US healthcare · Last verified 2026-05-13

HIPAA

Bottom line

HIPAA is a US federal law, not a certification. No HIPAA certificate exists; compliance is a continuous legal obligation enforced by HHS Office for Civil Rights. Third-party risk assessments run $4K–$60K over 2–8 weeks for covered entities and business associates.

Cost & timeline $4K–$60K assessment / 2–8 weeks

One of 10 compliance framework explainers we maintain.

Key facts

Controls
3 rules (Privacy, Security, Breach Notification). Security Rule: 18 standards and 36 implementation specifications across Administrative, Physical, and Technical safeguards.
Recertification cycle
Continuous legal obligation (no expiry)
Ongoing oversight
OCR complaint-driven investigations and periodic audit programs
Common gap categories
Risk analysis (§164.308(a)(1)); Access controls (§164.312(a)); Audit controls (§164.312(b)); Business Associate Agreements (§164.308(b)); Workforce training (§164.308(a)(5))
Related standards
HITRUST; NIST SP 800-66; HITECH Act; SOC 2

What is HIPAA?

A US federal law (enacted 1996, with the HITECH Act in 2009 and Omnibus Rule in 2013; Security Rule overhaul proposed January 2025) administered by HHS Office for Civil Rights, scoped to covered entities and business associates that handle protected health information (PHI).

Is HIPAA a certification or an attestation?

There is no HIPAA certification. OCR issues no certificate and no accreditation body confers one. Compliance is a continuous legal obligation demonstrated through risk analyses, policies, and controls. Organizations undergo third-party assessments, not certifications.

Who needs HIPAA?

Covered entities (healthcare providers, health plans, and clearinghouses) are subject to HIPAA directly. Beyond them, any software vendor, cloud provider, or service company that creates, receives, stores, or transmits PHI on behalf of a covered entity is a business associate, and the obligation is typically triggered when a customer requires a Business Associate Agreement (BAA).

What does HIPAA cost and how long does it take?

Range

$4K–$60K assessment / 2–8 weeks

Third-party risk assessment $4K–$60K over 2–8 weeks. Total first-year compliance build (policies, controls, tools) typically $10K–$50K for mid-size companies.

Source: HHS OCR: HIPAA Audit Program

One thing to watch

HITRUST is the closest market analog to a formal HIPAA certification and is a separate, optional framework. Vendors who say they are HIPAA certified usually mean HITRUST.
