Build trust with a HIPAA attestation

Demonstrate your secure and reliable handling of ePHI to build trust with large enterprise healthcare organisations.


Is this the year you grow with SOC 2?

There’s no better standard to baseline your information security and earn trust with a broad customer base.

AssuranceLab is a registered CPA and CA firm ready to help you earn trust with SOC 2 in the US and globally.

We provide end-to-end readiness and audit services, with a cloud-native and agile approach that enables you to work at your own pace.


You’re in great company. We work with hundreds of fast-growing software companies across 13 countries, ranging in size from 2 to 26,000 employees.


We work with more than 500 fast-growing companies across 20+ countries, ranging in size from 2 to 26,000+ employees.


Is this the year you grow with HIPAA?

HIPAA (Health Insurance Portability and Accountability Act) attestations demonstrate your secure and reliable handling of electronic protected health information (ePHI).

As a registered CPA and CA firm, we provide complete audit services with a cloud-native and agile approach, helping you earn trust with HIPAA in the United States and globally.

Ready to get started with HIPAA?



Four steps to HIPAA

HIPAA Readiness Assessment

Integrating with many compliance platforms, we provide a tailored view of your controls and any gaps to help you prepare for your audit.

Remediation Support

We guide you as you address potential gaps and implement fit-for-purpose processes that align with your culture and HIPAA requirements. Our flexible and responsive team helps you work through it at your own pace.

HIPAA Type 1 Audit

We conduct the Type 1 audit at your pace to help you minimise disruption and learn through the process. Our iterative reviews and feedback help you stay on track and achieve real operational benefits for your company.

HIPAA Type 2 Audit

We conduct the Type 2 audits either at your own pace within a defined timeline or incrementally throughout the year to minimise disruption and increase confidence in your compliance.

Ready to get started on your compliance journey?


Clear reasons to act


International credibility

A globally recognised attestation report to build trust with healthcare organisations at scale


Customer comfort and trust

A detailed report addressing crucial customer due diligence questions


Minimal business disruption

Agile and flexible audits that help minimise disruption while meeting client deadlines


Choice of goalposts

Optional control objectives to satisfy various technology and financial objectives


Multi-standard compliance

A strong starting point in meeting multiple related frameworks, standards and certifications


Recognition of partial progress

The ability to achieve a HIPAA report with known process improvements


Your questions answered

What is HIPAA attestation?

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law establishing privacy, security and breach notification standards for protected health information (PHI). A HIPAA attestation demonstrates your secure and reliable handling of electronic protected health information (ePHI).

Do I need a HIPAA attestation?

Regulations like HIPAA are mandatory obligations that apply if your data processing activities meet the criteria of the regulation. The regulation sets out the detailed compliance requirements. If you operate in accordance with those requirements, you are compliant, regardless of whether you issue an attestation report.

An attestation report provides third parties with evidence of your compliance activities, backed by an independent audit that earns and maintains trust in your compliance. That’s especially important when your customers rely on your compliance for their own, e.g. if they are using your software or services with the sensitive data of their customers.

Do I need to comply with HIPAA?

HIPAA is a mandatory regulation that applies to healthcare providers, health plans, healthcare clearinghouses and business associates, e.g. technology companies, that transmit electronic protected health information (ePHI).

It is a federal law in the United States of America, but it is also viewed globally as the de facto leading standard of expectation for handling ePHI, commonly relied upon and referenced by global healthcare companies.

Type 1 and Type 2 reports: what's the difference?

A Type 1 report attests to your compliance by design. It’s a snapshot in time that can be achieved by showing you have the right systems and processes in place to satisfy the HIPAA regulatory clauses.

A Type 2 report attests to your compliance by both design and operation over a set period of time, usually between 3 and 12 months, to show your systems and processes have been operating consistently to satisfy the HIPAA regulatory clauses.

Usually, a Type 1 report is issued first to baseline compliance. That marks the start of the live and recurring Type 2 audit periods for reports issued annually.

What does HIPAA cover?

The HIPAA regulation specifies detailed clauses or criteria for what control activities are required to satisfy the requirements. These are broken down into the following areas:

  • Organisational Safeguards
  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards
  • Breach Safeguards

Can we use compliance automation platforms for HIPAA?

Yes. Unlike other standards, there are no prescribed audit days. Using automation can help auditors achieve the required level of comfort over your controls, but that relies on an audit firm that’s familiar with the specific platform you’re using. It also only works if the controls and scope of the audit are adaptable to the platform; if you have customised controls or diverge from the way the platform works, it can cause additional work. We integrate with many compliance automation platforms to ensure a streamlined approach to your audit.


Earn trust with other leading standards


Blended Audits

Combine two or more compliance frameworks into a single blended audit process without duplication to scale trust, not costs and effort.



HIPAA

The de facto global and best practice standard for proving secure handling of electronic protected health information (ePHI).


Custom Frameworks

Manage any compliance obligations from customers, regulators or your own internal risk requirements with custom frameworks.


ISO 27001

An international framework to apply a structured and best practice methodology for managing information security.



A comprehensive, best practice standard for cloud security to achieve Level Two accreditation in the security, trust and risk (STAR) register.


Consumer Data Right

Access consumer data in Australia’s economy-wide open data regime with Consumer Data Right accreditation.


ESG Reporting

A flexible and lightweight framework to report up to 500+ positive impact activities supporting environmental, social and governance (ESG) objectives.



GDPR

The global gold standard for privacy. GDPR regulates personal data collected from EU citizens and is an effective framework to satisfy enterprise customers globally.



SOC 2

Trust services criteria to satisfy a broad customer base globally for security, availability, confidentiality, privacy and processing integrity.

Get started your way

We’re ready when you are
