New

Our AI-first training platform is live – safe AI skills, tracked, certified, and audit-ready.

Back to frameworks
Healthcare (US)

HIPAA Healthcare Privacy & Security

The US healthcare privacy and security rules protecting patient health information – binding on covered entities and their business associates.

HIPAA – the Health Insurance Portability and Accountability Act – sets the US federal rules for protecting health information. Its three operative rules matter most: the Privacy Rule (how protected health information may be used and disclosed), the Security Rule (how electronic PHI must be safeguarded), and the Breach Notification Rule (what happens when protection fails). Enforcement by the HHS Office for Civil Rights (OCR) is active and public, with penalties tiered by culpability and settlements that routinely reach seven figures. If you're an Australian or global health-tech company selling into the US, HIPAA compliance isn't a legal nicety – it's the gate your sales pipeline passes through.

Who HIPAA bindsLink to this section

HIPAA applies to covered entities – health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically – and, since the HITECH Act, directly to their business associates: any vendor that creates, receives, maintains, or transmits PHI on their behalf. That second category is where most software companies live. A SaaS platform serving US hospitals, a diagnostics API, an analytics vendor – all are business associates, all must sign Business Associate Agreements (BAAs), and all carry direct liability for Security Rule and breach obligations. Your customers' compliance teams will not integrate you without this in order.

The Security Rule: flexible, but not optionalLink to this section

The Security Rule is deliberately technology-neutral. It defines administrative, physical, and technical safeguards, each with required and "addressable" implementation specifications – where addressable means "implement it or document a defensible reason and alternative", never "skip it". Everything hangs off one artefact: the risk analysis (§164.308(a)(1)). It is the first document OCR requests in almost every investigation, and "no accurate and thorough risk analysis" is the most cited failure in enforcement actions. Worth knowing: OCR has proposed the first major Security Rule overhaul in two decades, which would make today's addressable specifications – encryption, MFA, and more – explicitly mandatory. The bar is moving up, not down; building to the strong interpretation now is the cheap option.

Training isn't a best practice – it's the lawLink to this section

HIPAA is one of the few regimes that mandates workforce training twice over: the Privacy Rule requires training every workforce member on your PHI policies (§164.530(b)), and the Security Rule requires an ongoing security awareness and training programme for all users (§164.308(a)(5)) – including phishing and malware awareness, the vector behind most healthcare breaches. Both require documented proof, retained for six years. Undocumented training is, for enforcement purposes, training that never happened. This is precisely the gap our platform closes: courses delivered, completions and certificates recorded in a tamper-evident ledger, and evidence exportable the day OCR or a customer auditor asks.

When it goes wrong: the Breach Notification RuleLink to this section

An impermissible use or disclosure of unsecured PHI is presumed a breach unless a documented risk assessment shows a low probability of compromise. Confirmed breaches mean notifying affected individuals within 60 days, reporting to HHS (immediately for 500+ individuals, annually below that), and alerting the media for large breaches – which then appear on HHS's public "wall of shame". The organisations that manage this well decided their process before the incident, not during it.

How HIPAA relates to other frameworksLink to this section

HIPAA tells you what must be protected; frameworks give you the how. SOC 2 is the attestation your US healthcare customers will ask for alongside a BAA; ISO 27001 provides the management system that makes the Security Rule sustainable; and the NIST CSF is the reference OCR itself points to for implementing safeguards. Done properly, one control set feeds all of them.

How we helpLink to this section

We work with health-tech and healthcare-adjacent teams to make HIPAA a closed loop – controls, people, and proof:

  • Risk analysis done properly. The OCR-grade risk analysis and risk management plan that anchors everything else.
  • The full document set. Security and privacy policies, BAA templates and vendor inventory, contingency plans, and breach playbooks – written to be followed, not filed.
  • Mandated training, delivered and proven. Privacy and security awareness for the whole workforce, role-based depth for engineering and support, and every completion recorded in our platform's tamper-evident training ledger with verifiable certificates.
  • Breach readiness. Risk-assessment templates, notification decision trees, and tabletop exercises against realistic healthcare scenarios.
  • Customer-audit support. When a hospital's compliance team sends the security questionnaire, you answer from evidence, not memory.

The table below maps HIPAA's key requirements to how we help you meet them.

HIPAA safeguards and requirements

Security Rule – administrative safeguards

CiteRequirementHow we help
§164.308(a)(1)Security management process and risk analysisWe run the accurate, thorough risk analysis OCR asks for first in nearly every investigation – an asset-and-ePHI inventory, threat assessment, and a risk register with a managed remediation plan.
§164.308(a)(3)–(4)Workforce security and information access managementWe design role-based access aligned to minimum necessary, with joiner/mover/leaver procedures and periodic access reviews that generate their own evidence.
§164.308(a)(5)Security awareness and trainingThis one is our specialty – practitioner-led security awareness for the whole workforce (phishing, malware, passwords, ePHI handling), with completions recorded in a tamper-evident ledger for OCR or customer audits.
§164.308(a)(6)Security incident proceduresWe build incident response procedures scaled to your organisation and run tabletop exercises so the first real incident isn't the first rehearsal.
§164.308(a)(7)Contingency planWe develop data backup, disaster recovery, and emergency mode operation plans – and the testing schedule that proves they work.
§164.308(b)Business associate contractsWe inventory every vendor that touches ePHI, put compliant BAAs in place, and add proportionate due diligence so your subcontractor chain holds up.

Security Rule – physical safeguards

CiteRequirementHow we help
§164.310Facility access, workstation use, and device and media controlsWe document facility and workstation controls (built for remote-first realities, not just server rooms) plus media disposal and re-use procedures with destruction records.

Security Rule – technical safeguards

CiteRequirementHow we help
§164.312(a)–(b)Access control and audit controlsWe implement unique user identification, automatic logoff, and encryption, and define what your systems must log so activity on ePHI is traceable when it matters.
§164.312(c)–(e)Integrity, authentication, and transmission securityWe stand up integrity controls and encryption in transit across the messy real estate – APIs, SFTP, email, and the legacy interfaces healthcare never quite retires.

Privacy Rule

CiteRequirementHow we help
§164.502Uses, disclosures, and minimum necessaryWe map your permitted uses and disclosures of PHI, apply the minimum necessary standard to roles and processes, and train staff on the judgement calls the rule leaves to them.
§164.520Notice of privacy practicesWe draft a compliant, readable notice and wire its distribution and acknowledgement into your intake flows.
§164.524–.526Individual access and amendment rightsWe build the access-request workflow – 30-day clocks, format requirements, and fee limits – that OCR's right-of-access enforcement initiative keeps penalising organisations for missing.
§164.530(b)Privacy training and administrative requirementsWe deliver the workforce privacy training the rule mandates for every member of your workforce, with role-specific content, and the documented completions §164.530(j) requires you to retain.

Breach Notification Rule

CiteRequirementHow we help
§164.400–.414Breach assessment and notificationWe build your breach risk-assessment process and notification playbook – individuals within 60 days, HHS, and media where 500+ are affected – with templates ready before you need them.

Need help with compliance?

From ISO 27001 readiness to SOC 2 audits, we help teams build practical programs that satisfy assessors and work in the real world.