evidence
Audit Controls (R): hardware, software and procedural mechanisms record and examine activity in systems containing ePHI.Logging configuration, log retention policy, SIEM ingestion evidence, audit-log samples with user/timestamp/action.
Integrity (R standard) with Mechanism to Authenticate ePHI (A): ePHI is protected from improper alteration or destruction and mechanisms corroborate that it has not been altered.File-integrity monitoring, checksums/hashing, database integrity constraints, change-detection alerts.
Person or Entity Authentication (R): the identity of a person or entity seeking access to ePHI is verified.Authentication policy, MFA enforcement records, SSO configuration, credential-strength evidence.

Technical Safeguards - Transmission Security (164.312(e)(1))

What to verifyTypical evidence
Integrity Controls (A): measures ensure ePHI is not improperly modified in transit.TLS configuration, message-authentication/HMAC evidence, VPN configuration.
Encryption (A): ePHI is encrypted whenever deemed appropriate during transmission over open networks.TLS 1.2+/certificate inventory, secure email/gateway configuration, cipher-suite hardening evidence.

Organisational Requirements (164.314)

What to verifyTypical evidence
Business Associate Contracts (R): BAAs meet the required content - permitted uses, safeguards, breach reporting, subcontractor flow-down and termination provisions.Executed BAA templates, clause-mapping checklist, subcontractor BAAs.
Requirements for Group Health Plans (R): plan documents incorporate required ePHI protections and firewalls between the plan and plan sponsor.Amended plan documents, sponsor certification, firewall attestations.

Policies, Procedures and Documentation (164.316)

What to verifyTypical evidence
Policies and Procedures (R): reasonable and appropriate policies and procedures implement the Security Rule standards.Approved policy set covering all safeguard families, version control, ownership register.
Documentation - Time Limit (R): documentation is retained for six years from creation or last effective date.Retention schedule, document repository with dates, archival evidence.
Documentation - Availability (R): documentation is available to those responsible for implementing the procedures.Access-controlled policy portal, distribution records.
Documentation - Updates (R): documentation is reviewed periodically and updated in response to environmental or operational changes.Review log, change history, scheduled review cadence.

Privacy Rule Core Obligations (164.500-534)

What to verifyTypical evidence
Uses and Disclosures / Minimum Necessary (164.502, 164.514): PHI is used and disclosed only as permitted, limited to the minimum necessary.Use-and-disclosure policy, minimum-necessary determinations, role-based access aligned to need, disclosure log.
Notice of Privacy Practices (164.520): a compliant NPP is provided and acknowledged.Current NPP, distribution/acknowledgement records, website posting.
Individual Rights (164.522-528): rights to access, amend, obtain an accounting of disclosures, request restrictions and confidential communications are honoured within statutory timelines.Access-request log with fulfilment dates, amendment records, accounting-of-disclosures reports, restriction request handling.
Administrative Requirements (164.530): a Privacy Official is designated, workforce is trained, complaints are handled, and safeguards are in place.Privacy Official appointment, privacy training records, complaint register, safeguard evidence.
Authorisations (164.508): valid written authorisations exist for uses/disclosures not otherwise permitted (e.g., marketing, psychotherapy notes, sale of PHI).Authorisation forms, tracking log, revocation handling.

Breach Notification Rule (164.400-414)

What to verifyTypical evidence
Breach Risk Assessment (164.402): a four-factor assessment determines whether an impermissible use/disclosure is a reportable breach of unsecured PHI.Breach risk-assessment template and completed assessments covering the four factors, low-probability determinations.
Individual Notification (164.404): affected individuals are notified without unreasonable delay and no later than 60 days.Notification letters, mailing/return records, timeline evidence.
HHS and Media Notification (164.408, 164.406): HHS is notified (and media for breaches affecting 500+ residents of a state/jurisdiction) within required timelines.HHS breach-portal submissions, media notice evidence, annual small-breach log.
Business Associate Notification (164.410): business associates notify covered entities of breaches without unreasonable delay.BA breach-notification records, contractual reporting evidence.

Scoping the HIPAA Assessment

Accurate scoping is the single most important determinant of an efficient and defensible HIPAA assessment. Over-scoping wastes effort on systems that never touch PHI; under-scoping leaves ePHI unprotected and creates enforcement exposure. Scoping begins by tracing every flow of PHI - electronic and non-electronic - from creation to destruction.

