[{"data":1,"prerenderedAt":7415},["ShallowReactive",2],{"framework-topics-hipaa":3,"framework-hipaa":4140,"related-glossary-hipaa-phi-covered-entity-business-associate":4701,"explore-glossary-hipaa-\u002Fframeworks\u002Fhipaa\u002Fsanctions-policy":5391,"explore-topics-hipaa-\u002Fframeworks\u002Fhipaa\u002Fsanctions-policy":6178,"explore-hub-hipaa":6508,"explore-compare-vs-\u002Fframeworks\u002Fhipaa\u002Fsanctions-policy":6848,"explore-compare-\u002Fframeworks\u002Fhipaa\u002Fsanctions-policy":7014,"explore-blog-hipaa-\u002Fframeworks\u002Fhipaa\u002Fsanctions-policy":7135,"explore-industry-hipaa":7334},[4,309,556,1159,1461,1748,2113,2378,2611,2968,3272,3587,3857],{"id":5,"title":6,"body":7,"description":277,"extension":278,"faq":279,"frameworkSlug":293,"lastUpdated":294,"meta":295,"navigation":296,"path":297,"relatedTerms":298,"relatedTopics":299,"seo":304,"stem":307,"__hash__":308},"frameworkTopics\u002F5.frameworks\u002Fhipaa\u002Fbreach-notification.md","HIPAA Breach Notification Rule",{"type":8,"value":9,"toc":256},"minimark",[10,15,19,43,47,50,55,63,67,70,98,101,105,108,112,115,119,126,129,133,136,151,154,158,165,169,181,184,188,195,199,206,209,223,230,234,241,249,253],[11,12,14],"h2",{"id":13},"what-is-the-hipaa-breach-notification-rule","What is the HIPAA Breach Notification Rule?",[16,17,18],"p",{},"The HIPAA Breach Notification Rule (45 CFR Sections 164.400–414) requires covered entities and their business associates to provide notification following a breach of unsecured protected health information (PHI). 
Established by the HITECH Act in 2009 and finalized in the 2013 Omnibus Rule, the Breach Notification Rule creates a structured process for informing affected individuals, the Department of Health and Human Services (HHS), and in certain cases the media when PHI has been compromised.",[16,20,21,22,27,28,32,33,37,38,42],{},"This rule works in concert with the ",[23,24,26],"a",{"href":25},"\u002Fframeworks\u002Fhipaa\u002Fsecurity-rule","HIPAA Security Rule"," and ",[23,29,31],{"href":30},"\u002Fframeworks\u002Fhipaa\u002Fprivacy-rule","HIPAA Privacy Rule"," to form the complete HIPAA compliance framework. For a high-level overview, visit the ",[23,34,36],{"href":35},"\u002Fframeworks\u002Fhipaa","HIPAA compliance"," page or consult the ",[23,39,41],{"href":40},"\u002Fglossary\u002Fhipaa","HIPAA glossary entry",".",[11,44,46],{"id":45},"what-constitutes-a-breach","What constitutes a breach?",[16,48,49],{},"A breach is defined as the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI. This is a broad definition, and understanding its boundaries is critical for building an effective response program.",[51,52,54],"h3",{"id":53},"the-presumption-of-breach","The presumption of breach",[16,56,57,58,62],{},"Under the Omnibus Rule, any impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate can demonstrate a ",[59,60,61],"strong",{},"low probability"," that the PHI has been compromised. 
This is determined through a four-factor risk assessment.",[51,64,66],{"id":65},"the-four-factor-risk-assessment","The four-factor risk assessment",[16,68,69],{},"When an impermissible use or disclosure occurs, the organization must evaluate:",[71,72,73,80,86,92],"ol",{},[74,75,76,79],"li",{},[59,77,78],{},"The nature and extent of the PHI involved"," — disclosures involving names, Social Security numbers, and diagnosis codes carry higher risk than those with only zip codes.",[74,81,82,85],{},[59,83,84],{},"The unauthorized person who received the PHI"," — a misdirected fax to another provider presents different risks than a public database exposure.",[74,87,88,91],{},[59,89,90],{},"Whether the PHI was actually acquired or viewed"," — if forensic analysis confirms no access occurred, this weighs against a finding of compromise.",[74,93,94,97],{},[59,95,96],{},"The extent to which risk has been mitigated"," — if the recipient returned or destroyed the information, this reduces the probability of compromise.",[16,99,100],{},"If the risk assessment cannot demonstrate a low probability of compromise, the organization must treat the incident as a breach and proceed with notifications.",[51,102,104],{"id":103},"exceptions-to-the-breach-definition","Exceptions to the breach definition",[16,106,107],{},"Three narrow exceptions exist: unintentional access by a workforce member acting in good faith within the scope of authority, inadvertent disclosure between persons authorized to access PHI at the same entity, and disclosure to someone who could not reasonably retain the information. 
Even when an exception applies, organizations should document their analysis.",[11,109,111],{"id":110},"notification-requirements","Notification requirements",[16,113,114],{},"The Breach Notification Rule establishes distinct notification obligations depending on the size of the breach and the role of the organization.",[51,116,118],{"id":117},"individual-notification","Individual notification",[16,120,121,122,125],{},"Covered entities must notify each individual whose unsecured PHI has been breached. The notification must be provided without unreasonable delay and no later than ",[59,123,124],{},"60 calendar days"," from the date the breach was discovered.",[16,127,128],{},"The notification must describe the breach (including dates), the types of PHI involved, steps the individual should take for protection, what the entity is doing to investigate and prevent future breaches, and entity contact information. Notifications must be sent by first-class mail or email (if agreed). When contact information is unavailable for 10 or more individuals, substitute notice via the entity's website (90 days) or major media is required.",[51,130,132],{"id":131},"hhs-notification","HHS notification",[16,134,135],{},"The timeline and method for notifying HHS depend on the number of individuals affected:",[137,138,139,145],"ul",{},[74,140,141,144],{},[59,142,143],{},"Breaches affecting 500 or more individuals"," — the covered entity must notify HHS at the same time as individual notifications, no later than 60 days from discovery. These breaches are posted on the HHS \"Wall of Shame\" (the Breach Portal) and often attract media attention and regulatory scrutiny.",[74,146,147,150],{},[59,148,149],{},"Breaches affecting fewer than 500 individuals"," — the covered entity must notify HHS within 60 days of the end of the calendar year in which the breach was discovered. 
These notifications are submitted through the HHS breach reporting portal as an annual log.",[16,152,153],{},"All HHS notifications are made through the online portal maintained by the Office for Civil Rights.",[51,155,157],{"id":156},"media-notification","Media notification",[16,159,160,161,164],{},"When a breach affects ",[59,162,163],{},"500 or more residents of a single state or jurisdiction",", the covered entity must notify prominent media outlets serving that area. This notification must be provided without unreasonable delay and no later than 60 days from discovery. The media notice must contain the same elements required for individual notification.",[51,166,168],{"id":167},"business-associate-obligations","Business associate obligations",[16,170,171,172,175,176,180],{},"When a business associate discovers a breach of unsecured PHI, it must notify the covered entity without unreasonable delay and no later than ",[59,173,174],{},"60 days from discovery"," (or sooner if specified in the ",[23,177,179],{"href":178},"\u002Fframeworks\u002Fhipaa\u002Fbusiness-associate-agreements","Business Associate Agreement","). The notification must identify each individual whose PHI has been or is reasonably believed to have been affected, along with any other available information the covered entity needs to fulfill its own notification obligations.",[16,182,183],{},"The covered entity, not the business associate, is ultimately responsible for providing notifications to individuals, HHS, and the media. However, the BAA may allocate additional responsibilities.",[11,185,187],{"id":186},"when-is-a-breach-discovered","When is a breach \"discovered\"?",[16,189,190,191,194],{},"The 60-day clock starts on the date the breach is ",[59,192,193],{},"discovered",", not the date it occurred. A breach is considered discovered on the first day the entity knows of it or, by exercising reasonable diligence, would have known. 
Willful ignorance does not stop the clock, and delayed discovery from inadequate monitoring can itself become a compliance violation.",[11,196,198],{"id":197},"the-role-of-encryption","The role of encryption",[16,200,201,202,205],{},"The Breach Notification Rule applies only to ",[59,203,204],{},"unsecured PHI",". PHI that has been rendered unusable, unreadable, or indecipherable to unauthorized persons is considered secured and falls outside the notification requirements.",[16,207,208],{},"HHS has specified two methods for securing PHI:",[137,210,211,217],{},[74,212,213,216],{},[59,214,215],{},"Encryption"," — PHI encrypted in accordance with NIST standards (currently AES-128 or stronger for data at rest, and TLS 1.2+ for data in transit) is considered secured, provided the encryption key has not been compromised alongside the data.",[74,218,219,222],{},[59,220,221],{},"Destruction"," — paper PHI that has been shredded or destroyed such that it cannot be reconstructed, and electronic media that has been cleared, purged, or destroyed in accordance with NIST SP 800-88, is considered secured.",[16,224,225,226,229],{},"This creates a powerful incentive to encrypt ePHI at rest and in transit. If encrypted data is stolen but the key remains secure, no breach notification is required. This is why encryption, although technically an addressable specification under the ",[23,227,228],{"href":25},"Security Rule",", is implemented by virtually every organization that handles ePHI.",[11,231,233],{"id":232},"building-a-breach-response-process","Building a breach response process",[16,235,236,240],{},[23,237,239],{"href":238},"\u002Findustry\u002Fhealthcare","Healthcare organizations"," and their technology partners should build a documented breach response process before an incident occurs. 
Key components include incident detection and reporting channels, a defined team for conducting the four-factor risk assessment, pre-drafted notification templates and workflows, mitigation and containment steps, comprehensive documentation (retained for at least six years), and post-incident reviews to update policies and controls.",[16,242,243,244,248],{},"The ",[23,245,247],{"href":246},"\u002Fframeworks\u002Fhipaa\u002Fcompliance-checklist","HIPAA compliance checklist"," includes breach response requirements alongside the broader compliance program.",[11,250,252],{"id":251},"penalties-for-non-compliance","Penalties for non-compliance",[16,254,255],{},"Failure to comply with the Breach Notification Rule carries penalties ranging from $100 to $50,000 per violation with annual maximums of $1.5 million per category. Delayed or insufficient notifications are among the most common findings in HHS enforcement actions. State attorneys general may also bring actions under the HITECH Act. Breaches posted on the HHS Breach Portal are publicly accessible, creating significant reputational consequences.",{"title":257,"searchDepth":258,"depth":258,"links":259},"",2,[260,261,267,273,274,275,276],{"id":13,"depth":258,"text":14},{"id":45,"depth":258,"text":46,"children":262},[263,265,266],{"id":53,"depth":264,"text":54},3,{"id":65,"depth":264,"text":66},{"id":103,"depth":264,"text":104},{"id":110,"depth":258,"text":111,"children":268},[269,270,271,272],{"id":117,"depth":264,"text":118},{"id":131,"depth":264,"text":132},{"id":156,"depth":264,"text":157},{"id":167,"depth":264,"text":168},{"id":186,"depth":258,"text":187},{"id":197,"depth":258,"text":198},{"id":232,"depth":258,"text":233},{"id":251,"depth":258,"text":252},"The HIPAA Breach Notification Rule requires covered entities and business associates to notify individuals, HHS, and sometimes the media after a breach of unsecured PHI.","md",{"items":280},[281,284,287,290],{"label":282,"content":283},"How long do you have to 
report a HIPAA breach?","Covered entities must notify affected individuals no later than 60 calendar days from the date the breach was discovered. For breaches affecting 500 or more individuals, HHS must also be notified within the same 60-day window. Business associates must notify the covered entity within 60 days of discovery.",{"label":285,"content":286},"What triggers the HIPAA breach notification requirement?","Any impermissible acquisition, access, use, or disclosure of protected health information (PHI) is presumed to be a breach unless a four-factor risk assessment demonstrates a low probability that the PHI was compromised. The four factors evaluate the nature of the PHI, who received it, whether it was actually viewed, and the extent of mitigation.",{"label":288,"content":289},"Does encryption eliminate the need for breach notification?","Yes, if the PHI was encrypted according to NIST standards (AES-128 or stronger at rest, TLS 1.2+ in transit) and the encryption key was not compromised alongside the data, the information is considered secured and falls outside the breach notification requirements.",{"label":291,"content":292},"What are the penalties for failing to report a HIPAA breach?","Penalties range from $100 to $50,000 per violation, with annual maximums of $1.5 million per category. Breaches affecting 500+ individuals are posted publicly on the HHS Breach Portal. 
