What Is HIPAA?
The federal law every business touching patient data needs to understand.
HIPAA (the Health Insurance Portability and Accountability Act) is a U.S. federal law passed in 1996 that sets national standards for protecting individuals’ health information. Unlike SOC 2 or ISO 27001, it isn’t an attestation or a certificate an organisation chooses to pursue – it’s a binding legal requirement, enforced by the Department of Health and Human Services’ Office for Civil Rights (OCR).
There’s no audit firm hired to issue a HIPAA report and no accreditation body to display a badge from. An organisation is either meeting its obligations under the law or it isn’t, and that gets tested through OCR investigations, breach reports, and increasingly, the due-diligence questions customers ask before signing a contract.

THE THREE CORE HIPAA RULES
HIPAA is built from several rules rather than one, and almost all of the practical compliance work comes down to satisfying three of them.
HIPAA applies through two categories of organisation – covered entities and business associates – and which one an organisation falls into changes what it’s directly on the hook for. That distinction is worth its own explanation.
Related reading: Protected Health Information & Safeguards · Covered Entities vs Business Associates · Who Needs HIPAA Compliance?
How GCAI helps: GCAI runs a HIPAA gap assessment against the Privacy, Security, and Breach Notification Rules before any policy gets rewritten, so remediation starts from an accurate picture of where PHI actually moves through your systems.
Protected Health Information & The Security Rule Safeguards

The definition matters more than most guides let on, and the requirements break down into three categories.
Most explanations of HIPAA jump straight to “protect patient data” without defining what counts as PHI in the first place. Protected Health Information is any individually identifiable health information – not just diagnoses or treatment records, but any of a defined set of identifiers when it’s tied to health, payment, or care information. A patient’s name alone isn’t PHI; that same name attached to an appointment date or a billing code is.
PHI ISN’T JUST MEDICAL RECORDS
PHI covers a wider net than most people assume, and the identifier only counts once it’s linked to health information.
Once data qualifies as PHI, the Security Rule sets out what protecting it actually looks like in practice. It groups requirements into three categories rather than a single checklist, which is part of why so many organisations underestimate the physical and administrative pieces.
THE SECURITY RULE’S THREE SAFEGUARDS
Technical controls get most of the attention, but administrative and physical safeguards carry equal weight under the rule.
The Privacy Rule adds a second layer on top of those safeguards: a set of rights patients hold over their own information, regardless of how well it’s technically secured. Patients can request access to their records, ask for corrections, and request a list of who their information has been shared with – rights that exist independently of whether a breach ever occurs.
Related reading: What Is HIPAA? · Covered Entities vs Business Associates · The HIPAA Compliance Process
How GCAI helps: GCAI maps your actual data flows against the HIPAA identifiers before scoping safeguards, so you’re protecting PHI specifically – not every piece of data that merely looks sensitive.
Covered Entities vs Business Associates: What’s the Difference?
Same law, two very different relationships to the data.
HIPAA doesn’t apply to “the healthcare industry” as a blanket category. It applies specifically to covered entities and business associates, and the obligations that follow depend on which one an organisation is.
A covered entity is an organisation that directly provides or pays for healthcare – hospitals, clinics, health insurers, and healthcare clearinghouses. A business associate is any vendor or partner that creates, receives, maintains, or transmits PHI on a covered entity’s behalf, which is how most SaaS and tech companies first encounter HIPAA at all.
| | Covered Entity | Business Associate |
|---|---|---|
| Who it is | Hospitals, clinics, health insurers, clearinghouses | Vendors and partners handling PHI on their behalf |
| Relationship to PHI | Holds the direct patient relationship | Accesses PHI only to perform a contracted service |
| Governing contract | Requires a signed BAA before sharing PHI | Signs the BAA and inherits its obligations |
| Direct OCR liability | Always | Yes – HITECH extended liability directly to business associates |
| Typical examples | Hospital, clinic, health plan | Billing platform, cloud host, health app, MSP |

WHO SIGNS THE BAA?
Most healthtech and SaaS companies that get pulled into HIPAA discover they’re a business associate, not a covered entity – and that status is usually triggered by a single customer contract rather than the nature of the business itself.
Related reading: What Is HIPAA? · Who Needs HIPAA Compliance? · HIPAA FAQ
How GCAI helps: GCAI helps you determine which category your organisation actually falls into before a customer’s BAA lands on your desk, so you’re not agreeing to obligations you haven’t scoped.
Who Needs HIPAA Compliance?
Unlike SOC 2 or ISO 27001, this one isn’t optional once PHI enters the picture.
HIPAA applies to any organisation that creates, receives, stores, or transmits protected health information, whether directly or as a service provider. It shows up by default in a handful of sectors:
Healthcare providers and health plans. Hospitals, clinics, insurers, and clearinghouses are covered entities by definition – HIPAA isn’t a choice for them, it’s the baseline.
Healthtech and digital health SaaS. Any platform that stores patient records, appointment data, or clinical results on behalf of a provider becomes a business associate the moment that contract is signed.
Billing, payments, and health-adjacent fintech. Claims processing, medical billing software, and payment platforms that touch healthcare transactions routinely fall under HIPAA even when health isn’t their core product.
MSPs, cloud hosts, and IT vendors. Any vendor with access to a healthcare client’s systems – hosting, backups, helpdesk, analytics – inherits HIPAA obligations through the BAA, regardless of how incidental the access feels.