  • Identify all PHI and ePHI: patient records, claims, eligibility data, imaging, lab results, billing, appointment and any 18 HIPAA identifiers linked to health information.
  • Map data flows end to end: intake, EHR/EMR, clearinghouse transactions, cloud storage, backups, email, faxes, portals, mobile devices and third-party integrations.
  • Inventory systems and assets that create, receive, maintain or transmit ePHI, including on-premises servers, SaaS, IaaS, endpoints, medical devices and removable media.
  • Enumerate business associates and subcontractors and confirm each has an executed BAA; scope must follow the data downstream.
  • Define the covered-entity or business-associate role, and for hybrid entities designate the healthcare components and establish firewalls.
  • Determine which rules apply: business associates are directly bound by the Security Rule, Breach Notification Rule and specified Privacy provisions but not the full Privacy Rule.
  • Document explicit in-scope and out-of-scope boundaries with justification, and note any segmentation used to reduce scope.
Scoping pitfall
There is no HIPAA equivalent of PCI DSS network segmentation that removes systems from scope by isolation alone. If a system can access ePHI, it is in scope. Segmentation reduces risk and audit effort but does not eliminate the obligation to safeguard connected systems. Document the reasoning behind every scope exclusion.

Implementation Approach

A pragmatic HIPAA programme is delivered in phases. Each phase produces defined deliverables that become the evidence base for the eventual assessment. The approach below assumes an organisation moving from an ad hoc state to a defensible, audit-ready posture.

Phase 1 - Discovery and Gap Analysis

  • Activities: confirm covered-entity/business-associate role; inventory ePHI and data flows; conduct an initial gap analysis against every Security Rule specification and the Privacy/Breach rules; establish governance and appoint the Security and Privacy Officials.
  • Deliverables: ePHI data-flow inventory, asset register, role determination memo, gap-analysis report with Required/Addressable disposition, governance charter.

Phase 2 - Risk Analysis and Risk Management

  • Activities: perform a formal enterprise-wide risk analysis (NIST SP 800-30 methodology recommended); rate likelihood and impact; build a prioritised risk-treatment plan; document addressable-specification decisions with rationale.
  • Deliverables: risk analysis report, risk register, risk-treatment/remediation plan, addressable-specification decision log.

Phase 3 - Policy and Control Implementation

  • Activities: author or update the full policy and procedure set across administrative, physical and technical safeguards; deploy technical controls (MFA, encryption, logging, EDR, backups); execute BAAs; stand up incident response and contingency plans.
  • Deliverables: approved policy suite, control-implementation evidence, executed BAA portfolio, IR and contingency plans, training curriculum.

Phase 4 - Training, Testing and Validation

  • Activities: roll out workforce security-awareness and privacy training; conduct phishing simulations; test backups, DR and incident response through tabletop and technical exercises; perform internal control testing and a penetration test.
  • Deliverables: training completion records, exercise after-action reports, penetration-test report, internal validation findings.

Phase 5 - Assessment, Attestation and Continuous Monitoring

  • Activities: conduct the formal HIPAA Security Rule assessment; remediate residual findings; establish ongoing monitoring, periodic evaluations and annual risk-analysis refresh; institute BA re-assessment cadence.
  • Deliverables: assessment report, remediation tracker, continuous-monitoring plan, evaluation schedule, management attestation.

Maturity and Capability Model

HIPAA itself does not mandate a maturity model, but auditors and boards benefit from measuring capability on a consistent scale. The model below adapts a five-level capability maturity approach to HIPAA safeguard implementation, enabling programme benchmarking and roadmap prioritisation.

LevelNameDescriptionTypical indicators
1Initial / Ad hocSafeguards are inconsistent and undocumented; compliance is reactive.No risk analysis, informal policies, no BAAs, unassigned responsibility.
2DevelopingBasic policies exist and a Security Official is assigned but coverage is partial.Draft policies, some BAAs, initial risk analysis, limited training.
3DefinedPolicies and controls cover all safeguard families and are consistently applied.Complete policy suite, enterprise risk analysis, BAAs executed, training tracked.
4ManagedControls are measured, monitored and evidenced with metrics and periodic testing.KPIs tracked, log review operational, tested DR/IR, recurring evaluations.
5OptimisedContinuous improvement, automation and proactive risk reduction are embedded.Automated monitoring, continuous control validation, mature BA governance, threat-informed updates.

Assessment and Audit Approach

A structured assessment produces defensible conclusions that would withstand OCR scrutiny. The following sequence reflects auditor best practice for a HIPAA Security and Privacy assessment.