State attorneys general may also bring separate enforcement actions under the HITECH Act.","hipaa","2026-04-16",{},true,"\u002Fframeworks\u002Fhipaa\u002Fbreach-notification",[293],[300,301,302,303],"security-rule","privacy-rule","business-associate-agreements","compliance-checklist",{"title":305,"description":306},"HIPAA Breach Notification Rule: 60-Day Timeline, Requirements & Reporting Steps","HIPAA breach notification requirements — 60-day timeline, individual vs HHS vs media notification rules, risk assessment factors, and step-by-step reporting guide.","5.frameworks\u002Fhipaa\u002Fbreach-notification","8brHphtde3Ujctufl7f1XJYADy8eqT2qNH1Gyn-fOkQ",{"id":310,"title":311,"body":312,"description":545,"extension":278,"faq":546,"frameworkSlug":293,"lastUpdated":294,"meta":547,"navigation":296,"path":178,"relatedTerms":548,"relatedTopics":549,"seo":551,"stem":554,"__hash__":555},"frameworkTopics\u002F5.frameworks\u002Fhipaa\u002Fbusiness-associate-agreements.md","Business Associate Agreements (BAA)",{"type":8,"value":313,"toc":528},[314,318,321,324,332,336,345,348,352,355,359,366,370,373,377,380,383,443,447,454,458,461,465,468,472,475,479,484,488,491,523],[11,315,317],{"id":316},"what-is-a-business-associate-agreement","What is a Business Associate Agreement?",[16,319,320],{},"A Business Associate Agreement (BAA) is a legally binding contract required under HIPAA between a covered entity and a business associate, or between a business associate and a subcontractor. The agreement establishes the permitted and required uses and disclosures of protected health information (PHI) by the business associate, mandates appropriate safeguards, and defines each party's responsibilities for compliance.",[16,322,323],{},"No covered entity may share PHI with a vendor, contractor, or service provider until a BAA is executed. 
This requirement is absolute — even if a business associate has robust security practices and excellent intentions, the absence of a signed BAA is itself a HIPAA violation.",[16,325,326,327,329,330,42],{},"BAAs are a central element of ",[23,328,36],{"href":35},". For broader context on how they fit into the compliance framework, see the main HIPAA page and the ",[23,331,41],{"href":40},[11,333,335],{"id":334},"who-is-a-business-associate","Who is a business associate?",[16,337,338,339,341,342,42],{},"A business associate is any person or organization that performs functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of PHI. The HITECH Act expanded this definition significantly, making business associates directly subject to HIPAA's ",[23,340,228],{"href":25}," and certain provisions of the ",[23,343,344],{"href":30},"Privacy Rule",[16,346,347],{},"Common examples include cloud service providers, IT managed service providers, billing companies, EHR vendors, data analytics firms, consultants, shredding companies, email platforms used to transmit PHI, law firms, and accountants. A critical point: simply stating that a vendor \"will not access PHI\" does not eliminate the BAA requirement if the vendor's services involve PHI in any form. A cloud provider hosting encrypted ePHI is a business associate even if it never decrypts the data.",[51,349,351],{"id":350},"subcontractors","Subcontractors",[16,353,354],{},"Under the Omnibus Rule, subcontractors of business associates are themselves considered business associates. This means a business associate must execute BAAs with its own downstream vendors that handle PHI. 
The chain of contractual protection must extend to every entity that touches PHI.",[11,356,358],{"id":357},"when-is-a-baa-required","When is a BAA required?",[16,360,361,362,365],{},"A BAA is required whenever a covered entity engages a business associate to perform a function or service involving PHI, or whenever a business associate engages a subcontractor for the same purpose. The timing is important: the BAA must be in place ",[59,363,364],{},"before"," any PHI is shared.",[51,367,369],{"id":368},"when-a-baa-is-not-required","When a BAA is NOT required",[16,371,372],{},"A BAA is not needed when the vendor is a mere conduit (like the postal service), the relationship is between a covered entity and a patient, the vendor's services do not involve PHI, or covered entities share PHI for treatment purposes. The determination should always be documented — when in doubt, executing a BAA is the safer approach.",[11,374,376],{"id":375},"required-provisions-of-a-baa","Required provisions of a BAA",[16,378,379],{},"The Privacy Rule (45 CFR 164.504(e)) and Security Rule specify the provisions a BAA must contain. While organizations may negotiate additional terms, the following elements are mandatory:",[16,381,382],{},"The mandatory provisions are:",[137,384,385,394,403,413,419,425,431,437],{},[74,386,387,390,391,393],{},[59,388,389],{},"Permitted uses and disclosures"," — describe how the business associate may use PHI, consistent with the ",[23,392,344],{"href":30},". The BAA may not authorize uses that would violate the Privacy Rule if done by the covered entity itself.",[74,395,396,399,400,402],{},[59,397,398],{},"Appropriate safeguards"," — require the business associate to implement ",[23,401,228],{"href":25}," safeguards (administrative, physical, and technical) to prevent unauthorized use or disclosure.",[74,404,405,408,409,412],{},[59,406,407],{},"Breach reporting"," — require reporting of any impermissible use or disclosure, including breaches of unsecured PHI. 
The ",[23,410,411],{"href":297},"Breach Notification Rule"," sets a 60-day deadline, but many BAAs negotiate shorter timelines.",[74,414,415,418],{},[59,416,417],{},"Subcontractor compliance"," — require downstream vendors handling PHI to agree to the same restrictions and execute their own BAAs.",[74,420,421,424],{},[59,422,423],{},"Individual rights support"," — make PHI available for individual access requests, amendment requests, and accounting of disclosures.",[74,426,427,430],{},[59,428,429],{},"HHS access"," — make internal practices, books, and records available to HHS for compliance determinations.",[74,432,433,436],{},[59,434,435],{},"Return or destroy PHI"," — at termination, return or destroy all PHI. If infeasible, extend protections and limit further use.",[74,438,439,442],{},[59,440,441],{},"Termination authority"," — authorize the covered entity to terminate the agreement for material violations.",[11,444,446],{"id":445},"liability-under-a-baa","Liability under a BAA",[16,448,449,450,453],{},"The HITECH Act fundamentally changed the liability landscape for business associates. Before HITECH, business associates were liable only to the covered entity through the contractual terms of the BAA. After HITECH, business associates are ",[59,451,452],{},"directly liable"," to HHS for compliance with the Security Rule, the breach notification requirements, and certain Privacy Rule provisions.",[51,455,457],{"id":456},"covered-entity-liability","Covered entity liability",[16,459,460],{},"A covered entity is not liable for a business associate's HIPAA violations if the entity did not know (and by exercising reasonable diligence would not have known) of the violation pattern. 
However, if the covered entity knows of a violation and fails to take reasonable steps to cure the breach or terminate the agreement, the entity becomes liable.",[51,462,464],{"id":463},"business-associate-liability","Business associate liability",[16,466,467],{},"Business associates face the same tiered penalty structure as covered entities — from $100 to $50,000 per violation with annual maximums of $1.5 million per category. Criminal penalties of up to $250,000 and imprisonment also apply.",[51,469,471],{"id":470},"contractual-indemnification","Contractual indemnification",[16,473,474],{},"Beyond HIPAA's statutory penalties, BAAs frequently include indemnification clauses, limitation of liability provisions, and insurance requirements that allocate financial risk between the parties. These terms are negotiated commercially and are not required by HIPAA, but they are practically important for managing exposure.",[11,476,478],{"id":477},"managing-baas-at-scale","Managing BAAs at scale",[16,480,481,483],{},[23,482,239],{"href":238}," often maintain dozens or hundreds of BAAs. Effective management requires a centralized inventory tracking all agreements and their renewal dates, standardized templates with all required provisions, automated renewal tracking, periodic vendor risk assessments, ongoing compliance monitoring through certifications and audit reports, and thorough documentation of every decision and agreement.",[11,485,487],{"id":486},"common-baa-mistakes","Common BAA mistakes",[16,489,490],{},"Organizations frequently encounter these pitfalls with BAAs:",[137,492,493,499,505,511,517],{},[74,494,495,498],{},[59,496,497],{},"Missing BAAs entirely"," — the most basic and most common violation. 
