HIPAA Compliance three ways

HIPAA is a healthcare data protection regulation that’s mandatory to comply with and has optional attestations to satisfy enterprise customers.


The Health Information Portability and Accountability Act (HIPAA) is a common point of confusion because it can mean totally different things in practice. There are three ways you can “do HIPAA compliance”:

  1. You comply with the regulation that applies to managing healthcare data within the U.S.;
  2. You manage a formal governance program that includes assessing, monitoring and verifying your compliance with the HIPAA regulation; and/or 
  3. You complete a third-party audit to issue an attestation report or certification that verifies your compliance in a form that can be shared with customers and other stakeholders. 


These three meanings are commonly confused. You can be caught off guard by regulators if you don’t have a formal governance program and you inadvertently breach the HIPAA rules. Or, more commonly, you can be caught off guard by enterprise healthcare or other enterprise prospects that won’t do business with you if you can’t prove your compliance status. Proving that status is not always mandated, even where HIPAA applies. As with many compliance standards, proving your compliance lowers the friction in enterprise sales and security due diligence, which helps you land deals with those enterprise customers.


Who does HIPAA apply to?


HIPAA applies to any company handling health information in the U.S. Even though it’s an American standard, it’s recognised globally as the de facto authority or source of truth on how healthcare information should be handled. It’s even recognised outside of healthcare for data handling in general!


HIPAA applies both to the organisations that collect health data from consumers, i.e. healthcare companies, and to any other organisations that process, handle, store, or otherwise interact with healthcare information on their behalf. That includes any software companies that provide related services to those healthcare companies.


Health data includes sensitive patient information in hard copy or electronic form. While HIPAA concerns patient information specifically, to ensure all bases are covered the interpretation is often applied more broadly to any healthcare data, even if identifiable patient information is not directly used in software, or not intended to be.


What’s covered by HIPAA? 


HIPAA is very similar to other information security standards like SOC 2 and ISO 27001. Beyond core security principles like established HIPAA policies, access control, data encryption, and governance, it also covers elements of privacy and processing integrity (similar to those covered in the optional criteria for SOC 2), specific requirements around data breach handling and notification (the HIPAA breach notification rule), and associate agreements with third parties.


The way we often put it to customers is that SOC 2 and ISO 27001 overlap about 80% with each other, and 70% with HIPAA, with the residual 20-30% of each being the nuances of those standards. So there’s a lot of efficiency in combining them, which can meet multiple business goals and requirements in one project.


Read our post SOC + Options on how these combinations work. 


How do I get started?


Whichever of the three ways of “doing HIPAA” you decide on, we recommend using our free readiness software. In a 60-minute self-guided assessment, it identifies and maps your HIPAA control framework, with a list of any gaps identified and recommendations to resolve them. This helps you meet the HIPAA compliance requirements with a HIPAA compliance checklist tailored to your business. That may help you comply to avoid breaches and penalties, and it's a leap towards implementing a governance program to continue managing your HIPAA obligations. If you do decide to continue to the point of an attestation report, or if you just want to discuss your business goals and whether that’s right for you, get in touch with our friendly team.


About AssuranceLab


AssuranceLab is a modern cybersecurity audit firm that provides assurance reports (ASAE 3150, SOC 1/2, and more!). Our award-winning, free software has helped over 500 companies prepare for their compliance goals. We're experts in the latest software and cloud providers. We guide your team through the compliance practices in a way that fits your environment and culture. We work closely with clients through our agile and collaborative approach, saving time, costs, and headaches along the way.