  1. Confirm scope, role (covered entity/business associate) and the ePHI data-flow inventory with the client.
  2. Review the existing risk analysis and risk management documentation for completeness and currency.
  3. Assess each Administrative, Physical and Technical safeguard specification against the What-to-verify criteria, recording Required/Addressable disposition.
  4. Evaluate Privacy Rule and Breach Notification Rule obligations, individual-rights fulfilment and BAA coverage.
  5. Perform technical validation: configuration review, access-control testing, encryption verification, log-review sampling and vulnerability/penetration testing.
  6. Interview the Security Official, Privacy Official, IT, HR and business-associate managers to corroborate documentary evidence.
  7. Collect and index evidence, cross-referencing each specification to its supporting artefact.
  8. Rate findings by risk, distinguishing gaps in Required specifications from unsupported addressable decisions.
  9. Produce a findings report with a prioritised remediation plan and management attestation.
  10. Define a re-assessment and continuous-monitoring cadence, including annual risk-analysis refresh.

Evidence Request List

The following categorised list represents the documentary and technical evidence typically requested at the outset of a HIPAA assessment.

  • Governance: Security Official and Privacy Official appointments, organisation chart, RACI matrix, board oversight records.
  • Risk management: risk analysis report, risk register, risk-treatment plan, addressable-specification decision log.
  • Policies and procedures: full policy suite across all safeguard families, version history, retention schedule.
  • Access and identity: IAM user inventory, access-review/recertification reports, MFA configuration, joiner-mover-leaver records.
  • Technical controls: encryption-at-rest and in-transit configuration, key-management records, logging/SIEM configuration, EDR/anti-malware coverage.
  • Physical security: facility access logs, visitor registers, CCTV records, media disposal certificates, asset movement register.
  • Contingency: backup logs, restoration test results, DR plan and test reports, business impact analysis.
  • Incident and breach: incident response plan, incident register, breach risk assessments, notification records, HHS portal submissions.
  • Business associates: BA inventory, executed BAAs, due-diligence questionnaires, subcontractor BAAs.
  • Training: curriculum, completion records, phishing-simulation results, security reminders.
  • Privacy: Notice of Privacy Practices, authorisations, minimum-necessary determinations, individual-rights request logs, complaint register.
  • Evaluations: prior assessment reports, penetration-test results, evaluation cadence evidence.

Roles and Responsibilities

RoleKey HIPAA responsibilities
Executive leadership / BoardProvide oversight and resources; accept residual risk; sponsor the compliance programme.
Security Official (164.308(a)(2))Own the Security Rule programme: risk analysis, safeguards, incident response, evaluations.
Privacy Official (164.530)Own the Privacy Rule programme: uses/disclosures, NPP, individual rights, complaints, privacy training.
IT / Security operationsImplement and operate technical safeguards: access control, encryption, logging, backups, monitoring.
Human resourcesWorkforce clearance, sanctions, termination/deprovisioning, training tracking.
Legal / ComplianceNegotiate and maintain BAAs, interpret regulatory obligations, manage breach notifications and OCR liaison.
Business associate managersConduct BA due diligence, manage BAAs, monitor BA performance and breach reporting.
Workforce membersComplete training, follow policies, safeguard PHI, report incidents promptly.
Internal auditIndependently test controls and evidence, report to leadership, track remediation.

KPIs to Track

  • Percentage of workforce completing security and privacy training on schedule.
  • Time to complete the annual (or triggered) enterprise risk analysis.
  • Number of open Required-specification gaps versus remediation SLA.
  • Percentage of business associates with a current executed BAA.
  • Mean time to detect and mean time to respond to security incidents.
  • Access-recertification completion rate and number of orphaned/stale accounts.
  • Backup restoration test success rate and DR test pass rate.
  • Percentage of ePHI encrypted at rest and in transit.
  • Breach risk assessments completed within timeline and notification timeliness (within 60 days).
  • Phishing-simulation failure rate trend.
  • Number of individual-rights requests fulfilled within statutory timelines.
  • Audit-log review coverage and unreviewed-alert backlog.

Readiness Checklist

  • Security Official and Privacy Official formally appointed and documented.
  • Complete ePHI data-flow inventory and asset register maintained.
  • Enterprise-wide risk analysis completed and current, with a documented risk-management plan.
  • Full policy and procedure suite approved across administrative, physical and technical safeguards.
  • All addressable specifications implemented, substituted or documented with rationale.
  • Unique user IDs, MFA and role-based access control enforced for all ePHI systems.
  • ePHI encrypted at rest and in transit using strong, current algorithms.
  • Audit logging enabled, retained and regularly reviewed.
  • Backups performed, encrypted and restoration-tested; DR and emergency plans tested.
  • Incident response plan established, tested and exercised.
  • All business associates identified with executed BAAs; subcontractor BAAs in place.
  • Breach risk-assessment process and notification procedures documented and rehearsed.
  • Workforce security and privacy training delivered and tracked.
  • Notice of Privacy Practices current, posted and acknowledged.
  • Individual-rights request handling operational within statutory timelines.
  • Documentation retained for six years and reviewed periodically.