Every vendor relationship should be evaluated for BAA necessity during procurement.",[74,500,501,504],{},[59,502,503],{},"Using outdated templates"," — BAAs drafted before the 2013 Omnibus Rule may lack required provisions for breach notification, subcontractor compliance, and Security Rule obligations.",[74,506,507,510],{},[59,508,509],{},"Failing to cascade to subcontractors"," — a business associate that does not execute BAAs with its own vendors breaks the chain of protection.",[74,512,513,516],{},[59,514,515],{},"Ignoring termination provisions"," — when a vendor relationship ends, the BAA's return-or-destroy provisions must be enforced. Orphaned PHI at former vendors is a significant risk.",[74,518,519,522],{},[59,520,521],{},"Not monitoring compliance"," — executing a BAA is not a one-time event. Ongoing oversight of business associate security practices is expected.",[16,524,243,525,527],{},[23,526,247],{"href":246}," includes BAA management requirements as a core component of the overall compliance program.",{"title":257,"searchDepth":258,"depth":258,"links":529},[530,531,534,537,538,543,544],{"id":316,"depth":258,"text":317},{"id":334,"depth":258,"text":335,"children":532},[533],{"id":350,"depth":264,"text":351},{"id":357,"depth":258,"text":358,"children":535},[536],{"id":368,"depth":264,"text":369},{"id":375,"depth":258,"text":376},{"id":445,"depth":258,"text":446,"children":539},[540,541,542],{"id":456,"depth":264,"text":457},{"id":463,"depth":264,"text":464},{"id":470,"depth":264,"text":471},{"id":477,"depth":258,"text":478},{"id":486,"depth":258,"text":487},"A Business Associate Agreement is a legally required contract ensuring that vendors and subcontractors handling PHI comply with HIPAA requirements.",null,{},[293],[300,301,550,303],"breach-notification",{"title":552,"description":553},"HIPAA Business Associate Agreements (BAA) - Requirements & Key Provisions","Learn what a BAA is, when one is required, the provisions it must include, and how 
liability flows between covered entities and business associates.","5.frameworks\u002Fhipaa\u002Fbusiness-associate-agreements","1WFenZxptMnDm8MgpXeSdLl1IXz9YOpO66HInGj2Tek",{"id":557,"title":558,"body":559,"description":1150,"extension":278,"faq":546,"frameworkSlug":293,"lastUpdated":294,"meta":1151,"navigation":296,"path":246,"relatedTerms":1152,"relatedTopics":1153,"seo":1154,"stem":1157,"__hash__":1158},"frameworkTopics\u002F5.frameworks\u002Fhipaa\u002Fcompliance-checklist.md","HIPAA Compliance Checklist",{"type":8,"value":560,"toc":1124},[561,565,568,589,593,598,602,633,637,664,668,689,693,698,702,717,721,766,770,827,831,837,841,868,872,923,927,966,970,973,977,1016,1020,1025,1029,1080,1084,1087,1114,1118],[11,562,564],{"id":563},"hipaa-compliance-checklist-overview","HIPAA compliance checklist overview",[16,566,567],{},"Building and maintaining a HIPAA compliance program requires coordinating across privacy, security, vendor management, workforce training, and incident response. This checklist provides a structured walkthrough of the major requirements that covered entities and business associates must address.",[16,569,570,571,573,574,573,576,578,579,582,583,585,586,588],{},"This checklist is not a substitute for legal counsel or a formal risk assessment, but it serves as a practical framework for identifying gaps and tracking progress. For detailed guidance on individual topics, refer to the dedicated pages for the ",[23,572,228],{"href":25},", ",[23,575,344],{"href":30},[23,577,411],{"href":297},", and ",[23,580,581],{"href":178},"Business Associate Agreements",". The main ",[23,584,36],{"href":35}," page provides a high-level overview, and the ",[23,587,41],{"href":40}," covers foundational terms.",[11,590,592],{"id":591},"privacy-rule-checklist","Privacy Rule checklist",[16,594,243,595,597],{},[23,596,344],{"href":30}," governs the use and disclosure of PHI in all forms. 
Every covered entity and business associate must address the following:",[51,599,601],{"id":600},"privacy-official-and-npp","Privacy official and NPP",[137,603,606,615,621,627],{"className":604},[605],"contains-task-list",[74,607,610,614],{"className":608},[609],"task-list-item",[611,612],"input",{"disabled":296,"type":613},"checkbox"," Appoint a privacy officer with authority to develop and enforce privacy policies",[74,616,618,620],{"className":617},[609],[611,619],{"disabled":296,"type":613}," Draft and distribute the Notice of Privacy Practices with all required content",[74,622,624,626],{"className":623},[609],[611,625],{"disabled":296,"type":613}," Post the NPP at physical locations and on the organization's website",[74,628,630,632],{"className":629},[609],[611,631],{"disabled":296,"type":613}," Revise and redistribute the NPP when material changes occur",[51,634,636],{"id":635},"minimum-necessary-and-individual-rights","Minimum necessary and individual rights",[137,638,640,646,652,658],{"className":639},[605],[74,641,643,645],{"className":642},[609],[611,644],{"disabled":296,"type":613}," Define role-based access ensuring workforce members access only the PHI needed for their role",[74,647,649,651],{"className":648},[609],[611,650],{"disabled":296,"type":613}," Establish standard protocols for routine disclosures and a review process for non-routine requests",[74,653,655,657],{"className":654},[609],[611,656],{"disabled":296,"type":613}," Create documented processes for access requests (30 days), amendment requests (60 days), and accounting of disclosures",[74,659,661,663],{"className":660},[609],[611,662],{"disabled":296,"type":613}," Establish procedures for restriction and confidential communication requests",[51,665,667],{"id":666},"authorizations-and-permitted-disclosures","Authorizations and permitted disclosures",[137,669,671,677,683],{"className":670},[605],[74,672,674,676],{"className":673},[609],[611,675],{"disabled":296,"type":613}," Develop 
authorization forms with all required elements and track expiration dates",[74,678,680,682],{"className":679},[609],[611,681],{"disabled":296,"type":613}," Document policies for each category of permitted use and disclosure",[74,684,686,688],{"className":685},[609],[611,687],{"disabled":296,"type":613}," Establish verification procedures for third-party disclosure requests",[11,690,692],{"id":691},"security-rule-checklist","Security Rule checklist",[16,694,243,695,697],{},[23,696,228],{"href":25}," requires administrative, physical, and technical safeguards for ePHI. These requirements apply to all covered entities and business associates.",[51,699,701],{"id":700},"designate-a-security-official","Designate a security official",[137,703,705,711],{"className":704},[605],[74,706,708,710],{"className":707},[609],[611,709],{"disabled":296,"type":613}," Appoint a security officer responsible for developing and implementing security policies (may be the same person as the privacy officer in smaller organizations)",[74,712,714,716],{"className":713},[609],[611,715],{"disabled":296,"type":613}," Document the appointment and ensure adequate authority and resources",[51,718,720],{"id":719},"conduct-and-maintain-a-risk-analysis","Conduct and maintain a risk analysis",[137,722,724,730,736,742,748,754,760],{"className":723},[605],[74,725,727,729],{"className":726},[609],[611,728],{"disabled":296,"type":613}," Identify all systems that create, receive, maintain, or transmit ePHI",[74,731,733,735],{"className":732},[609],[611,734],{"disabled":296,"type":613}," Identify and document reasonably anticipated threats and vulnerabilities for each system",[74,737,739,741],{"className":738},[609],[611,740],{"disabled":296,"type":613}," Assess current security measures in place",[74,743,745,747],{"className":744},[609],[611,746],{"disabled":296,"type":613}," Determine the likelihood and impact of each identified 
threat",[74,749,751,753],{"className":750},[609],[611,752],{"disabled":296,"type":613}," Assign risk levels and document a prioritized remediation plan",[74,755,757,759],{"className":756},[609],[611,758],{"disabled":296,"type":613}," Schedule regular risk analysis updates (at least annually and after significant changes)",[74,761,763,765],{"className":762},[609],[611,764],{"disabled":296,"type":613}," Maintain all risk analysis documentation for at least six years",[51,767,769],{"id":768},"implement-safeguards","Implement safeguards",[137,771,773,779,785,791,797,803,809,815,821],{"className":772},[605],[74,774,776,778],{"className":775},[609],[611,777],{"disabled":296,"type":613}," Develop a risk management plan and sanction policies",[74,780,782,784],{"className":781},[609],[611,783],{"disabled":296,"type":613}," Implement regular log reviews and workforce security procedures (authorization, supervision, termination)",[74,786,788,790],{"className":787},[609],[611,789],{"disabled":296,"type":613}," Establish security awareness training covering passwords, malware, and incident reporting",[74,792,794,796],{"className":793},[609],[611,795],{"disabled":296,"type":613}," Develop and test contingency plans: data backup, disaster recovery, and emergency operations",[74,798,800,802],{"className":799},[609],[611,801],{"disabled":296,"type":613}," Establish facility access controls, workstation use and security policies, and device\u002Fmedia controls",[74,804,806,808],{"className":805},[609],[611,807],{"disabled":296,"type":613}," Deploy technical access controls: unique user IDs, automatic logoff, encryption, and MFA",[74,810,812,814],{"className":811},[609],[611,813],{"disabled":296,"type":613}," Implement audit controls and ePHI integrity mechanisms",[74,816,818,820],{"className":817},[609],[611,819],{"disabled":296,"type":613}," Secure transmissions with encryption (TLS 1.2+)",[74,822,824,826],{"className":823},[609],[611,825],{"disabled":296,"type":613}," Document all 
addressable specification assessments, decisions, and rationale",[11,828,830],{"id":829},"business-associate-agreement-checklist","Business Associate Agreement checklist",[16,832,833,836],{},[23,834,835],{"href":178},"BAAs"," must be in place before any PHI is shared with vendors and subcontractors. Managing BAAs is an ongoing operational responsibility.",[51,838,840],{"id":839},"identify-business-associates","Identify business associates",[137,842,844,850,856,862],{"className":843},[605],[74,845,847,849],{"className":846},[609],[611,848],{"disabled":296,"type":613}," Inventory all vendors, contractors, and service providers that access, store, process, or transmit PHI",[74,851,853,855],{"className":852},[609],[611,854],{"disabled":296,"type":613}," Evaluate each relationship to determine whether a BAA is required",[74,857,859,861],{"className":858},[609],[611,860],{"disabled":296,"type":613}," Document the determination for each vendor, including rationale for cases where a BAA is deemed unnecessary",[74,863,865,867],{"className":864},[609],[611,866],{"disabled":296,"type":613}," Include BAA evaluation in the procurement and vendor onboarding process",[51,869,871],{"id":870},"execute-compliant-baas","Execute compliant BAAs",[137,873,875,881,887,893,899,905,911,917],{"className":874},[605],[74,876,878,880],{"className":877},[609],[611,879],{"disabled":296,"type":613}," Use a standardized BAA template that includes all required provisions under 45 CFR 164.504(e)",[74,882,884,886],{"className":883},[609],[611,885],{"disabled":296,"type":613}," Ensure each BAA establishes permitted uses and disclosures consistent with the Privacy Rule",[74,888,890,892],{"className":889},[609],[611,891],{"disabled":296,"type":613}," Include requirements for appropriate safeguards and Security Rule compliance",[74,894,896,898],{"className":895},[609],[611,897],{"disabled":296,"type":613}," Include breach notification obligations with defined timelines (60 days or 
less)",[74,900,902,904],{"className":901},[609],[611,903],{"disabled":296,"type":613}," Require subcontractor BAAs for downstream vendors handling PHI",[74,906,908,910],{"className":907},[609],[611,909],{"disabled":296,"type":613}," Include provisions for PHI access, amendment, and accounting of disclosures",[74,912,914,916],{"className":913},[609],[611,915],{"disabled":296,"type":613}," Include return-or-destroy provisions for PHI at agreement termination",[74,918,920,922],{"className":919},[609],[611,921],{"disabled":296,"type":613}," Include termination rights for material BAA violations",[51,924,926],{"id":925},"manage-baas-ongoing","Manage BAAs ongoing",[137,928,930,936,942,948,954,960],{"className":929},[605],[74,931,933,935],{"className":932},[609],[611,934],{"disabled":296,"type":613}," Maintain a centralized BAA inventory with effective dates, renewal dates, and scope of PHI",[74,937,939,941],{"className":938},[609],[611,940],{"disabled":296,"type":613}," Implement renewal tracking with automated reminders",[74,943,945,947],{"className":944},[609],[611,946],{"disabled":296,"type":613}," Review and update BAAs when regulations change, services change, or agreements expire",[74,949,951,953],{"className":950},[609],[611,952],{"disabled":296,"type":613}," Conduct periodic vendor risk assessments evaluating business associate security posture",[74,955,957,959],{"className":956},[609],[611,958],{"disabled":296,"type":613}," Enforce return-or-destroy provisions when vendor relationships end",[74,961,963,965],{"className":962},[609],[611,964],{"disabled":296,"type":613}," Monitor business associate compliance through certifications, audit reports, and incident reporting",[11,967,969],{"id":968},"workforce-training-checklist","Workforce training checklist",[16,971,972],{},"Training is required under both the Privacy Rule and Security Rule. 