DO YOU NEED HIPAA?
If it’s not obvious yet whether HIPAA applies, a few questions usually settle it:
Early-stage healthtech companies often assume HIPAA can wait until they land a larger enterprise customer. In practice, the obligation starts the moment PHI touches a system, not when a logo asks for proof of it.
Related reading: What Is HIPAA? · Covered Entities vs Business Associates · The HIPAA Compliance Process
How GCAI helps: GCAI scopes HIPAA around the specific PHI flows in your product, rather than applying every safeguard to every system, so you’re not over-building controls for data you don’t actually touch.
HIPAA vs SOC 2: Which Do You Need?
A federal law and a voluntary attestation that solve different problems – and increasingly travel together.
HIPAA and SOC 2 get bundled together constantly because healthtech companies often need both, but they’re fundamentally different instruments solving different problems.
The two efforts overlap more than they compete. Access control, encryption, incident response, and vendor management show up in both, which means evidence gathered for one can usually support the other rather than duplicating the work.
It’s also worth distinguishing HIPAA from HITRUST CSF, its certifiable cousin. HITRUST maps directly onto HIPAA’s Security Rule but goes further by issuing an actual certificate through an accredited assessor – organisations that want a badge to point to, rather than a law, often pursue HITRUST alongside HIPAA itself.

| | HIPAA | SOC 2 |
|---|---|---|
| What it is | Federal law | Voluntary attestation framework |
| Mandatory? | Yes, the moment PHI is involved | No – market and customer driven |
| Who issues it | No certificate; OCR enforces the law | A licensed CPA firm issues a report |
| What you get | Compliance status, not a document | A Type I or Type II report |
| Proves to a buyer | Legal compliance with patient data law | Operational control maturity over time |
Related reading: What Is HIPAA? · Who Needs HIPAA Compliance? · HIPAA FAQ
How GCAI helps: GCAI supports both tracks – HIPAA gap remediation and SOC 2 readiness – mapped against a shared control library, so evidence collected for one isn’t recreated from scratch for the other.
The HIPAA Compliance Process
There’s no audit deadline forcing the pace – which is exactly why most programmes stall.
Unlike SOC 2 or ISO 27001, HIPAA compliance isn’t built around a single audit event. It’s an ongoing programme that typically moves through the same phases, though there’s no external clock forcing the sequence:
| Phase | What happens | Typical duration |
|---|---|---|
| Risk assessment | Identify where PHI lives, flows, and is exposed | 2-6 weeks |
| Gap remediation | Close identified gaps; write or update required policies | 1-3 months |
| Safeguard implementation | Put administrative, physical, and technical safeguards in place | 1-3 months |
| Workforce training | Train everyone with PHI access on policies and procedures | Ongoing, at least annually |
| BAA management | Execute and review Business Associate Agreements with vendors | Ongoing |
| Monitoring and review | Repeat risk assessments, access reviews, and incident log checks | Ongoing, annual minimum |

HIPAA BY THE NUMBERS
Without an external audit cycle forcing renewal, the biggest risk isn’t a missing safeguard – it’s treating HIPAA as a one-time project instead of a maintained programme.
OCR investigations almost always start with one document: the risk assessment. Organisations that can’t produce a current one are exposed regardless of how good their actual safeguards are, because there’s no record to demonstrate it.
Related reading: Covered Entities vs Business Associates · Who Needs HIPAA Compliance? · HIPAA FAQ
How GCAI helps: GCAI runs your risk assessment and keeps it current year over year, not just at kickoff, so there’s a defensible record the moment OCR or an enterprise customer asks for one.
HIPAA FAQ
The questions that come up most once the basics are out of the way.
Is HIPAA a certification? No. HIPAA is a federal law, not a certificate or an attestation. There’s no accreditation body and no official seal to display – phrases like “HIPAA certified” describe a self-assessed posture, not a credential anyone issued.
Who enforces HIPAA? The Department of Health and Human Services’ Office for Civil Rights (OCR) handles federal enforcement, and state attorneys general can pursue violations independently under HITECH.
What happens if there’s a violation? Penalties are tiered by the level of culpability, from unaware violations to wilful neglect that goes uncorrected, with fines scaling sharply at the higher tiers and the possibility of corrective action plans or criminal referral in serious cases.
Can we display a “HIPAA Certified” badge? Not officially – no such certification exists under the law itself. Vendors selling “HIPAA certification” badges are offering a marketing claim, not a recognised credential; HITRUST CSF is the closest thing to an actual certifiable equivalent.
How long does it take to become HIPAA compliant? A focused gap remediation typically takes two to four months for an organisation with reasonable security hygiene already in place; building a programme from nothing takes longer.
Does HIPAA require an annual external audit? No. There’s no mandated third-party audit, but periodic risk assessments are expected, and OCR can investigate at any time, often triggered by a breach report or a complaint.
Related reading: What Is HIPAA? · Protected Health Information & Safeguards · HIPAA vs SOC 2
How GCAI helps: GCAI’s HIPAA gap assessment can answer most of the questions above for your specific business in a single working session, including whether you’re a covered entity or a business associate in the first place.