Compliance · US Healthcare

HIPAA compliance that protects patients

Healthcare is the most breached industry on earth, and HIPAA holds you accountable for every record. S-Security secures protected health information end to end — and gives you the safeguards, documentation, and breach response to prove it.

What is HIPAA?

The law that guards health data

The Health Insurance Portability and Accountability Act of 1996, strengthened by the HITECH Act of 2009, sets the US national standard for protecting Protected Health Information (PHI) — any individually identifiable health data, including its electronic form (ePHI).

It is enforced by the HHS Office for Civil Rights (OCR) and built on three core rules: the Privacy Rule (who may use and disclose PHI), the Security Rule (how to protect ePHI), and the Breach Notification Rule (what to do when protection fails).

HIPAA is deliberately technology-neutral and "scalable" — a solo dental practice and a national hospital network are both accountable, but the depth of controls is expected to match the size and risk of the organization.

Who must comply

HIPAA binds covered entities and the business associates who handle PHI on their behalf.

  • Healthcare providers who transmit data electronically
  • Health plans and insurers
  • Healthcare clearinghouses
  • Business associates: billing firms, cloud hosts, SaaS vendors, IT and security providers, analytics platforms

Key requirements

The safeguards HIPAA demands

The Security Rule organizes protection of ePHI into three families of safeguards, anchored by a mandatory risk analysis.

Administrative safeguards

Risk analysis and management, a designated security official, workforce training, sanction policies, access management, and a contingency/disaster-recovery plan.

Physical safeguards

Facility access controls, workstation use and security policies, and strict device and media controls covering disposal, re-use, and movement of hardware holding ePHI.

Technical safeguards

Unique user IDs, access and audit controls, integrity protection, and encryption of ePHI both in transit and at rest — the addressable control most regulators expect you to implement.

Business Associate Agreements

Before sharing PHI with any vendor, a signed BAA must contractually bind them to HIPAA's requirements. Missing BAAs are one of OCR's most common findings.

Breach notification

Notify affected individuals and HHS without unreasonable delay, no later than 60 days. Breaches affecting 500+ individuals must also be reported to the media and OCR promptly.

Patient rights (Privacy Rule)

Patients can access and obtain copies of their records, request amendments, and receive an accounting of disclosures — generally within 30 days of the request.

How S-Security helps

Safeguards mapped to our services

We translate each HIPAA Security Rule safeguard into a control we operate and evidence for you.

HIPAA safeguard | How we deliver it | Backed by
Required risk analysis & management | Comprehensive technical assessment of where ePHI lives and how it could be exposed | Penetration Testing
Technical safeguards (access, encryption, audit) | Identity-first access, least privilege, and full audit logging for every PHI touch | Zero Trust
Protect ePHI in cloud systems | Continuous posture management for EHR, cloud storage, and SaaS holding ePHI | Cloud Security
Detect intrusions & insider misuse | 24/7 monitoring tuned for healthcare threats — ransomware, credential theft, data exfil | Managed Detection & Response
Breach notification readiness | Forensic-grade containment and a 60-day-ready report for OCR and affected patients | Incident Response

Many providers pair HIPAA with SOC 2 to satisfy enterprise customers. We run both as one program.

The compliance journey

Your path to HIPAA compliance

HIPAA isn't a certificate you earn once — it's an ongoing program. Here's how we stand it up and keep it running.

Mandatory risk analysis

We perform the Security Rule's required risk analysis: inventorying ePHI, identifying threats and vulnerabilities, and rating the risk to every system that touches patient data.

Policies, BAAs & safeguards

We build your administrative, physical, and technical safeguard policies, designate your security official, and audit your Business Associate Agreement coverage.

Encrypt, control, monitor

Encryption of ePHI at rest and in transit, least-privilege access, audit logging, and 24/7 detection go live across your EHR, cloud, and endpoints.

Workforce & breach drills

Role-based HIPAA training plus a simulated breach exercise so your team can hit the 60-day notification window without panic.

Continuous risk management

Annual re-analysis, control monitoring, and updates as your systems and the threat landscape evolve — the "ongoing" risk management OCR explicitly expects.

What non-compliance costs

OCR enforces HIPAA on a tiered penalty scale based on culpability — from "did not know" to "willful neglect." Penalties run from roughly $100 to over $50,000 per violation, with an annual cap exceeding $1.9 million per violation category (figures are inflation-adjusted each year).

"Willful neglect" — failing to perform the required risk analysis is a classic example — draws the harshest tier. Multi-million-dollar settlements are routine, and severe cases can bring criminal charges, mandatory corrective action plans, and years of OCR oversight. With healthcare breaches now exposing tens of millions of records annually, the patient-trust damage often exceeds the fine.

"After a near-miss with ransomware, we needed real HIPAA controls, not a binder of policies. S-Security delivered the risk analysis OCR expects, locked down our ePHI, and gave our board genuine peace of mind."
Elena Vasquez, CISO · MeridianPay

FAQ

HIPAA questions, answered

Is there an official HIPAA certification we can earn?

No. HHS does not certify or endorse any HIPAA "certification." Compliance is demonstrated through your own documented safeguards, a completed risk analysis, and evidence of ongoing risk management. Beware vendors selling a "HIPAA certified" badge as proof — OCR looks at what you actually do, not a logo.

Is encryption of ePHI legally mandatory?

Encryption is technically "addressable" rather than "required," meaning you must implement it or document a reasonable alternative that achieves equivalent protection. In practice, encrypting ePHI at rest and in transit is the expected baseline — and it's also a safe harbor that can exempt you from breach notification if encrypted data is lost.

Do our cloud and SaaS vendors need to be HIPAA compliant too?

Yes. Any vendor that creates, receives, maintains, or transmits PHI on your behalf is a business associate and must sign a BAA committing them to HIPAA. You remain accountable for ensuring those agreements exist — missing or inadequate BAAs are among OCR's most frequently cited violations.

How does HIPAA relate to GDPR if we have patients in Europe?

They're separate regimes that can both apply. HIPAA governs US health data; GDPR governs the personal data of EU residents and treats health data as a special category with extra protections. If you serve patients on both sides of the Atlantic, you'll need to satisfy both — we design one control set that covers each.

Ready to protect PHI?

HIPAA compliance you can defend

Begin with the risk analysis HIPAA requires — and a clear roadmap to close every gap. Book your assessment today.