Effective training reduces the likelihood of workforce-caused incidents and demonstrates organizational commitment to compliance.",[51,974,976],{"id":975},"develop-and-deliver-training","Develop and deliver training",[137,978,980,986,992,998,1004,1010],{"className":979},[605],[74,981,983,985],{"className":982},[609],[611,984],{"disabled":296,"type":613}," Create content covering Privacy Rule, Security Rule, breach reporting, and BAA awareness",[74,987,989,991],{"className":988},[609],[611,990],{"disabled":296,"type":613}," Tailor training to job roles (clinical, IT, billing, administrative)",[74,993,995,997],{"className":994},[609],[611,996],{"disabled":296,"type":613}," Train all new workforce members within a defined period after hiring",[74,999,1001,1003],{"className":1000},[609],[611,1002],{"disabled":296,"type":613}," Deliver refresher training at least annually and when policies change",[74,1005,1007,1009],{"className":1006},[609],[611,1008],{"disabled":296,"type":613}," Document all training: dates, attendees, content, and acknowledgments",[74,1011,1013,1015],{"className":1012},[609],[611,1014],{"disabled":296,"type":613}," Maintain training records for at least six years",[11,1017,1019],{"id":1018},"breach-response-checklist","Breach response checklist",[16,1021,243,1022,1024],{},[23,1023,411],{"href":297}," requires timely, documented responses to breaches of unsecured PHI.",[51,1026,1028],{"id":1027},"build-and-maintain-the-response-framework","Build and maintain the response framework",[137,1030,1032,1038,1044,1050,1056,1062,1068,1074],{"className":1031},[605],[74,1033,1035,1037],{"className":1034},[609],[611,1036],{"disabled":296,"type":613}," Develop a written incident response plan covering detection, investigation, assessment, notification, and remediation",[74,1039,1041,1043],{"className":1040},[609],[611,1042],{"disabled":296,"type":613}," Assign an incident response team with defined roles and escalation 
paths",[74,1045,1047,1049],{"className":1046},[609],[611,1048],{"disabled":296,"type":613}," Create pre-drafted notification templates for individuals, HHS, and media",[74,1051,1053,1055],{"className":1052},[609],[611,1054],{"disabled":296,"type":613}," Document the four-factor risk assessment process for evaluating potential breaches",[74,1057,1059,1061],{"className":1058},[609],[611,1060],{"disabled":296,"type":613}," Establish procedures for individual, HHS, and media notification",[74,1063,1065,1067],{"className":1064},[609],[611,1066],{"disabled":296,"type":613}," Conduct tabletop exercises at least annually",[74,1069,1071,1073],{"className":1070},[609],[611,1072],{"disabled":296,"type":613}," Maintain incident documentation for at least six years",[74,1075,1077,1079],{"className":1076},[609],[611,1078],{"disabled":296,"type":613}," Maintain a log of smaller breaches (under 500 individuals) for annual HHS submission",[11,1081,1083],{"id":1082},"documentation-and-record-retention","Documentation and record retention",[16,1085,1086],{},"HIPAA requires policies, procedures, and certain records be maintained for at least six years.",[137,1088,1090,1096,1102,1108],{"className":1089},[605],[74,1091,1093,1095],{"className":1092},[609],[611,1094],{"disabled":296,"type":613}," Maintain all HIPAA policies and procedures in a central, accessible location",[74,1097,1099,1101],{"className":1098},[609],[611,1100],{"disabled":296,"type":613}," Retain risk analysis, training, BAA, and incident documentation",[74,1103,1105,1107],{"className":1104},[609],[611,1106],{"disabled":296,"type":613}," Establish a document retention schedule with assigned responsibility",[74,1109,1111,1113],{"className":1110},[609],[611,1112],{"disabled":296,"type":613}," Implement version control for policies so prior versions remain accessible",[11,1115,1117],{"id":1116},"putting-the-checklist-to-work","Putting the checklist to work",[16,1119,1120,1121,1123],{},"This checklist is most effective as a 
living document. ",[23,1122,239],{"href":238}," should conduct an initial gap assessment, prioritize remediation based on risk, assign ownership for each item, set deadlines, and review at minimum annually. Compliance is an ongoing process — regular review combined with thorough risk analysis forms the foundation of a sustainable HIPAA program.",{"title":257,"searchDepth":258,"depth":258,"links":1125},[1126,1127,1132,1137,1142,1145,1148,1149],{"id":563,"depth":258,"text":564},{"id":591,"depth":258,"text":592,"children":1128},[1129,1130,1131],{"id":600,"depth":264,"text":601},{"id":635,"depth":264,"text":636},{"id":666,"depth":264,"text":667},{"id":691,"depth":258,"text":692,"children":1133},[1134,1135,1136],{"id":700,"depth":264,"text":701},{"id":719,"depth":264,"text":720},{"id":768,"depth":264,"text":769},{"id":829,"depth":258,"text":830,"children":1138},[1139,1140,1141],{"id":839,"depth":264,"text":840},{"id":870,"depth":264,"text":871},{"id":925,"depth":264,"text":926},{"id":968,"depth":258,"text":969,"children":1143},[1144],{"id":975,"depth":264,"text":976},{"id":1018,"depth":258,"text":1019,"children":1146},[1147],{"id":1027,"depth":264,"text":1028},{"id":1082,"depth":258,"text":1083},{"id":1116,"depth":258,"text":1117},"A comprehensive HIPAA compliance checklist covering the Privacy Rule, Security Rule, Business Associate Agreements, workforce training, and breach response procedures.",{},[293],[300,301,550,302],{"title":1155,"description":1156},"HIPAA Compliance Checklist - Complete Privacy, Security & Breach Guide","Use this HIPAA compliance checklist to cover Privacy Rule, Security Rule, BAAs, training, and breach procedures. 
Actionable steps for covered entities.","5.frameworks\u002Fhipaa\u002Fcompliance-checklist","TgjvUi6RZsVUtlwvZmd13fSd6pLgzAnqh-iCyksuoQw",{"id":1160,"title":1161,"body":1162,"description":1432,"extension":278,"faq":1433,"frameworkSlug":293,"lastUpdated":294,"meta":1447,"navigation":296,"path":1448,"relatedTerms":1449,"relatedTopics":1453,"seo":1456,"stem":1459,"__hash__":1460},"frameworkTopics\u002F5.frameworks\u002Fhipaa\u002Fcontingency-planning.md","HIPAA Contingency Planning",{"type":8,"value":1163,"toc":1417},[1164,1168,1171,1174,1189,1193,1196,1200,1203,1206,1217,1221,1224,1228,1231,1234,1238,1241,1245,1248,1252,1255,1293,1296,1300,1303,1329,1332,1336,1352,1355,1359,1403,1407,1410],[11,1165,1167],{"id":1166},"why-hipaa-contingency-planning-matters","Why HIPAA contingency planning matters",[16,1169,1170],{},"HIPAA §164.308(a)(7) — the Contingency Plan standard — requires covered entities and business associates to \"establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.\" Availability is one of the three security objectives of the Security Rule, alongside confidentiality and integrity, and contingency planning is the primary control for meeting it.",[16,1172,1173],{},"Cloud outages, ransomware, data center fires, hurricanes, and insider errors are all forecasted risks. A tested contingency plan is what turns each of these from a crisis into an incident — and a missing plan is one of the fastest ways to escalate an operational disruption into a HIPAA breach. 
The 2016 OCR ransomware guidance made this explicit: if a ransomware attack renders ePHI unavailable, that unavailability itself can constitute a breach absent a demonstration that the data was not compromised.",[16,1175,1176,1177,1179,1180,1183,1184,1188],{},"For the broader administrative safeguards context, see the ",[23,1178,26],{"href":25}," guide and the ",[23,1181,1182],{"href":35},"HIPAA hub page",". Contingency planning is tightly coupled with the ",[23,1185,1187],{"href":1186},"\u002Fframeworks\u002Fhipaa\u002Frisk-analysis","HIPAA risk analysis"," that prioritizes which systems get the most investment.",[11,1190,1192],{"id":1191},"the-five-implementation-specifications","The five implementation specifications",[16,1194,1195],{},"§164.308(a)(7)(ii) lists five implementation specifications. Three are required and two are addressable.",[51,1197,1199],{"id":1198},"data-backup-plan-required-164308a7iia","Data backup plan — required — §164.308(a)(7)(ii)(A)",[16,1201,1202],{},"The data backup plan establishes procedures to create and maintain retrievable exact copies of ePHI. At minimum it should define which systems are in scope, the frequency of backups, the retention period, the storage location, and the controls that protect backup data (encryption, access controls, immutability against ransomware).",[16,1204,1205],{},"A defensible backup plan answers three practical questions.",[137,1207,1208,1211,1214],{},[74,1209,1210],{},"Can we restore a single record, an entire table, and an entire system? Test each level.",[74,1212,1213],{},"Are backups isolated from the systems they protect? Ransomware routinely deletes online backups.",[74,1215,1216],{},"Does the backup itself meet the Security Rule? 
Encrypted backups stored with the same vendor as production often fail this test.",[51,1218,1220],{"id":1219},"disaster-recovery-plan-required-164308a7iib","Disaster recovery plan — required — §164.308(a)(7)(ii)(B)",[16,1222,1223],{},"The disaster recovery plan establishes procedures to restore any loss of data. It is the operational companion to the backup plan: backups give you something to restore from, while the DR plan tells you who does what, in what order, on what timeline. Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets anchor the plan, and both should be derived from the criticality analysis described below.",[51,1225,1227],{"id":1226},"emergency-mode-operation-plan-required-164308a7iic","Emergency mode operation plan — required — §164.308(a)(7)(ii)(C)",[16,1229,1230],{},"The emergency mode operation plan defines how critical business processes continue during an emergency that impairs the organization's normal operations — while continuing to protect ePHI. It answers: who has authority to declare emergency mode, which systems and staff are essential, what fallback procedures apply (paper records, manual processes, alternate facilities), and how the organization returns to normal operation.",[16,1232,1233],{},"This is the specification most programs underinvest in. Backup and DR are familiar engineering problems; emergency mode operation is an organizational problem that requires coordination across clinical, operational, security, and legal teams.",[51,1235,1237],{"id":1236},"testing-and-revision-procedures-addressable-164308a7iid","Testing and revision procedures — addressable — §164.308(a)(7)(ii)(D)",[16,1239,1240],{},"Testing validates that the other three specifications actually work. Tabletop exercises, restore drills, and full failover tests each surface different failure modes. 
