HHS · OCR · 45 CFR Parts 160 & 164 · Lead framework

HIPAA: no certificate. Only proof.

A federal statute, not a certification: no HIPAA logo, no register, no auditor who certifies you. Four rules, Privacy, Security, Breach Notification and Enforcement, enforced by the HHS Office for Civil Rights under 45 CFR Parts 160 and 164. Compliance is not a status you hold. It is a case you must be able to prove, on a day you don’t choose.

Our stance: HIPAA isn’t audited, it’s proven. A breach, a complaint, an access request, or an OCR inquiry can each demand that proof without warning. Build the program so the evidence already exists.

§ 0 · Why it matters

HIPAA isn't a certificate. It's enforced, and your buyers check.

What's at stake

HIPAA is not a badge you earn once. It is a federal obligation the Office for Civil Rights enforces through investigation, corrective action plans, and settlements, triggered by breaches, complaints, and audits. For anyone selling into healthcare, a signed Business Associate Agreement is the gate to the deal, and the buyer's security team will ask how you run risk analysis, safeguards, and breach response before they sign. The exposure is operational, financial, and reputational at once, and a single unencrypted laptop or a late breach notice can convert a routine incident into a multi-year enforcement action. The work is proving, continuously, that the program is real.

Program architecture

HIPAA is a program, not a policy binder

One compliance program. Every safeguard connected.

  • Privacy Rule
  • Security Rule
  • Breach Rule
  • Risk analysis
  • Business Associate Agreements
  • Workforce training
  • Administrative & technical safeguards
  • Incident response
HIPAA holds when compliance is an operating program, not a binder pulled out after a breach.

Protected health information, governed.

§ I · The statute

What HIPAA actually is, in plain English.

The one-line version

A federal obligation you must be able to prove on demand, not a certificate you earn. No badge, no auditor, no public registry, just the rule, your duty under it, and the regulator who enforces it.

  • No certificate: proven by evidence
  • Four rules: Privacy · Security · Breach · Enforcement
  • CE + Business Associate: both directly liable
  • 45 CFR 160–164: HHS-codified regulation
  • Burden of proof: sits with you · §164.414
The statute, in full

HIPAA is a federal statute, the Health Insurance Portability and Accountability Act of 1996, whose privacy and security provisions were materially expanded by the HITECH Act of 2009 and codified by HHS as regulations at 45 CFR Parts 160, 162, and 164. There is no certifying body. There is no auditor who issues a HIPAA certificate. There is no logo. There is the rule, your obligation under it, and the regulator who enforces it, after a breach, a complaint, an access dispute, a media report, or a compliance review.

The framework is four rules: the Privacy Rule (§164.500-534) governs uses and disclosures of protected health information; the Security Rule (§164.302-318) sets administrative, physical, and technical safeguards for electronic PHI; the Breach Notification Rule (§164.400-414) imposes the 60-day clock when unsecured PHI is breached; and the Enforcement Rule (§160.300-552) sets civil money penalties tiered by culpability. The statute reaches two classes of organization. Covered Entities are health plans, health-care clearinghouses, and most providers; Business Associates are anyone who creates, receives, maintains, or transmits PHI on a CE’s behalf. HITECH made BAs and their subcontractors directly liable; the BAA is the contractual chain that flows obligations down.

Enforcement is by HHS OCR, with state attorneys general empowered under HITECH to bring parallel actions, and a small number of criminal referrals to DOJ each year. OCR opens a matter in several ways: a breach report you file, a patient complaint, a right-of-access complaint, a media report, or a compliance review it starts on its own. What unites all of them is one demand: prove you met the rule. Under §164.414 the burden of proof sits with you, not the regulator. Everything else, the binders, the annual training certificates, the policies in SharePoint, is preparation for the day someone asks you to prove it.

The burden of proof · §164.414

A policy exists.

A privacy or security policy sits in SharePoint. It states intent, and on its own, it proves nothing about whether the program actually runs.

A policy is not proof. A dashboard is not proof. Assembled, dated, retrievable evidence is.
Proof ready, before the request: policies (stated), risk analysis (dated), safeguard evidence (deployed), BAA chain (intact), breach / access response (assembled · dated · retrievable).
§ II · Scope decoder

Does this apply to you?

A three-question filter we run on every healthcare intake call. A yes to even one of them means HIPAA reaches your contract: BAA chain, breach clock, and all.


HIPAA scope check

1. Do you create, receive, maintain, or transmit PHI on behalf of a healthcare entity?
2. Has any healthcare customer asked you to sign a BAA?
3. Are you a Covered Entity, a Business Associate, or unsure?
§ III · The rules

The four rules, and the three categories of safeguard.

Every CE must comply with the Privacy and Security Rules in full; a BA must comply with the Security Rule in full and with the Privacy Rule to the extent its BAA and the minimum-necessary standard require. Breach Notification is what you execute the day something goes wrong. Enforcement is what OCR does afterward. Expand each rule to see the citations and the artifacts you must be able to produce when the burden of proof is tested.

Privacy Rule · §164.500 · Required: uses & disclosures

Governs every use, disclosure, and request for PHI, whether oral, paper, or electronic. Built around permitted purposes (treatment, payment, operations) and the minimum-necessary rule. Operationalized through Notice of Privacy Practices, authorizations, individual rights, and the Privacy Officer role.

§164.502
Permitted uses & disclosures
PHI used or disclosed only for treatment, payment, or health-care operations, or with a valid authorization. Minimum-necessary applied wherever the rule does not exempt it (it does not apply to disclosures to a provider for treatment, to the individual, under an authorization, or to HHS), backed by documented role-based access definitions.
§164.504
Business Associate contracts
Signed BAA before any PHI flows. Subcontractor BAAs in place with the same flow-down. Inventory tied to vendor management.
§164.508
Authorizations
Authorization template, revocation procedure, marketing/sale-of-PHI carve-outs, log of authorizations granted.
§164.520
Notice of Privacy Practices
NPP published, dated, distributed at first encounter; acknowledgment captured; current version on the website.
§164.524
Right of access
Right-of-access workflow. 30-day response (one 30-day extension allowed), fees capped, electronic-format support. The engine of OCR’s Right-of-Access Initiative: a single complaint, no breach required, is enough to test it.
§164.526
Right to amend
Amendment request workflow, denial reasons documented, accounting tied to the record.
§164.528
Accounting of disclosures
Disclosure log for non-TPO releases, retained 6 years, generable on request within 60 days.
§164.530
Privacy Officer
Named Privacy Officer, training program, complaint mechanism, sanctions policy enforced, with evidence.
Administrative Safeguards · §164.308 · Required: 9 standards

Nine standards under §164.308: the security management process (risk analysis, risk management, sanctions, information-system activity review), assigned security responsibility, workforce security, information access management, security awareness and training, security incident procedures, contingency planning, evaluation, and business associate contracts. This is where most programs fail. Several implementation specifications here are addressable (§164.306(d)): not optional, but satisfied either by implementing the safeguard or by documenting why it isn’t reasonable and appropriate and adopting an equivalent alternative measure.

§164.308(a)(1)(ii)(A)
Risk analysis
Among the most-cited deficiencies in OCR breach settlements. Dated, scoped to all ePHI, threat-source-specific, with likelihood-and-impact rating per asset class.
§164.308(a)(1)(ii)(B)
Risk management
Mitigation plan tied to the risk analysis, dated, with named owners and target dates. Updated when material change occurs.
§164.308(a)(3)
Workforce security
Authorization, clearance, termination procedures, via SCIM-driven off-boarding with timestamps, not Slack-driven.
§164.308(a)(4)
Information access management
Role-based access; access authorization, establishment, and modification, with quarterly review evidence.
§164.308(a)(5)
Security awareness & training
Periodic training, security reminders, malware updates, login monitoring, password mgmt, with rosters retained 6 years.
§164.308(a)(6)
Security incident procedures
Documented response & reporting procedure. Incident log, lessons-learned, escalation gate to breach assessment.
§164.308(a)(7)
Contingency plan
Data backup, DR, emergency mode, testing, applications & data criticality analysis, tested at least annually.
§164.308(a)(8)
Evaluation
Periodic technical and non-technical evaluation, the basis your annual security posture review must satisfy.
Physical Safeguards · §164.310 · Required: 4 standards

Four standards under §164.310. Often dismissed by cloud-native shops: “AWS handles it.” Wrong. Your workforce’s physical access to ePHI, on laptops, paper, and screens in coffee shops, is yours, regardless of where the data sits.

§164.310(a)
Facility access controls
For owned/leased space: badge logs, visitor management, contingency operations. Cloud: SOC 2 / ISO 27001 from your hosting provider in vendor file.
§164.310(b)
Workstation use
Documented acceptable use, screen-lock policy, prohibition on PHI in unencrypted local storage, signed acknowledgment.
§164.310(c)
Workstation security
Endpoint MDM, FDE enforcement, remote-wipe capability, device inventory tied to identity.
§164.310(d)
Device & media controls
Disposal, re-use, accountability log, backup-before-movement procedure. Certificates of destruction retained.
Technical Safeguards · §164.312 · Required: 5 standards

Five standards under §164.312. Encryption is an addressable specification (§164.306(d)), and if you don’t encrypt PHI at rest or in transit, you must document why and implement a reasonable equivalent. OCR has repeatedly cited unencrypted ePHI in recent settlements; in our view, for modern cloud workloads a defensible non-encryption alternative is very hard to construct.

§164.312(a)
Access control
Unique user IDs, emergency access procedure, automatic logoff, encryption/decryption of ePHI. MFA on every PHI-touching system is our baseline: the current rule does not mandate it, the 2024 NPRM proposes to.
§164.312(b)
Audit controls
Hardware, software, and procedural mechanisms to record and examine activity, with immutable logs, retention, periodic review.
§164.312(c)
Integrity
Mechanisms to ensure ePHI not improperly altered or destroyed, via hashing, change-mgmt records, integrity tests.
§164.312(d)
Person/entity authentication
Verify the person seeking access is who they claim. MFA on workforce, identity proofing on patient portals.
§164.312(e)
Transmission security
TLS 1.2+ everywhere PHI moves. Integrity controls. (End-to-end encryption is often a buyer requirement rather than a regulatory one.) No unencrypted fax-server replacements.
Breach Notification · §164.400 · 60-day clock · §164.404-410

When unsecured PHI is acquired, accessed, used, or disclosed in a manner not permitted, and you cannot demonstrate low probability of compromise via a documented four-factor risk assessment, you have a breach. The clock is 60 days from discovery, not from the incident. See the full clock.

§164.402
Definition & risk assessment
The four-factor LoProCo analysis, covering nature/extent of PHI, who acquired it, whether viewed/acquired, mitigation. Documented per incident.
§164.404
Individual notification
Written notice to each affected individual within 60 days of discovery. Plain-language template, contact mechanism, substitute notice if 10 or more are unreachable.
§164.406
Media notification
If more than 500 residents of a single state/jurisdiction, notice to prominent media outlets, also within 60 days.
§164.408
HHS notification
≥500: notify HHS contemporaneously with individuals. <500: log and submit annually within 60 days of year-end.
§164.410
BA notification to CE
BAs notify the CE without unreasonable delay, no later than 60 days. Most BAAs require 24-72 hours; honor the contract clock, not the regulatory floor.
§164.414
Burden of proof
The rule puts the burden on you. The CE/BA must demonstrate that notifications were made, or that the four-factor assessment showed a low probability of compromise. Documentation retained 6 years.
§ IV · Two roles, one statute

Covered Entity vs Business Associate, both are directly liable.

Pre-HITECH, BAs answered to the CE. Post-HITECH, BAs answer directly to OCR, with the same penalty schedule, same breach clock, same right of investigation. The distinction matters for which obligations attach. The penalties don’t care.

 

Covered Entity

Health plans, healthcare clearinghouses, and most providers transmitting any HHS-defined transaction electronically. Bears the full weight of Privacy + Security + Breach + Enforcement; owns the patient relationship and the Notice of Privacy Practices.

Obligations and penalty exposure
  • Privacy Rule: full (NPP, individual rights, accounting)
  • Security Rule: full (administrative / physical / technical safeguards)
  • Breach notice to: individuals, HHS, media (more than 500 residents of a state or jurisdiction)
  • Breach clock starts: on discovery by any workforce member or agent
  • BAA chain: issues BAAs to every BA
  • OCR investigation trigger: self-report, complaint, media
  • Civil-penalty exposure: up to $2.13M per violation type per year (2024 figure)

Business Associate · most Nexurion engagements

Anyone who creates, receives, maintains, or transmits PHI on behalf of a CE, such as SaaS, hosting, analytics, billing, transcription, and AI vendors. Directly liable under HITECH. Subcontractors are themselves BAs and must sign downstream BAAs.

Obligations and penalty exposure
  • Privacy Rule: limited, only as the BAA requires, plus minimum necessary
  • Security Rule: full, same standards as a CE
  • Breach notice to: the CE, without unreasonable delay (§164.410)
  • Breach clock starts: on the BA’s discovery; the CE’s 60-day clock starts when the CE receives notice, unless the BA is acting as the CE’s agent, in which case the BA’s discovery is imputed to the CE (§164.404(a)(2))
  • BAA chain: signs the CE’s BAA and issues BAAs to subcontractors
  • OCR investigation trigger: the CE’s breach report, the BA’s own report, a complaint
  • Civil-penalty exposure: same penalty tiers, scoped to BA-applicable provisions
Breach response · the 60-day clock · §164.404

The clock starts.

A helpdesk ticket arrives: a patient saw someone else’s record. No legal review. No confirmation. No decision that it’s a breach. Under §164.404(a)(2) the breach is treated as discovered, and under §164.404(b) the 60-day clock is already running.

The dangerous move is waiting for certainty. The clock does not wait.
Discovery started the clock. Not confirmation.
§ V · The clock

The 60-day breach-notification clock: minute by minute.

The breach clock is the most visible moment the burden of proof comes due, though a complaint or access request can demand the same evidence with no clock at all. From discovery to filed notice: the clock starts when any member of your workforce first knows or should reasonably have known. Not when legal confirms. Not when the forensics report lands. Discovery.

Hour 0
Discovery
An engineer notices a misconfigured S3 bucket. Helpdesk gets a ticket from a patient who saw someone else’s record. The clock has started: discovery under §164.404(a)(2), the 60-day outer limit under §164.404(b). Activation of the incident-response runbook is non-negotiable.
Hours 0 – 24
Containment + preservation
Stop the bleeding. Preserve evidence. Snapshot logs. Engage outside counsel under privilege. Begin the four-factor LoProCo analysis under §164.402. If you are a BA, notify the CE now: most BAAs require 24-72 hr.
Day 1 – 14
Forensics + scope
Forensic provider scopes affected records, individuals, jurisdictions. Workforce interviews. Log review. Cyber-insurance carrier engaged on day 1, not day 30. Determine 500-individual threshold: that flips multiple obligations.
Day 14 – 35
Notice drafting + carrier review
Individual letter, HHS submission, media draft if ≥500, state AG notifications under parallel state laws (CA, NY, TX, MA … up to 50 separate clocks). Print/mail vendor under contract. Call-center script approved.
Day 35 – 55
Notice issued
Letters mailed. HHS portal filed. Substitute notice posted if 10 or more individuals are unreachable. Media notice issued if more than 500 residents of a single state or jurisdiction are affected. Not on day 60. Day 55 at the latest: the buffer is for mail delivery.
Day 60 to 18+ months
OCR investigation
Data Request Letter typically arrives 30-90 days after the HHS filing. Risk analysis, sanctions, training records, BAA library, IR runbook, the four-factor analysis. This is the work the entire program existed to make defensible.
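The clock above, and the Breach Notification thresholds in § III, as an added worked example (not Nexurion’s code or tooling): a Python model that anchors every deadline on the discovery date and applies the thresholds the rule text cites. The scenario, the affected counts, and the 72-hour BAA window are constructed for the example; the statute and your BAA decide the real numbers.

```python
"""Breach-notification obligations as a function of the discovery date.

Added worked example. The thresholds are the ones cited in 45 CFR 164.402-414.
Discovery is the first day any workforce member or agent (other than the person
who caused the breach) knew or should have known (section 164.404(a)(2)); legal
confirmation never moves it.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import Optional

NOTICE_WINDOW = timedelta(days=60)       # outer limit in 164.404(b), .406(b), .408(b), .410(b)
HHS_CONTEMPORANEOUS_MIN = 500            # 164.408(b): 500 or more individuals
MEDIA_PER_JURISDICTION_MORE_THAN = 500   # 164.406(a): MORE than 500 residents of one state
SUBSTITUTE_NOTICE_MIN_UNREACHABLE = 10   # 164.404(d)(2)(ii): 10 or more with bad contact info


@dataclass
class Incident:
    # Earliest moment anyone in the workforce knew or should have known:
    # the helpdesk ticket timestamp, not legal's sign-off.
    first_known_by_workforce: datetime
    role: str                                      # "CE" or "BA"
    affected_by_jurisdiction: dict = field(default_factory=dict)  # {"CA": 620, "NY": 40}
    unreachable_individuals: int = 0               # insufficient or out-of-date contact info
    baa_notice_hours: Optional[int] = None         # contractual BA->CE window (assumed, e.g. 72)
    ba_is_agent_of_ce: bool = False                # agency imputes BA discovery to the CE
    legal_confirmed: Optional[datetime] = None     # kept only to show it does not matter


def discovery_date(inc: Incident) -> date:
    """164.404(a)(2): the clock anchors on first knowledge, not on confirmation."""
    return inc.first_known_by_workforce.date()


def days_elapsed(inc: Incident, now: datetime) -> int:
    """How much of the 60-day window is already gone at a given moment."""
    return (now.date() - discovery_date(inc)).days


def obligations(inc: Incident) -> dict:
    if inc.role not in ("CE", "BA"):
        raise ValueError("role must be 'CE' or 'BA'")
    d = discovery_date(inc)
    outer = d + NOTICE_WINDOW
    total = sum(inc.affected_by_jurisdiction.values())
    out = {"discovery": d, "outer_deadline": outer, "total_affected": total}

    if inc.role == "BA":
        # 164.410: notify the CE without unreasonable delay, 60 days at the very latest.
        out["notify_ce_regulatory_floor"] = outer
        if inc.baa_notice_hours is not None:
            # The contract clock is the one you are held to; it is almost always tighter.
            out["notify_ce_by_contract"] = inc.first_known_by_workforce + timedelta(
                hours=inc.baa_notice_hours)
        # If the BA acts as the CE's agent, the CE is deemed to have discovered the
        # breach when the BA did (164.404(a)(2)); otherwise the CE's clock starts on notice.
        out["ce_clock_starts"] = d if inc.ba_is_agent_of_ce else "on receipt of BA notice"
        return out

    # Covered Entity obligations.
    out["individual_notice_by"] = outer                                   # 164.404(b)
    out["substitute_notice_required"] = (
        inc.unreachable_individuals >= SUBSTITUTE_NOTICE_MIN_UNREACHABLE)  # 164.404(d)(2)
    out["media_notice_jurisdictions"] = sorted(                           # 164.406
        j for j, n in inc.affected_by_jurisdiction.items()
        if n > MEDIA_PER_JURISDICTION_MORE_THAN)
    if total >= HHS_CONTEMPORANEOUS_MIN:
        out["hhs_notice"] = "contemporaneous with individual notice"      # 164.408(b)
        out["hhs_notice_by"] = outer
    else:
        year_end = date(d.year, 12, 31)                                   # 164.408(c)
        out["hhs_notice"] = "log; annual submission within 60 days of calendar year end"
        out["hhs_notice_by"] = year_end + NOTICE_WINDOW
    return out


if __name__ == "__main__":
    # Constructed scenario: a patient reports seeing another record on a Tuesday;
    # legal is looped in a week later. Affected counts are made up for the example.
    inc = Incident(
        first_known_by_workforce=datetime(2025, 3, 4, 9, 15),
        legal_confirmed=datetime(2025, 3, 11, 16, 0),
        role="CE",
        affected_by_jurisdiction={"CA": 620, "NY": 40},
        unreachable_individuals=12,
    )
    for k, v in obligations(inc).items():
        print(f"{k}: {v}")
    print("days already burned when legal confirmed:", days_elapsed(inc, inc.legal_confirmed))
```

Two thresholds are deliberately not the same comparison: HHS is contemporaneous at 500 or more individuals in total, media notice only at more than 500 residents of a single state or jurisdiction, so an incident touching exactly 500 people in one state files with HHS now and owes no media notice. Feed the model the helpdesk timestamp, never the date legal signed off, or every downstream date is wrong by the same margin.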
§ VI · How Nexurion runs it

Senior partner from day one. Evidence-led from week one.

Partner-led from intake through any OCR response. Evidence-led from week one. The proof assembled before the request arrives, not reconstructed under a 60-day clock.

Methodology detail

Most HIPAA programs we inherit were sold by a portal vendor, with a policy template library, a training LMS, a BAA generator, and a green dashboard. They are not wrong; they are insufficient. None of them survive an OCR Data Request Letter. We are not a portal. Every Nexurion HIPAA engagement is led by a senior practitioner. The person on the engagement letter is the person re-doing your §164.308(a)(1)(ii)(A) risk analysis, sitting in your monthly Privacy Officer meeting, and on the call when an engineer reports something that might be a breach. Read our methodology.

Evidence-led methodology means we operate as if the burden of proof could be called tomorrow, by a breach, a complaint, or an access request. Risk analysis is dated, scoped to all ePHI, and re-run on material change, not annually as a calendar event. Safeguards documented in the analysis are demonstrated in the live environment within 90 days. The incident-response runbook is rehearsed at a tabletop with engineering, legal, comms, and the named Privacy Officer on the line, before the actual incident. We hand OCR (or a buyer’s assessor) a read-only audit-room with every artifact pre-mapped to the rule citation it satisfies. More on operational controls »

The goal is not a passed inspection. HIPAA has no inspection. The goal is a program that is boring on the day OCR opens the file, because every claim in it is already backed by dated, retrievable evidence. See engagement outcomes.

01
Senior practitioner from day one
The name on the engagement letter re-does your §164.308 risk analysis and sits in your Privacy Officer meetings. No junior hand-off.
02
Evidence-led from week one
We operate as if an OCR request lands tomorrow, with dated risk analysis, safeguards demonstrated in the live environment, and the runbook rehearsed.
03
Proof ready before it’s demanded
A read-only audit-room with every artifact pre-mapped to the rule citation it satisfies, produced in days, not weeks.
04
Between counsel and the CPA
Not your lawyer, not an auditor, but the senior practitioner who makes the evidence hold under both.
Engagement structure

We are not a CPA firm. We are not your lawyer. We are the senior practitioner between them.

HIPAA breaches are also legal events. We work alongside your healthcare-privacy counsel under privilege when warranted, in support of the lawyers who lead breach responses, not in their place. The CE’s Privacy Officer is yours; the runbook the workforce executes the morning after is ours. OCR & enforcement reality »

§ VII · Where engagements stall

Six places HIPAA programs go sideways.

After a few dozen of these, the failure modes are remarkably consistent. Almost none are technical. Read another way, each is a way the proof goes missing, goes stale, or can’t be produced the moment it’s asked for.

01 / Risk-analysis theater

A questionnaire is not a risk analysis.

Among the most-cited deficiencies in OCR breach settlements. §164.308(a)(1)(ii)(A) requires an accurate and thorough assessment of risks to all ePHI, threat-source-specific, asset-by-asset, with likelihood and impact. A 200-question yes/no checklist is not that. Re-do it properly. Date it. Update on material change.
02 / Annual training, no sanctions

Training without enforcement.

Workforce completes training, signs the acknowledgment, then violates the minimum-necessary rule six months later with no consequence. §164.530(e) requires a sanctions policy, applied. Without sanction evidence, training records prove the opposite of what you want them to.
03 / BAA chain rot

Sub-BAs nobody owns.

A BA signed your BAA in 2022 and onboarded three subprocessors since. None signed downstream BAAs. PHI flows; liability flows. We rebuild the chain on intake, with full inventory, signature dates, flow-down clauses present, current addresses on file.
04 / Encryption "addressable"

Choosing not to encrypt, without the memo.

§164.312(a)(2)(iv) makes encryption "addressable." In practice, if you don’t do it, document why and what you did instead. Most programs simply don’t do it and don’t document. PHI on a stolen laptop that was encrypted in line with HHS guidance, with the key not compromised, is not "unsecured PHI" and falls outside the notification rule; unencrypted PHI on the same laptop is a reportable breach unless the four-factor assessment shows a low probability of compromise.
05 / Right-of-access

Patient asked. Nobody answered.

OCR has run a Right-of-Access Initiative since 2019 with dozens of settlements, most into five and six figures. No breach required, a single complaint is enough. §164.524 requires a response within 30 days, in the format requested, with capped fees. Most providers blow this and don’t know they did until OCR calls.
06 / Discovery delay

The helpdesk sat on it.

A patient called Tuesday. Helpdesk routed the ticket to engineering Friday. Engineering escalated to security Monday. Security looped in legal the following Tuesday. The clock has been running since Tuesday-one. Train the helpdesk to escalate on the words "my record" and "someone else."
§ VIII · OCR & enforcement

There is no auditor. There is the regulator.

HIPAA has no certifying body and no annual external audit. What it has is the HHS Office for Civil Rights, the regulator that opens a matter when you self-report a breach, when a patient files a complaint (including a right-of-access complaint), when the press reports an incident, or on its own initiative through a compliance review. The periodic HIPAA Audit Program has been dormant since the 2016–17 Phase 2 cycle, though OCR has signaled intent to resume it. Each of these is the same thing wearing a different hat, a demand that you prove the program. Plan for all of them, not just the breach.

How OCR enforces — settlements, penalties, our role

OCR resolves most matters via Resolution Agreement and Corrective Action Plan, a settlement that includes a money payment and 1-3 years of mandated program work, monitored. Recent settlements have repeatedly cited failure to conduct an accurate and thorough risk analysis, failure to implement appropriate safeguards, and impermissible disclosures, the same three deficiencies, year after year. The HHS “Wall of Shame” publishes every breach affecting 500 or more individuals; your filing is posted there once OCR processes it.

Civil monetary penalties are tiered by culpability under §160.404 and inflation-adjusted annually, from no knowledge through willful neglect / corrected to willful neglect / not corrected, with the top tier’s annual cap approaching $2.13M per identical violation (2024 figures); the lower tiers are capped far below that. Criminal referrals to DOJ are rare but real for knowing wrongful disclosure. State attorneys general hold parallel HITECH authority and have used it in cases of their own.

Our role begins when an OCR Data Request Letter arrives, after a breach, a complaint, or a review, we reconstruct the program from your live evidence in days, not weeks, and sit with your privacy counsel through the response. The work is judged on whether the evidence holds, not on a promise about the outcome.

§ IX · Cross-mapping

HIPAA against the rest of the stack.

HIPAA is the regulatory floor; almost every healthcare engagement also runs a framework on top: for assurance, for procurement, for AI governance. Where they overlap; where they don’t.

The stack (diagram): approximate control overlap with HIPAA as the floor. HITRUST CSF ~90%, ISO 27001 ~75%, SOC 2 Type 2 ~70%, NIST SP 800-66 r2 ~60% (Security Rule only), GDPR ~25%. In the diagram, line weight indicates approximate control overlap; higher overlap means more of the safeguard work carries directly into that framework. Detailed crosswalk below.
Framework · overlap with HIPAA · what you still need to do

HITRUST CSF
Overlap: very high. HITRUST was built around HIPAA Security; r2 is the de-facto attestation many payers ask for in lieu of HIPAA proof.
Still needed: HITRUST assessment program (e1 / i1 / r2), authorized assessor, MyCSF licensing.

SOC 2 Type 2
Overlap: substantial. CC6 / CC7 cover most of the Security Rule’s technical safeguards.
Still needed: HIPAA-specific obligations: BAAs, breach-notification procedures, minimum-necessary rule, OCR-defensible risk analysis.

ISO 27001:2022
Overlap: high. Annex A controls map cleanly to administrative and technical safeguards.
Still needed: HIPAA-specific: BAA chain, breach clock, individual rights, accounting of disclosures, NPP.

NIST SP 800-66 r2
Overlap: Security Rule only. NIST’s implementation guide for the HIPAA Security Rule, the federal “how to” reference for that one rule.
Still needed: Privacy Rule, Breach Notification, and individual rights; 800-66 doesn’t cover them.

GDPR
Overlap: limited. Largely orthogonal frameworks; some breach-notification overlap.
Still needed: lawful basis, DPIAs, controller / processor split, cross-border transfers, DSARs. HIPAA does not address these.

U.S. state privacy (CCPA, etc.)
Overlap: PHI is often exempt, but the exemption is narrow and varies by statute.
Still needed: non-PHI consumer data is in scope of state laws; map carefully where the same record straddles both.

ISO 42001 (AI)
Overlap: minimal, orthogonal. AI risk applies on top of HIPAA.
Still needed: AIMS, AI impact assessment, model lifecycle, BA-style coverage of AI vendors. See governance »
§ X · 2025 NPRM & what’s coming

The first material Security-Rule update in twenty years.

On December 27, 2024, HHS announced a Notice of Proposed Rulemaking (published in the Federal Register on January 6, 2025) that, if finalized, would overhaul the HIPAA Security Rule for the first time since 2003. The comment period closed on March 7, 2025. A final rule would then follow the standard rulemaking pipeline, but timing is uncertain and the proposal could change materially, or stall, before it is finalized. The NPRM proposed a general compliance window of roughly 180 days after the rule takes effect. None of the items below is in force today; treat them as direction of travel, and begin preparing now.

  • The “addressable” distinction would go away. Encryption, MFA, vulnerability management, anti-malware, network segmentation: all proposed as required, with documented exceptions narrow and time-bound. If finalized, the defensible-memo era ends.
  • Asset inventory + network map. Annual technology asset inventory and a current network map of ePHI flow, updated on material change. Most programs do not have this and have not for decades.
  • Risk analysis specifications. The proposed rule is prescriptive about what “accurate and thorough” means: threat catalog, vulnerability catalog, predisposing conditions, likelihood, impact, risk level, and a written assessment.
  • BA verification. Proposed annual written verification from BAs that the technical safeguards required by the rule are deployed. Your BAA template will need rewriting; your sub-BA inventory needs to support attestation.
  • Compliance audit + penetration testing. Proposed annual compliance audit; pen-testing every 12 months. Vulnerability scanning every 6 months.
  • 72-hour restoration objective. Critical relevant electronic information systems and data would be required to be restored within 72 hours of a loss (as proposed). Most contingency plans do not commit to this.

Read our deeper take in Field Notes Vol. III: “What the 2024 HIPAA Security Rule NPRM means if you’re a BA today.”

§ XI · Pairs with

HIPAA is rarely the only framework.

A short list of what we typically scope alongside it: in order of how often the question comes up.

§ XII · FAQ

Frequently asked.

Are we HIPAA certified after readiness?
No, and nobody else is either. HIPAA is a federal statute, not a certification framework. There is no certifying body, no logo, no register. What you have after readiness is a defensible program: the evidence you can produce the day someone asks you to prove it: dated risk analysis, deployed safeguards, executable breach runbook, signed BAA chain. Marketing should say "we maintain a HIPAA-compliant program," never "we are HIPAA certified." If a vendor tells you they are HIPAA certified, that is a tell.
When does the 60-day clock actually start?
On the first calendar day a member of your workforce (or an agent, other than the person who committed the breach) knew or, by exercising reasonable diligence, would have known of it, under §164.404(a)(2); the 60-day outer limit in §164.404(b) runs from that day. Not when legal confirms. Not when forensics finishes. Not when you decide it’s a breach. The discovery date is what OCR uses to count, and it is the date you must be able to defend in writing.
Is every security incident a breach?
No. §164.402 lets you classify an incident as not a breach if a documented four-factor risk assessment shows a low probability of compromise, weighing nature/extent of PHI, who acquired it, whether it was actually viewed, mitigation effectiveness. The analysis must be written, dated, and retained, because the burden is on you to prove it. “Low probability” is a defensible legal conclusion, not a vibe.
We’re a BA, do we need our own breach-notification process?
Yes, distinct from the CE’s. §164.410 requires you to notify the CE without unreasonable delay, no later than 60 days. Most BAAs require 24-72 hours; honor the contract clock. Your breach starts the CE’s 60-day clock, so getting notice to them quickly is part of being a competent BA.
What does HIPAA readiness cost?
Highly scope-dependent. For a first-time BA, $40-90k for a senior-led readiness + risk analysis + BAA program rebuild + tabletop, plus ongoing privacy-officer support. CEs run higher, especially with a clinical footprint. We do not sell the SaaS portal, the deliverable is a defensible program, not a dashboard. See pricing structure »
Does SOC 2 satisfy HIPAA?
No. They overlap on the technical and administrative safeguards, but SOC 2 has no concept of BAAs, the minimum-necessary rule, individual rights, accounting of disclosures, or the breach-notification clock. A clean SOC 2 report is good evidence on a HIPAA RFP; it is not a substitute for a HIPAA program.
Does HITRUST r2 satisfy HIPAA?
In practice, yes, for proof to other private parties. Most major payers and health systems accept a HITRUST r2 attestation as evidence of HIPAA Security Rule compliance. OCR is not bound by it; OCR will still investigate a breach on its own terms. HITRUST is a procurement asset, not a regulatory shield.
Does the 2024 NPRM change what we should do today?
Yes. Stop treating encryption, MFA, asset inventory, network mapping, and annual pen-testing as optional. The NPRM telegraphs the direction of travel; programs already aligned to HITRUST or ISO 27001 are largely there. Programs running on policy templates and annual training are not.
§ XIII · From the Brief

Field notes on HIPAA.

Pieces from Nexurion Field Notes directly relevant to the statute.


HIPAA on the calendar? Get the 5-minute scoping memo.

Five questions. One reply. Within 48 hours, a senior practitioner sends a written scoping memo: CE/BA verdict, BAA-chain triage, an honest read on whether your current risk analysis would hold up if OCR asked you to prove it, and a remediation calendar. The booking link is at the bottom of the memo.
