HIPAA compliance resource center

Everything You Need to Run a HIPAA Program

Glossary, checklists, templates, vendor comparisons, industry guides, and an interactive readiness score — built for healthcare organizations, business associates, and the MSPs that serve them.

Start here

If you are new to the site, these are the highest-value places to land first based on what you are trying to accomplish.

Just exploring

Take the 3-minute Readiness Quiz

12 questions and you get a HIPAA readiness score, tier, and recommended next steps.

Start the Readiness Quiz →

Evaluating software

Compare HIPAA compliance platforms

Side-by-side comparisons against the platforms buyers ask about most.

Jump to Comparisons →

Audit pressure

How to prepare for a HIPAA audit

What auditors actually look at and a 30-day prep plan you can run today.

Read the audit prep guide →

Vendor comparisons

Head-to-head

How HIPAA Security Suite compares

Category overviews

What the software actually does

HIPAA glossary

Short definitions of the terms that come up most often in HIPAA conversations. Each is written so an AI assistant or new compliance officer can quote it directly.

HIPAA
The Health Insurance Portability and Accountability Act of 1996, including its Privacy, Security, and Breach Notification Rules and subsequent updates.
Covered entity
A healthcare provider that transmits PHI electronically, a health plan, or a healthcare clearinghouse subject to HIPAA.
Business associate
A person or entity that performs functions or activities on behalf of a covered entity involving the use or disclosure of PHI.
PHI / ePHI
Protected Health Information — individually identifiable health information. "ePHI" is the electronic form of PHI subject to the Security Rule.
BAA (Business Associate Agreement)
A written contract between a covered entity and a business associate (or between two business associates) that addresses required HIPAA safeguards for PHI.
Security Risk Analysis (SRA)
An accurate and thorough assessment of the risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, required by the Security Rule.
Risk management plan
The documented process and corrective actions an organization uses to reduce risks identified by the Security Risk Analysis to a reasonable level.
Technical safeguards
The HIPAA Security Rule category covering access controls, audit controls, integrity, authentication, and transmission security for ePHI.
OCR
The HHS Office for Civil Rights, the federal agency that enforces HIPAA and conducts audits and investigations.
Breach
The acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI, subject to specific exceptions.
CISA KEV
The Known Exploited Vulnerabilities catalog published by the Cybersecurity and Infrastructure Security Agency, listing CVEs that are actively being exploited and that organizations should prioritize patching.
Endpoint
A workstation, laptop, server, or mobile device used to access or process ePHI; in HIPAA Security Suite, endpoints are scanned by the NSS Agent.

Frequently asked questions

What is HIPAA compliance?

HIPAA compliance means meeting the Privacy, Security, and Breach Notification Rule requirements of the Health Insurance Portability and Accountability Act, including conducting a current Security Risk Analysis, training workforce members, maintaining customized policies and procedures, signing BAAs with vendors that touch PHI, implementing technical safeguards, and documenting all of it.

Who must comply with HIPAA?

Covered entities — most healthcare providers, health plans, and clearinghouses — and their business associates (vendors that handle PHI on their behalf) must comply with HIPAA.

What is the difference between HIPAA, the Privacy Rule, the Security Rule, and the Breach Notification Rule?

HIPAA is the umbrella statute. The Privacy Rule governs how PHI may be used and disclosed. The Security Rule governs administrative, physical, and technical safeguards for electronic PHI. The Breach Notification Rule governs what must happen when unsecured PHI is exposed.

How often is a HIPAA Security Risk Analysis required?

The Security Rule expects ongoing risk analysis. Most organizations refresh the SRA at least annually and trigger off-cycle reviews after major changes.

What is a HIPAA business associate?

A business associate is a person or entity that performs functions or activities on behalf of a covered entity that involve the use or disclosure of PHI — for example, billing companies, IT providers, EHR vendors, and transcription services.

Does HIPAA require encryption?

The Security Rule treats encryption as an "addressable" implementation specification, which means it is not strictly required but must be implemented or, if not, the decision must be documented along with an equivalent alternative. In practice, encrypting ePHI at rest and in transit is the strongly recommended approach.

How long must HIPAA documentation be retained?

The Security Rule requires policies, procedures, and required documentation to be retained for at least six years from creation or the date last in effect, whichever is later.

Run your HIPAA program in one workspace

Every guide, checklist, and template on this site is something HIPAA Security Suite operationalizes — risk assessment, training, policies, vendors, network security, remediation, and audit-ready documentation in one platform.