The implementation specification is addressable, but in practice untested plans fail when they are needed most — and OCR audit protocol treats testing as the primary evidence that contingency planning is operational rather than paper.",[51,1242,1244],{"id":1243},"applications-and-data-criticality-analysis-addressable-164308a7iie","Applications and data criticality analysis — addressable — §164.308(a)(7)(ii)(E)",[16,1246,1247],{},"Criticality analysis ranks applications and data by how important they are to the organization's operations. This is what tells you which systems need a 15-minute RTO and which can tolerate 72 hours. Without it, every system is treated as equally critical (which is unaffordable) or equally non-critical (which is catastrophic when the wrong system fails).",[11,1249,1251],{"id":1250},"building-the-plan","Building the plan",[16,1253,1254],{},"A workable HIPAA contingency plan has six components, regardless of organization size.",[71,1256,1257,1263,1269,1275,1281,1287],{},[74,1258,1259,1262],{},[59,1260,1261],{},"Scope statement."," Which systems, data, facilities, and vendors are covered. Reference the same asset inventory that feeds your risk analysis.",[74,1264,1265,1268],{},[59,1266,1267],{},"Criticality analysis."," RTO and RPO for each in-scope system, with written justification. 
Customer contractual commitments are part of this analysis.",[74,1270,1271,1274],{},[59,1272,1273],{},"Backup procedures."," Frequency, retention, encryption, storage, restore testing cadence, and responsible owners.",[74,1276,1277,1280],{},[59,1278,1279],{},"Disaster recovery runbooks."," Step-by-step procedures for failing over each critical system, including dependencies, communication templates, and roll-back criteria.",[74,1282,1283,1286],{},[59,1284,1285],{},"Emergency mode operations."," Authority, triggers, fallback processes, coordination with clinical or operational leadership, and return-to-normal criteria.",[74,1288,1289,1292],{},[59,1290,1291],{},"Testing and revision calendar."," A 12-month schedule that rotates through tabletop exercises, restore tests, and full failover drills.",[16,1294,1295],{},"Each component should have a named owner, a review cadence, and a last-reviewed date. Contingency plans decay fastest among Security Rule artifacts — systems change constantly, and a plan that described last quarter's architecture is no plan at all.",[11,1297,1299],{"id":1298},"testing-the-only-evidence-that-counts","Testing: the only evidence that counts",[16,1301,1302],{},"There is no substitute for live testing. A reasonable 12-month rotation looks like this.",[137,1304,1305,1311,1317,1323],{},[74,1306,1307,1310],{},[59,1308,1309],{},"Q1 — Tabletop exercise."," Walk through a scenario (ransomware detonation, regional cloud outage, data center fire) with the full incident response team. Capture decisions, gaps, and open questions.",[74,1312,1313,1316],{},[59,1314,1315],{},"Q2 — Restore drill."," Restore a production system from backup into an isolated environment. Validate data integrity, time-to-restore, and the runbook accuracy.",[74,1318,1319,1322],{},[59,1320,1321],{},"Q3 — Partial failover."," Fail over one critical system to its DR target. 
Measure RTO, RPO, and any customer-facing impact.",[74,1324,1325,1328],{},[59,1326,1327],{},"Q4 — Emergency mode exercise."," Simulate an extended disruption that forces fallback processes. Exercise the human workflows that the technical runbooks assume will work.",[16,1330,1331],{},"Document every test: scenario, participants, timeline, findings, and corrective actions. Those findings feed the next iteration of both the contingency plan and the risk analysis.",[11,1333,1335],{"id":1334},"how-this-fits-into-your-hipaa-program","How this fits into your HIPAA program",[16,1337,1338,1339,1341,1342,1346,1347,1351],{},"Contingency planning does not sit alone. It connects to the ",[23,1340,1187],{"href":1186}," that sizes the risks to availability. It connects to ",[23,1343,1345],{"href":1344},"\u002Fframeworks\u002Fhipaa\u002Ffacility-access-controls","facility access controls"," through the contingency operations implementation specification at §164.310(a)(2)(i), which requires procedures allowing facility access during recovery. It connects to ",[23,1348,1350],{"href":1349},"\u002Fframeworks\u002Fhipaa\u002Fworkforce-training","workforce training"," because the plan only works if the people executing it have rehearsed their roles. It connects to BAAs, because most covered entities depend on business associates for critical systems, and the contingency plan must account for vendor failures as well as internal ones.",[16,1353,1354],{},"It also connects to breach notification. When ransomware or extended downtime exposes ePHI, the contingency response and the breach response run in parallel and share evidence. 
Design them to share templates, logs, and decision gates.",[11,1356,1358],{"id":1357},"common-pitfalls","Common pitfalls",[137,1360,1361,1367,1373,1379,1385,1391,1397],{},[74,1362,1363,1366],{},[59,1364,1365],{},"Backup and DR without emergency mode."," Engineers build strong recovery tooling, but there is no written answer for how clinical or operational staff continue their work during the hours before recovery completes.",[74,1368,1369,1372],{},[59,1370,1371],{},"Untested plans."," The plan is thorough on paper and has never been exercised. The first real incident exposes assumptions that do not match reality.",[74,1374,1375,1378],{},[59,1376,1377],{},"Backups in the same failure domain as production."," Backups stored on the same platform, region, or account as production systems are one ransomware event away from being useless.",[74,1380,1381,1384],{},[59,1382,1383],{},"Criticality analysis is missing or generic."," Every system is \"critical,\" so investment scatters and the systems that actually matter are under-protected.",[74,1386,1387,1390],{},[59,1388,1389],{},"Vendor gaps."," The plan assumes a business associate will restore its own systems within an RTO that the BAA never committed to. Renegotiate or document the risk.",[74,1392,1393,1396],{},[59,1394,1395],{},"No return-to-normal."," Plans cover failover but not failback. Weeks later, the organization is still operating in the emergency mode environment with degraded controls.",[74,1398,1399,1402],{},[59,1400,1401],{},"Stale documentation."," The plan references systems, vendors, or personnel that no longer exist. During an incident, this wastes the hours that matter most.",[11,1404,1406],{"id":1405},"how-episki-helps","How episki helps",[16,1408,1409],{},"episki brings contingency planning into the same workspace as the rest of your HIPAA program. 
Asset inventories feed the criticality analysis; backup, DR, and emergency mode runbooks live alongside the policies they implement; testing calendars and post-test findings stay linked to the systems they affect; and evidence rolls up automatically for OCR audits and customer reviews. When a real incident lands, the runbook, the contact list, and the decision log are in one place — not in a shared drive nobody has opened in nine months.",[16,1411,1412,1413,1416],{},"See the full ",[23,1414,1415],{"href":35},"HIPAA platform overview"," or start a free trial from the top of the hub page.",{"title":257,"searchDepth":258,"depth":258,"links":1418},[1419,1420,1427,1428,1429,1430,1431],{"id":1166,"depth":258,"text":1167},{"id":1191,"depth":258,"text":1192,"children":1421},[1422,1423,1424,1425,1426],{"id":1198,"depth":264,"text":1199},{"id":1219,"depth":264,"text":1220},{"id":1226,"depth":264,"text":1227},{"id":1236,"depth":264,"text":1237},{"id":1243,"depth":264,"text":1244},{"id":1250,"depth":258,"text":1251},{"id":1298,"depth":258,"text":1299},{"id":1334,"depth":258,"text":1335},{"id":1357,"depth":258,"text":1358},{"id":1405,"depth":258,"text":1406},"HIPAA §164.308(a)(7) requires covered entities and business associates to maintain data backup, disaster recovery, and emergency mode operation plans. Here is how to build them.",{"items":1434},[1435,1438,1441,1444],{"label":1436,"content":1437},"Is a HIPAA contingency plan required?","Yes. §164.308(a)(7) is a required standard, and three of its five implementation specifications — data backup, disaster recovery, and emergency mode operation — are also required. 
The other two (testing and applications\u002Fdata criticality analysis) are addressable, meaning you must implement them, document an equivalent, or justify their absence.",{"label":1439,"content":1440},"How often should we test our HIPAA contingency plan?","HIPAA does not prescribe a cadence, but mature programs test at least annually and after any material change to the environment. Tabletop exercises, restore-from-backup drills, and full DR failover tests each serve different purposes — most programs rotate through them over a calendar year.",{"label":1442,"content":1443},"What is emergency mode operation under HIPAA?","Emergency mode operation is the procedure your organization follows during a disruption to continue critical business processes while protecting ePHI. It defines who has authority, which systems must stay running, what fallback processes apply, and how you return to normal operations once the incident is resolved.",{"label":1445,"content":1446},"Do cloud SaaS companies still need a contingency plan?","Yes. The HIPAA Security Rule applies regardless of where ePHI lives. Inherited controls from your cloud provider cover portions of the infrastructure, but your own contingency plan must address application-layer recovery, RTO and RPO commitments to customers, and coordination with your BAA partners.",{},"\u002Fframeworks\u002Fhipaa\u002Fcontingency-planning",[293,1450,1451,1452],"phi","covered-entity","business-associate",[300,1454,1455,303],"risk-analysis","facility-access-controls",{"title":1457,"description":1458},"HIPAA Contingency Planning - §164.308(a)(7) Backup, DR & Testing","Build a HIPAA contingency plan that satisfies §164.308(a)(7). 
Data backup, disaster recovery, emergency mode operations, testing, and criticality analysis.","5.frameworks\u002Fhipaa\u002Fcontingency-planning","KhxjEUzMIykO_6ZX-W43j9Y9TaiAZYnR7SQPWZJK2Ho",{"id":1462,"title":1463,"body":1464,"description":1723,"extension":278,"faq":1724,"frameworkSlug":293,"lastUpdated":294,"meta":1738,"navigation":296,"path":1344,"relatedTerms":1739,"relatedTopics":1740,"seo":1743,"stem":1746,"__hash__":1747},"frameworkTopics\u002F5.frameworks\u002Fhipaa\u002Ffacility-access-controls.md","HIPAA Facility Access Controls",{"type":8,"value":1465,"toc":1708},[1466,1470,1473,1476,1483,1487,1490,1494,1501,1504,1508,1511,1514,1518,1521,1524,1528,1531,1534,1538,1541,1544,1561,1567,1571,1574,1606,1609,1613,1616,1636,1638,1653,1659,1661,1699,1701,1704],[11,1467,1469],{"id":1468},"why-hipaa-facility-access-controls-matter","Why HIPAA facility access controls matter",[16,1471,1472],{},"HIPAA §164.310(a) — the Facility Access Controls standard — requires covered entities and business associates to \"implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.\" It is one of the four standards in the physical safeguards category, alongside workstation use, workstation security, and device and media controls.",[16,1474,1475],{},"Physical safeguards sit at an uncomfortable intersection for modern SaaS companies. The hyperscale cloud providers that host most production ePHI inherit the bulk of data center controls, but that does not end the obligation — it shifts it. Workforce offices, co-working spaces, home offices, warehouses, and any location where physical media moves are still in scope. 
