Rule Changes

Recent changes to HIPAA security & privacy rule enforcement and the the addition of the breach notification rules (under HITECH) have lead to more than just health care companies being impacted. Any company providing services to “covered entities” (health care organizations) will be required to sign Business Associate Agreements. These agreements generally require the service provider (your company) to agree that you are compliant with the HIPAA Security Rule as well as other provisions. Are you comfortable signing Business Associate Agreements? Regardless, if you have customers that are health care providers, you may be liable and subject to unwanted federal audits and penalties up to $1.5 million.

Leverage Existing Controls

Compliance with the HIPAA Security Rule is straightforward if you have other controls in place, such as those required to have a favorable SOC 2 Type II report issued. HIPAA requires that you have implemented “administrative, technical, and physical” controls. Administrative controls are covered by your policies, procedures, and risk analysis process. Technical and physical controls are dictated by your policies.


If you have any customers or partners that are health care providers, or have been asked to sign business associate agreements, don’t hold that extra liability. HIPAA compliance can often be achieved fairly quickly with minimal effort.

Learn More about HIPAA / HITECH

Have Questions About HIPAA?

Let us help you find out what compliance framework is best for your business.

SOC 1 / SSAE 18

Learn how SOC 1 reports can help businesses with services that impact financial reporting meet the needs of customers and partners.


Learn how SOC 2 reports differ from SOC 1 and are best-suited for companies providing information services such as SaaS and cloud companies.


Learn how HIPAA no longer impacts just healthcare companies. If your company stores any health data (even on behalf of a customer), you're liable.