Common Gaps

  • Absent or superficial risk analysis - the single most cited OCR enforcement finding; a checklist is not a risk analysis.
  • Treating addressable specifications as optional and failing to document the decision or alternative.
  • Missing or generic BAAs, and no tracking of subcontractor flow-down obligations.
  • Incomplete ePHI inventory - forgotten backups, portals, email, faxes, medical devices and shadow IT.
  • No or ineffective audit-log review; logs collected but never examined.
  • Lack of encryption for ePHI at rest and on portable devices, a frequent cause of large breaches.
  • Delayed or incomplete termination/deprovisioning leaving active accounts for departed staff.
  • Untested backups, disaster recovery and incident response plans.
  • Stale documentation not updated after material system or organisational change.
  • Weak breach risk-assessment discipline leading to under-reporting or missed 60-day deadlines.
  • Minimum-necessary principle not enforced through role-based access.
  • Confusing HIPAA obligations with vendor certifications - a cloud provider being HIPAA-eligible does not make the customer compliant.

HIPAA Mapped to Other Frameworks

Organisations frequently maintain multiple frameworks. The mapping below shows how HIPAA Security Rule safeguard families broadly correspond to controls in widely used standards. These are indicative alignments to support control rationalisation, not one-to-one equivalences.

HIPAA areaISO/IEC 27001:2022NIST SP 800-53 Rev 5NIST CSF 2.0HITRUST CSF
Security management / risk analysis (164.308(a)(1))Clause 6, A.5.1, A.5.9RA-1, RA-3, PM-9GOVERN, IDENTIFYControl 03 - Risk Management
Assigned responsibility (164.308(a)(2))A.5.2, A.5.3PM-2, PL-9GOVERNControl 00 - Information Security Programme
Workforce security and training (164.308(a)(3),(5))A.6.1-6.3, A.6.8PS-2 to PS-8, AT-2, AT-3PROTECT (PR.AT)Control 01/02 - Access, Human Resources
Access control and authentication (164.312(a),(d))A.5.15-5.18, A.8.2-8.5AC-2 to AC-6, IA-2, IA-4PROTECT (PR.AA)Control 01 - Access Control
Audit controls (164.312(b))A.8.15, A.8.16AU-2, AU-6, AU-12DETECT (DE.AE)Control 09 - Audit Logging and Monitoring
Transmission and encryption (164.312(e))A.8.24, A.5.14SC-8, SC-12, SC-13PROTECT (PR.DS)Control 06 - Cryptography
Contingency and backup (164.308(a)(7))A.5.29, A.8.13, A.8.14CP-2, CP-9, CP-10RECOVERControl 12 - Business Continuity and DR
Incident and breach (164.308(a)(6), 164.400s)A.5.24-5.28IR-4, IR-6, IR-8RESPONDControl 11 - Incident Management
Physical safeguards (164.310)A.7.1-7.14PE-2, PE-3, PE-6, MP-6PROTECT (PR.IR)Control 08 - Physical and Environmental
Business associate contracts (164.308(b), 164.314)A.5.19-5.22SA-9, SR-3GOVERN (GV.SC)Control 05 - Third-Party Assurance

How CyberSigma Helps

Partner with CyberSigma for HIPAA readiness and assurance
CyberSigma brings CERT-In empanelled and PCI QSA-grade rigour to HIPAA engagements. Our specialists conduct the enterprise-wide risk analysis that OCR expects, perform control-by-control gap assessments across every Security, Privacy and Breach Notification requirement, and translate findings into a prioritised, board-ready remediation roadmap. We help you build a defensible policy suite, implement technical safeguards such as encryption, MFA and audit logging, execute and govern business associate agreements, and stand up tested incident response and contingency plans. From first gap analysis to continuous monitoring and annual re-assessment, CyberSigma delivers audit-ready evidence and demonstrable, sustained HIPAA compliance. Contact us to scope your HIPAA assessment.
Free 1-minute check
DPDP Readiness Checker
Check your readiness for India’s DPDP Act and see your priority gaps — free.
Try it free →

Frequently asked questions

Does HIPAA apply to Indian companies?
Yes — if an Indian IT/BPO/SaaS company processes PHI on behalf of a US covered entity, it is a business associate and must comply, backed by a Business Associate Agreement.
Is there a HIPAA certification?
HIPAA has no official government certification. Organisations demonstrate compliance via risk analysis, safeguards and independent assessments; HITRUST is often used as a certifiable proxy.

Need help with HIPAA?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.