And for clinical settings, physical safeguards are front-line compliance work.",[16,1477,1478,1479,1179,1481,42],{},"For the broader physical safeguards context, see the ",[23,1480,26],{"href":25},[23,1482,1182],{"href":35},[11,1484,1486],{"id":1485},"the-four-implementation-specifications","The four implementation specifications",[16,1488,1489],{},"§164.310(a)(2) lists four implementation specifications. All four are addressable — meaning you must implement each, document an equivalent, or justify its absence based on your risk analysis.",[51,1491,1493],{"id":1492},"contingency-operations-164310a2i","Contingency operations — §164.310(a)(2)(i)",[16,1495,1496,1497,1500],{},"Contingency operations establish procedures that allow facility access in support of the restoration of lost data under the ",[23,1498,1499],{"href":1448},"HIPAA contingency plan",". In other words, when you are recovering from a disaster, the people who need to enter a facility to restore systems must be able to do so — without bypassing your normal access controls entirely.",[16,1502,1503],{},"This specification is often neglected because it sits at the intersection of physical security and disaster recovery. Neither team owns it completely. The fix is to name an owner, define who has emergency access authority, document how access is granted during a contingency, and exercise the procedure during your DR tests.",[51,1505,1507],{"id":1506},"facility-security-plan-164310a2ii","Facility security plan — §164.310(a)(2)(ii)",[16,1509,1510],{},"The facility security plan documents policies and procedures that safeguard the facility and the equipment inside it from unauthorized physical access, tampering, and theft. It should describe the physical boundaries of each facility, the controls at each boundary (locks, badge readers, cameras, alarms), monitoring expectations, and the responsible owners.",[16,1512,1513],{},"A defensible facility security plan is not generic. 
It describes your buildings, your controls, and your threats — not a template's buildings. Include floor plans, control inventories, and risk notes for each location.",[51,1515,1517],{"id":1516},"access-control-and-validation-164310a2iii","Access control and validation — §164.310(a)(2)(iii)",[16,1519,1520],{},"Access control and validation procedures govern who gets in and how their identity is validated. This includes workforce members, visitors, vendors, maintenance personnel, and contractors. For workforce members, validation usually rides on the same identity infrastructure as logical access: badge plus PIN, badge plus biometric, or badge plus escort for lower-trust areas. For visitors, the industry standard is photo identification, sign-in, a visible badge for the duration of the visit, and escort in sensitive areas.",[16,1522,1523],{},"Access levels should be role-based and reviewed periodically. When a workforce member changes roles or leaves the organization, their physical access must be revoked promptly — this is one of the most common and most embarrassing OCR findings.",[51,1525,1527],{"id":1526},"maintenance-records-164310a2iv","Maintenance records — §164.310(a)(2)(iv)",[16,1529,1530],{},"Maintenance records document repairs and modifications to the physical components of the facility that are related to security — hardware, walls, doors, locks, badge readers, alarms, and cameras. The point is traceability: if a door is cut for cabling and then poorly resealed, the record is how you catch it on the next audit.",[16,1532,1533],{},"Modern facility management systems handle most of this automatically. The gap is usually the tenant-improvement and office-move scenarios where construction work bypasses the normal ticket flow.",[11,1535,1537],{"id":1536},"extending-the-perimeter-to-remote-work","Extending the perimeter to remote work",[16,1539,1540],{},"The traditional facility access model assumes a building with a door, a badge reader, and a receptionist. 
That model covers fewer workforce members every year. Modern HIPAA programs treat the facility boundary as wherever a workforce member handles PHI.",[16,1542,1543],{},"Your controls should answer practical questions for remote workers.",[137,1545,1546,1549,1552,1555,1558],{},[74,1547,1548],{},"What is the expectation for a home office workspace? Locked door? Locked filing cabinet for any printed PHI?",[74,1550,1551],{},"How is PHI handled in shared living spaces, coffee shops, and during travel?",[74,1553,1554],{},"Who is allowed to be present when the workforce member is viewing PHI on a screen?",[74,1556,1557],{},"How are corporate devices secured when not in use?",[74,1559,1560],{},"What is the process for returning devices at offboarding, especially when the workforce member never set foot in a corporate office?",[16,1562,1563,1564,1566],{},"Bake these expectations into the acceptable use policy and the ",[23,1565,1350],{"href":1349}," curriculum, then validate adherence through attestations, device management telemetry, and spot checks.",[11,1568,1570],{"id":1569},"visitor-management","Visitor management",[16,1572,1573],{},"Visitor management is the most visible facility access control and the most common source of awkward findings during on-site audits. 
A defensible process includes five elements.",[71,1575,1576,1582,1588,1594,1600],{},[74,1577,1578,1581],{},[59,1579,1580],{},"Pre-arrival notification."," Hosts announce expected visitors in advance.",[74,1583,1584,1587],{},[59,1585,1586],{},"Identity verification."," Government-issued photo identification at sign-in.",[74,1589,1590,1593],{},[59,1591,1592],{},"Visible badge."," A badge that differs from workforce member badges, valid only for the day.",[74,1595,1596,1599],{},[59,1597,1598],{},"Escort requirement."," Visitors are escorted in sensitive areas — server rooms, clinical areas, wherever PHI is physically accessible.",[74,1601,1602,1605],{},[59,1603,1604],{},"Sign-out and badge return."," A clean closeout so the log reflects who is actually in the building.",[16,1607,1608],{},"Camera coverage of entrances, reception areas, and sensitive zones supports the visitor log as corroborating evidence. Retain footage per your policy and review after any incident.",[11,1610,1612],{"id":1611},"cloud-inheritance-and-the-baa","Cloud inheritance and the BAA",[16,1614,1615],{},"For the portion of your ePHI that lives with a hyperscale cloud provider, the provider's physical controls are inherited through the BAA. You should still do three things.",[137,1617,1618,1624,1630],{},[74,1619,1620,1623],{},[59,1621,1622],{},"Document the inheritance."," Map each §164.310(a) specification to the provider control that covers it, and cite the provider's compliance attestations (SOC 2, HITRUST, or equivalent).",[74,1625,1626,1629],{},[59,1627,1628],{},"Scope the boundary."," Make explicit what is and is not inherited. A cloud provider does not cover your office, your laptop, or your home workspace.",[74,1631,1632,1635],{},[59,1633,1634],{},"Keep the BAA current."," Provider BAAs change. 
Track versions and re-review when providers update their terms.",[11,1637,1335],{"id":1334},[16,1639,1640,1641,1645,1646,1649,1650,1652],{},"Facility access controls pair with several other safeguards. ",[23,1642,1644],{"href":1643},"\u002Fframeworks\u002Fhipaa\u002Fworkstation-and-device-controls","Workstation and device controls"," pick up where facility controls end, governing the endpoints inside the facility. ",[23,1647,1648],{"href":1448},"Contingency planning"," shares the contingency operations specification and exercises it during DR tests. The ",[23,1651,1187],{"href":1186}," identifies which facilities, regions, and configurations carry the greatest physical risk and directs investment there.",[16,1654,1655,1656,1658],{},"Access control and validation also tie back to ",[23,1657,1350],{"href":1349},". Workforce members need to know what to do when they see an unbadged visitor in a restricted area, how to handle tailgating at the main entrance, and where to escalate suspected physical security concerns. Training transforms the policy into active vigilance.",[11,1660,1358],{"id":1357},[137,1662,1663,1669,1675,1681,1687,1693],{},[74,1664,1665,1668],{},[59,1666,1667],{},"Office-only thinking."," The plan covers the main office but not co-working spaces, satellite facilities, or home offices where workforce members routinely handle PHI.",[74,1670,1671,1674],{},[59,1672,1673],{},"Orphaned badge access."," Terminated workforce members retain badge access for days or weeks because deprovisioning is not tied to the HR offboarding event.",[74,1676,1677,1680],{},[59,1678,1679],{},"Untested contingency access."," When a DR event actually happens, no one can prove they have authority to enter a facility, and recovery is delayed.",[74,1682,1683,1686],{},[59,1684,1685],{},"Visitor log on paper only."," The log is on a clipboard at reception, no photo ID is captured, and the book is discarded annually. 
There is nothing to review after an incident.",[74,1688,1689,1692],{},[59,1690,1691],{},"No maintenance record trail."," Construction and facility work bypass the normal ticket flow, so a door cut for cabling six months ago never made it into the security record.",[74,1694,1695,1698],{},[59,1696,1697],{},"Cloud inheritance undocumented."," The organization relies on a cloud provider for physical safeguards but cannot produce the mapping during an audit, and the cloud provider's BAA in the evidence locker is two years old.",[11,1700,1406],{"id":1405},[16,1702,1703],{},"episki maps §164.310(a) to your facilities, cloud providers, and remote work program so the full scope of physical safeguards is visible in one place. Visitor management, badge review, maintenance records, and cloud inheritance attestations feed the evidence locker; facility risk notes feed the HIPAA risk analysis; and role-based physical access reviews run on the same schedule as logical access reviews. When a customer asks for your physical security posture, the answer is ready.",[16,1705,1412,1706,1416],{},[23,1707,1415],{"href":35},{"title":257,"searchDepth":258,"depth":258,"links":1709},[1710,1711,1717,1718,1719,1720,1721,1722],{"id":1468,"depth":258,"text":1469},{"id":1485,"depth":258,"text":1486,"children":1712},[1713,1714,1715,1716],{"id":1492,"depth":264,"text":1493},{"id":1506,"depth":264,"text":1507},{"id":1516,"depth":264,"text":1517},{"id":1526,"depth":264,"text":1527},{"id":1536,"depth":258,"text":1537},{"id":1569,"depth":258,"text":1570},{"id":1611,"depth":258,"text":1612},{"id":1334,"depth":258,"text":1335},{"id":1357,"depth":258,"text":1358},{"id":1405,"depth":258,"text":1406},"HIPAA §164.310(a) requires physical safeguards over the facilities that house ePHI. 
Here is how to implement access controls, visitor management, and contingency operations.",{"items":1725},[1726,1729,1732,1735],{"label":1727,"content":1728},"Do cloud-only SaaS companies need facility access controls?","Yes, but the scope is narrower. Your hyperscale cloud provider inherits most data center controls through its BAA, but you still need facility access controls for your offices, any location where workforce members handle PHI, and any physical media you ship or receive.",{"label":1730,"content":1731},"What counts as a facility under HIPAA?","A facility is the physical premises and interior and exterior of any building that contains electronic information systems or ePHI. This includes data centers, offices, clinics, warehouses holding devices, and any location where workforce members routinely access ePHI.",{"label":1733,"content":1734},"Are visitor logs required under HIPAA?","Visitor logs are not explicitly required by rule, but they are the most common evidence that facility access controls are operating. OCR audit protocol asks how the organization controls access for visitors, vendors, and maintenance personnel, and a log is the standard answer.",{"label":1736,"content":1737},"How does remote work change facility access controls?","Remote work shifts the facility boundary to the workforce member's home. Your controls must address home office expectations, shared spaces, physical security of devices, and the handling of printed PHI — because all of those are now inside the facility for HIPAA purposes.",{},[293,1450,1451,1452],[300,1741,1742,1454],"workstation-and-device-controls","contingency-planning",{"title":1744,"description":1745},"HIPAA Facility Access Controls - §164.310(a) Physical Safeguards Guide","Implement HIPAA facility access controls under §164.310(a). 
