New: Autonomous AI risk intelligence is live — your compliance program in 12 minutes. Get started →

Framework Guide · HIPAA

HIPAA (Health Insurance Portability and Accountability Act)

The baseline for anyone touching Protected Health Information.

Who needs it: Covered entities (providers, health plans, clearinghouses) and their business associates — including SaaS vendors handling PHI.

Overview

HIPAA's Security Rule requires administrative, physical, and technical safeguards for electronic PHI. There is no formal certification, but HHS enforcement, breach notification, and BAA obligations make compliance non-optional.

Timeline

2–4 months for a solid initial risk analysis and safeguards program.

Typical cost

$8k–$40k for SMBs, depending on complexity and BAA volume.

What it covers

Administrative safeguardsPhysical safeguardsTechnical safeguardsBreach notificationBusiness Associate AgreementsRisk analysis

How Scarlet Risk helps

  • HIPAA-aligned policies

    Solo practitioner and SMB templates ready to sign.

  • Risk analysis

    Structured Security Rule risk analysis and remediation tracking.

  • BAA vendor tracking

    Vendor Risk report captures BAA coverage and gaps.

Frequently asked

Is there a HIPAA certification?

No — HIPAA has no government-issued certificate. You demonstrate compliance through documentation, risk analysis, safeguards, and audit trail.

What's a BAA?

A Business Associate Agreement — a contract that binds your vendors to protect PHI on your behalf. Every vendor that touches PHI needs one.

How does HIPAA overlap with SOC 2?

SOC 2 controls cover most HIPAA Security Rule technical safeguards, but HIPAA adds breach notification, BAAs, and administrative requirements. They complement each other.

Ready to shortcut HIPAA?

Scarlet Comply and our on-demand reports collapse months of prep into hours.

Other frameworks