All framework guides
HIPAA Hub
HIPAA Compliance Hub
Healthcare data protection in the United States
Overview
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule sets national standards for protecting electronic protected health information (ePHI). Covered entities and business associates must implement administrative, physical, and technical safeguards.
Who needs it?
Healthcare providers, health plans, healthcare clearinghouses, and business associates that create, receive, maintain, or transmit ePHI in the United States.
Key topics
- Administrative safeguards (risk analysis, workforce training)
- Physical safeguards (facility access, device media controls)
- Technical safeguards (access control, audit controls, encryption)
- Business Associate Agreements (BAAs)
- Breach notification under the HITECH Act
Typical timeline
HIPAA compliance is ongoing. OCR investigations follow complaints or breaches; HITRUST or SOC 2 + HIPAA mappings are common attestation paths for vendors.
How ComplAI helps
- HIPAA Security Rule mapped controls
- Policy templates for workforce and access management
- Vendor risk assessments for business associates
- Evidence collection for safeguard implementation