Contingency operations, facility security plans, access validation, and maintenance records.","5.frameworks\u002Fhipaa\u002Ffacility-access-controls","8840pyLYjYlEDDgbJIxRgnyBuP1Jq9iorYZyb9_20gY",{"id":1749,"title":1750,"body":1751,"description":2088,"extension":278,"faq":2089,"frameworkSlug":293,"lastUpdated":294,"meta":2103,"navigation":296,"path":2104,"relatedTerms":2105,"relatedTopics":2107,"seo":2108,"stem":2111,"__hash__":2112},"frameworkTopics\u002F5.frameworks\u002Fhipaa\u002Fhitech-and-omnibus.md","HITECH Act and the HIPAA Omnibus Rule",{"type":8,"value":1752,"toc":2064},[1753,1757,1760,1763,1777,1781,1784,1788,1791,1794,1798,1801,1804,1808,1811,1815,1818,1822,1825,1829,1832,1836,1839,1846,1850,1853,1857,1860,1864,1867,1871,1874,1878,1881,1885,1888,1892,1990,1994,1997,2000,2002,2015,2017,2055,2057,2060],[11,1754,1756],{"id":1755},"why-hitech-and-the-omnibus-rule-matter","Why HITECH and the Omnibus Rule matter",[16,1758,1759],{},"Original HIPAA — the 1996 law and its initial Privacy and Security Rules — created the framework for protecting patient health information in the United States. But by the mid-2000s, two realities had outgrown that framework. First, business associates handled a huge and growing share of PHI, yet their only legal obligation was through contract, not regulation. Second, electronic health records were about to be adopted at unprecedented scale, dramatically expanding the volume and mobility of ePHI.",[16,1761,1762],{},"HITECH and the Omnibus Rule addressed both realities. HITECH — the Health Information Technology for Economic and Clinical Health Act, enacted February 17, 2009 as Title XIII of the American Recovery and Reinvestment Act — statutorily extended HIPAA obligations to business associates, created a federal Breach Notification Rule, increased civil penalties, and funded EHR adoption through the Meaningful Use program. 
The 2013 HIPAA Omnibus Rule then translated HITECH into binding regulation and layered on additional changes, producing the modern HIPAA framework that every covered entity and business associate operates under today.",[16,1764,1765,1766,1768,1769,1771,1772,1774,1775,42],{},"For the broader HIPAA framework context, see the ",[23,1767,1182],{"href":35},". For related detail, see the ",[23,1770,31],{"href":30},", the ",[23,1773,26],{"href":25},", and the ",[23,1776,411],{"href":297},[11,1778,1780],{"id":1779},"what-hitech-changed","What HITECH changed",[16,1782,1783],{},"HITECH is the larger of the two shifts in substance, even though the Omnibus Rule is where most of the regulatory text actually lives.",[51,1785,1787],{"id":1786},"direct-liability-for-business-associates","Direct liability for business associates",[16,1789,1790],{},"Before HITECH, the Security Rule and most of the Privacy Rule applied only to covered entities. Business associates were bound to HIPAA only through their BAAs — contractual, not regulatory. HITECH changed that at §13401, making the Security Rule and specified Privacy Rule obligations directly applicable to business associates. OCR can now enforce HIPAA against a business associate directly, without the covered entity in the middle.",[16,1792,1793],{},"In practice, this is the change that pulled every healthcare-facing SaaS company directly into the HIPAA enforcement orbit.",[51,1795,1797],{"id":1796},"federal-breach-notification-requirements","Federal breach notification requirements",[16,1799,1800],{},"HITECH §13402 created the first federal Breach Notification Rule. Before HITECH, breach notification was governed by a patchwork of state laws with inconsistent definitions and timelines. 
HITECH established a uniform federal floor for unsecured PHI: notify affected individuals without unreasonable delay and no later than 60 days, notify HHS (annually for smaller breaches, within 60 days for breaches of 500 or more), and notify the media for breaches of 500 or more in a state or jurisdiction.",[16,1802,1803],{},"Business associates must notify the covered entity, who in turn notifies the individuals. The four-factor risk assessment that determines whether a violation constitutes a reportable breach originates here, though the Omnibus Rule tightened it.",[51,1805,1807],{"id":1806},"increased-civil-penalties","Increased civil penalties",[16,1809,1810],{},"HITECH §13410(d) restructured HIPAA civil monetary penalties into the four-tier scheme that remains in effect: unknowing violations, reasonable cause, willful neglect corrected, and willful neglect uncorrected. Maximum annual penalties reached $1.5 million per violation category, adjusted annually for inflation. State attorneys general gained authority to bring enforcement actions.",[51,1812,1814],{"id":1813},"meaningful-use-and-the-ehr-buildout","Meaningful Use and the EHR buildout",[16,1816,1817],{},"HITECH also funded the nationwide rollout of electronic health records through Medicare and Medicaid incentive payments, later restructured as the Promoting Interoperability programs. The effect was to multiply the volume of electronic PHI subject to HIPAA protections — and to multiply the number of SaaS vendors building in the healthcare space.",[51,1819,1821],{"id":1820},"patient-access-to-electronic-records","Patient access to electronic records",[16,1823,1824],{},"HITECH §13405(e) strengthened individual access rights for ePHI held in EHRs. Individuals could request an electronic copy and direct that copy to a third party. 
Fees for electronic copies were limited to labor costs, eliminating the markup that some providers had applied to paper copies.",[11,1826,1828],{"id":1827},"what-the-2013-omnibus-rule-changed","What the 2013 Omnibus Rule changed",[16,1830,1831],{},"The HIPAA Omnibus Rule — published January 25, 2013, effective March 26, 2013, with compliance required by September 23, 2013 — implemented HITECH and added further changes across all four HIPAA rules. Seven changes stand out.",[51,1833,1835],{"id":1834},"baa-obligations-extended-to-subcontractors","BAA obligations extended to subcontractors",[16,1837,1838],{},"Before Omnibus, BAAs flowed one hop: covered entity to business associate. Omnibus required business associates to execute BAAs with any subcontractor that creates, receives, maintains, or transmits PHI on their behalf, and made those subcontractors business associates in their own right. The effect was to close the pass-through loophole and align the chain of PHI custody with the chain of legal responsibility.",[16,1840,1841,1842,1845],{},"See the ",[23,1843,1844],{"href":178},"business associate agreements"," guide for the full BAA content requirements.",[51,1847,1849],{"id":1848},"breach-definition-tightened","Breach definition tightened",[16,1851,1852],{},"Omnibus replaced the HITECH \"significant risk of harm\" test with a presumption of breach and a four-factor risk assessment. Under the revised rule, any impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates through the four factors that there is a low probability the PHI has been compromised. 
The shift favored notification over non-notification and made marginal cases more likely to be reported.",[51,1854,1856],{"id":1855},"genetic-information-protections","Genetic information protections",[16,1858,1859],{},"Omnibus incorporated the Genetic Information Nondiscrimination Act (GINA) into HIPAA, clarifying that genetic information is PHI and prohibiting the use or disclosure of genetic information by health plans for underwriting purposes.",[51,1861,1863],{"id":1862},"stronger-patient-rights","Stronger patient rights",[16,1865,1866],{},"Patients gained the right to restrict disclosures to health plans when they pay out of pocket in full for a service, the right to receive electronic copies of their ePHI in EHR systems within 30 days, and stronger authorization requirements for the sale of PHI and for marketing communications.",[51,1868,1870],{"id":1869},"updated-notice-of-privacy-practices","Updated Notice of Privacy Practices",[16,1872,1873],{},"Every covered entity had to update its Notice of Privacy Practices to reflect the new rules, including the breach notification obligation, the expanded patient rights, and the uses of PHI for marketing and fundraising that now required authorization.",[51,1875,1877],{"id":1876},"enforcement-teeth","Enforcement teeth",[16,1879,1880],{},"Omnibus codified the HITECH penalty tiers, required HHS to conduct periodic audits, and clarified that willful neglect findings require formal investigation and penalty. 
The era of informal OCR letters closing investigations without consequence ended.",[51,1882,1884],{"id":1883},"liability-for-agents","Liability for agents",[16,1886,1887],{},"Omnibus made clear that covered entities are liable for the acts of their business associates that are agents under federal common law — a narrow but meaningful exposure that forced sharper scrutiny of control over business associate operations.",[11,1889,1891],{"id":1890},"original-hipaa-vs-post-omnibus-hipaa-at-a-glance","Original HIPAA vs post-Omnibus HIPAA at a glance",[1893,1894,1895,1911],"table",{},[1896,1897,1898],"thead",{},[1899,1900,1901,1905,1908],"tr",{},[1902,1903,1904],"th",{},"Topic",[1902,1906,1907],{},"Original HIPAA (pre-2009)",[1902,1909,1910],{},"Post-HITECH \u002F Omnibus",[1912,1913,1914,1925,1935,1946,1957,1968,1979],"tbody",{},[1899,1915,1916,1919,1922],{},[1917,1918,464],"td",{},[1917,1920,1921],{},"Contractual only (via BAA)",[1917,1923,1924],{},"Direct regulatory liability",[1899,1926,1927,1929,1932],{},[1917,1928,351],{},[1917,1930,1931],{},"Not explicitly covered",[1917,1933,1934],{},"Covered as business associates",[1899,1936,1937,1940,1943],{},[1917,1938,1939],{},"Breach notification",[1917,1941,1942],{},"State-law patchwork",[1917,1944,1945],{},"Federal rule, 60-day deadline",[1899,1947,1948,1951,1954],{},[1917,1949,1950],{},"Civil penalties",[1917,1952,1953],{},"Up to $25,000 per year, per violation category",[1917,1955,1956],{},"Four-tier structure, up to $1.5M per year, per category",[1899,1958,1959,1962,1965],{},[1917,1960,1961],{},"State attorney general enforcement",[1917,1963,1964],{},"Not authorized",[1917,1966,1967],{},"Authorized by HITECH",[1899,1969,1970,1973,1976],{},[1917,1971,1972],{},"Electronic access to PHI",[1917,1974,1975],{},"Paper-oriented",[1917,1977,1978],{},"Electronic copy within 30 days",[1899,1980,1981,1984,1987],{},[1917,1982,1983],{},"Genetic information",[1917,1985,1986],{},"Covered in part",[1917,1988,1989],{},"Covered 
explicitly, underwriting prohibited",[11,1991,1993],{"id":1992},"how-hitech-and-omnibus-changed-operational-practice","How HITECH and Omnibus changed operational practice",[16,1995,1996],{},"For covered entities, the biggest operational change was BAA renegotiation — every BAA in force had to be updated to meet the Omnibus content requirements. For business associates, the change was existential: overnight, every vendor with PHI access was directly on the hook for the Security Rule, the Breach Notification Rule, and the relevant Privacy Rule obligations.",[16,1998,1999],{},"For modern healthcare SaaS companies, the practical implication is that \"we are a business associate\" is no longer a contractual fact — it is a regulatory status with its own documentation, risk analysis, breach reporting, and audit exposure. The HITECH and Omnibus changes are the reason a small SaaS vendor can now receive an OCR enforcement letter in its own right.",[11,2001,1335],{"id":1334},[16,2003,2004,2005,1771,2007,1771,2009,2011,2012,2014],{},"HITECH and Omnibus are not separate frameworks to track — they are layered into the modern HIPAA rules. You satisfy them by complying with the ",[23,2006,31],{"href":30},[23,2008,26],{"href":25},[23,2010,411],{"href":297},", and the BAA requirements at ",[23,2013,1844],{"href":178},". 
