Framework Guide · HIPAA
HIPAA (Health Insurance Portability and Accountability Act)
The baseline for anyone touching Protected Health Information.
Who needs it: Covered entities (providers, health plans, clearinghouses) and their business associates — including SaaS vendors handling PHI.
Overview
HIPAA's Security Rule requires administrative, physical, and technical safeguards for electronic PHI. There is no formal certification, but HHS enforcement, breach notification, and BAA obligations make compliance non-optional.
Timeline
2–4 months for a solid initial risk analysis and safeguards program.
Typical cost
$8k–$40k for SMBs, depending on complexity and BAA volume.
What it covers
How Scarlet Risk helps
HIPAA-aligned policies
Solo practitioner and SMB templates ready to sign.
Risk analysis
Structured Security Rule risk analysis and remediation tracking.
BAA vendor tracking
Vendor Risk report captures BAA coverage and gaps.
Frequently asked
Is there a HIPAA certification?
No — HIPAA has no government-issued certificate. You demonstrate compliance through documentation, risk analysis, safeguards, and audit trail.
What's a BAA?
A Business Associate Agreement — a contract that binds your vendors to protect PHI on your behalf. Every vendor that touches PHI needs one.
How does HIPAA overlap with SOC 2?
SOC 2 controls cover most HIPAA Security Rule technical safeguards, but HIPAA adds breach notification, BAAs, and administrative requirements. They complement each other.
Ready to shortcut HIPAA?
Scarlet Comply and our on-demand reports collapse months of prep into hours.
