Key facts
- Controls: three rules (Privacy, Security, Breach Notification). The Security Rule has 18 standards and 36 implementation specifications (14 required, 22 addressable) across Administrative, Physical, and Technical safeguards.
- Recertification cycle: none; compliance is a continuous legal obligation with no expiry.
- Ongoing oversight: OCR complaint-driven investigations and periodic audit programs.
- Common gap categories: risk analysis (§164.308(a)(1)); access controls (§164.312(a)); audit controls (§164.312(b)); Business Associate Agreements (§164.308(b)); workforce training (§164.308(a)(5)).
- Related standards
What is HIPAA?
A US federal law (enacted 1996, extended by the HITECH Act in 2009 and the Omnibus Rule in 2013; a Security Rule overhaul was proposed in January 2025 and is not yet final), enforced by the HHS Office for Civil Rights (OCR). It applies to covered entities and business associates that handle protected health information (PHI); the Security Rule specifically governs PHI in electronic form (ePHI).
Is HIPAA a certification or an attestation?
There is no HIPAA certification. OCR issues no certificate and no accreditation body confers one. Compliance is a continuous legal obligation demonstrated through risk analyses, policies, and controls. Organizations undergo third-party assessments, not certifications.
Who needs HIPAA?
Any software vendor, cloud provider, or service company that creates, receives, stores, or transmits PHI on behalf of a covered entity (a healthcare provider, health plan, or clearinghouse), and, since the Omnibus Rule, any subcontractor that does so on behalf of such a business associate. In practice the trigger is a customer asking you to sign a Business Associate Agreement (BAA): once you hold PHI for them, the Security Rule applies to you directly, not only by contract.
What does HIPAA cost and how long does it take?
A third-party risk assessment typically runs $4K to $60K over 2 to 8 weeks. The total first-year compliance build (policies, controls, tooling) is typically $10K to $50K for mid-size companies.
HITRUST CSF certification is the closest market analog to a formal HIPAA certification; it is a separate, optional framework whose controls map to HIPAA requirements. A vendor that says it is "HIPAA certified" usually means it holds a HITRUST certification or a third-party HIPAA assessment report, not anything issued by OCR.