The reason to understand the history is that it explains which obligations apply to which parties, and why the BAA flow-down, breach notification, and penalty structures look the way they do today.",[11,2016,1358],{"id":1357},[137,2018,2019,2025,2031,2037,2043,2049],{},[74,2020,2021,2024],{},[59,2022,2023],{},"Stale BAAs."," Some BAAs on file still reflect pre-Omnibus templates, missing subcontractor flow-down, breach notification language, and updated permitted use categories.",[74,2026,2027,2030],{},[59,2028,2029],{},"Outdated Notice of Privacy Practices."," The notice has not been refreshed since 2013, missing language required by subsequent guidance and regulatory updates.",[74,2032,2033,2036],{},[59,2034,2035],{},"Breach analyses that apply the old test."," Analysts still ask whether a disclosure caused \"significant risk of harm,\" rather than applying the four-factor test from Omnibus. The old test is defunct.",[74,2038,2039,2042],{},[59,2040,2041],{},"Undercounted subcontractors."," A business associate has not papered BAAs with its subcontractors because it treats them as \"just vendors.\" Omnibus closed that gap.",[74,2044,2045,2048],{},[59,2046,2047],{},"No risk analysis refresh after material change."," HITECH and Omnibus introduced new obligations that should have triggered a risk analysis update. Many organizations never did one.",[74,2050,2051,2054],{},[59,2052,2053],{},"Confusing HITECH, HITRUST, and HIPAA."," Operators sometimes use the three names interchangeably. HITECH is federal law, HIPAA is federal law and regulations, and HITRUST is a private certification.",[11,2056,1406],{"id":1405},[16,2058,2059],{},"episki carries the modern HIPAA regulatory structure in its bones. 
BAA templates reflect Omnibus Rule requirements; breach analysis workflows apply the four-factor test automatically; risk analyses incorporate HITECH-era threats like EHR interoperability and vendor sprawl; and policy libraries reference the underlying regulation so you always know which clause a control satisfies.",[16,2061,1412,2062,1416],{},[23,2063,1415],{"href":35},{"title":257,"searchDepth":258,"depth":258,"links":2065},[2066,2067,2074,2083,2084,2085,2086,2087],{"id":1755,"depth":258,"text":1756},{"id":1779,"depth":258,"text":1780,"children":2068},[2069,2070,2071,2072,2073],{"id":1786,"depth":264,"text":1787},{"id":1796,"depth":264,"text":1797},{"id":1806,"depth":264,"text":1807},{"id":1813,"depth":264,"text":1814},{"id":1820,"depth":264,"text":1821},{"id":1827,"depth":258,"text":1828,"children":2075},[2076,2077,2078,2079,2080,2081,2082],{"id":1834,"depth":264,"text":1835},{"id":1848,"depth":264,"text":1849},{"id":1855,"depth":264,"text":1856},{"id":1862,"depth":264,"text":1863},{"id":1869,"depth":264,"text":1870},{"id":1876,"depth":264,"text":1877},{"id":1883,"depth":264,"text":1884},{"id":1890,"depth":258,"text":1891},{"id":1992,"depth":258,"text":1993},{"id":1334,"depth":258,"text":1335},{"id":1357,"depth":258,"text":1358},{"id":1405,"depth":258,"text":1406},"The 2009 HITECH Act and the 2013 HIPAA Omnibus Rule reshaped HIPAA - extending it to business associates, creating breach notification, and raising penalties. Here is what changed.",{"items":2090},[2091,2094,2097,2100],{"label":2092,"content":2093},"What is the HITECH Act?","The Health Information Technology for Economic and Clinical Health Act was signed into law in 2009 as part of the American Recovery and Reinvestment Act. 
It extended HIPAA obligations directly to business associates, introduced federal breach notification requirements, increased civil monetary penalties, and funded the nationwide adoption of electronic health records.",{"label":2095,"content":2096},"What is the HIPAA Omnibus Rule?","The 2013 HIPAA Omnibus Rule is the regulation that implemented HITECH and made additional changes to the Privacy, Security, Breach Notification, and Enforcement Rules. It extended the Privacy and Security Rules to business associates and their subcontractors, tightened the breach definition, strengthened patient access rights, and aligned HIPAA with the Genetic Information Nondiscrimination Act.",{"label":2098,"content":2099},"Do business associates have direct HIPAA liability?","Yes, since HITECH. Before 2009, business associates were bound to HIPAA only through the contractual obligations of a BAA. After HITECH, business associates became directly liable for compliance with the HIPAA Security Rule and certain Privacy Rule obligations, and OCR can enforce against them directly.",{"label":2101,"content":2102},"What did the Omnibus Rule change for BAAs?","The Omnibus Rule extended BAA requirements to subcontractors of business associates, tightened what a compliant BAA must contain, and made subcontractors directly liable under HIPAA. 
It also required covered entities and business associates to update their BAA templates by the compliance date in 2013 and 2014.",{},"\u002Fframeworks\u002Fhipaa\u002Fhitech-and-omnibus",[293,1450,2106,1451,1452],"baa",[550,302,301,300],{"title":2109,"description":2110},"HITECH Act & HIPAA Omnibus Rule - What Changed From Original HIPAA","How the 2009 HITECH Act and 2013 HIPAA Omnibus Rule expanded HIPAA to business associates, introduced breach notification, and increased civil penalties.","5.frameworks\u002Fhipaa\u002Fhitech-and-omnibus","MfJqKIqi-cHUA-dvwY87Y4hwnTFsW3lArdJ8FBLVgoM",{"id":2114,"title":2115,"body":2116,"description":2353,"extension":278,"faq":2354,"frameworkSlug":293,"lastUpdated":294,"meta":2368,"navigation":296,"path":2369,"relatedTerms":2370,"relatedTopics":2371,"seo":2373,"stem":2376,"__hash__":2377},"frameworkTopics\u002F5.frameworks\u002Fhipaa\u002Fminimum-necessary-rule.md","HIPAA Minimum Necessary Rule",{"type":8,"value":2117,"toc":2337},[2118,2122,2125,2128,2135,2139,2142,2146,2149,2153,2156,2160,2163,2167,2170,2174,2177,2197,2200,2204,2207,2239,2242,2246,2249,2252,2256,2259,2262,2264,2279,2282,2284,2328,2330,2333],[11,2119,2121],{"id":2120},"why-the-hipaa-minimum-necessary-rule-matters","Why the HIPAA minimum necessary rule matters",[16,2123,2124],{},"The HIPAA minimum necessary standard — codified at 45 CFR §164.502(b) and elaborated at §164.514(d) — is one of the Privacy Rule's most consequential provisions. In a single sentence, it requires covered entities and business associates to \"make reasonable efforts to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.\"",[16,2126,2127],{},"The rule is the Privacy Rule equivalent of least privilege. 
It operates on four planes simultaneously: internal uses of PHI by the workforce, routine disclosures to outside parties, non-routine disclosures evaluated case by case, and requests the organization makes to others. Each plane requires different controls, and most OCR enforcement actions that cite minimum necessary violations fail on at least one of them.",[16,2129,2130,2131,1179,2133,42],{},"For the broader Privacy Rule context, see the ",[23,2132,31],{"href":30},[23,2134,1182],{"href":35},[11,2136,2138],{"id":2137},"what-the-standard-actually-requires","What the standard actually requires",[16,2140,2141],{},"§164.502(b) establishes the general obligation, and §164.514(d) details how to implement it. The implementing rule requires four things.",[51,2143,2145],{"id":2144},"policies-and-procedures-for-internal-uses-164514d2","Policies and procedures for internal uses — §164.514(d)(2)",[16,2147,2148],{},"Covered entities must identify the persons or classes of persons in the workforce who need access to PHI to carry out their duties, specify the categories of PHI to which access is needed, and identify any conditions appropriate to such access. The practical output is a role-based access model.",[51,2150,2152],{"id":2151},"standard-protocols-for-routine-disclosures-164514d3i","Standard protocols for routine disclosures — §164.514(d)(3)(i)",[16,2154,2155],{},"For disclosures that happen repeatedly — billing submissions, lab result transmissions, utilization review exchanges — the organization must develop standard protocols that limit the PHI disclosed to what is reasonably necessary for the stated purpose. 
The protocols themselves become policy documents.",[51,2157,2159],{"id":2158},"criteria-for-non-routine-disclosures-164514d3ii","Criteria for non-routine disclosures — §164.514(d)(3)(ii)",[16,2161,2162],{},"For disclosures that are not routine, the organization must establish criteria designed to limit the disclosure and a review procedure that applies those criteria. Each non-routine disclosure then gets an individualized review against the criteria.",[51,2164,2166],{"id":2165},"reliance-on-requester-representations-164514d3iii","Reliance on requester representations — §164.514(d)(3)(iii)",[16,2168,2169],{},"When another covered entity, a public official, or a professional asserts that the information requested is the minimum necessary for a stated purpose, the disclosing entity may reasonably rely on that representation in many circumstances. The reliance is not automatic — it depends on the requester and the context — and the organization must document its reasoning.",[11,2171,2173],{"id":2172},"exceptions-to-the-minimum-necessary-standard","Exceptions to the minimum necessary standard",[16,2175,2176],{},"§164.502(b)(2) lists six specific situations where the minimum necessary standard does not apply.",[137,2178,2179,2182,2185,2188,2191,2194],{},[74,2180,2181],{},"Disclosures to, or requests by, a healthcare provider for treatment.",[74,2183,2184],{},"Uses or disclosures made to the individual who is the subject of the PHI.",[74,2186,2187],{},"Uses or disclosures made pursuant to a valid authorization signed by the individual.",[74,2189,2190],{},"Disclosures made to HHS for enforcement or compliance purposes.",[74,2192,2193],{},"Uses or disclosures required by law.",[74,2195,2196],{},"Uses or disclosures required for HIPAA compliance with Subparts A and E of Part 164.",[16,2198,2199],{},"The treatment exception is the most significant and the most misunderstood. 
It applies to disclosures between healthcare providers for treatment purposes — the receiving clinician may need information the requesting clinician cannot predict. It does not apply to internal uses of PHI within an organization's treatment workforce, which are still governed by the general least-access principle of role-based access.",[11,2201,2203],{"id":2202},"role-based-access-as-the-default-implementation","Role-based access as the default implementation",[16,2205,2206],{},"Most organizations implement the internal-use portion of the minimum necessary standard through role-based access control (RBAC). A defensible RBAC implementation has five components.",[71,2208,2209,2215,2221,2227,2233],{},[74,2210,2211,2214],{},[59,2212,2213],{},"Role inventory."," Every workforce member is assigned to one or more defined roles. Undefined roles are not allowed.",[74,2216,2217,2220],{},[59,2218,2219],{},"Role-to-data mapping."," Each role is mapped to the categories of PHI necessary for its functions. Mappings are reviewed at least annually and after material organizational change.",[74,2222,2223,2226],{},[59,2224,2225],{},"System enforcement."," RBAC is enforced in production systems, not just in policy documents. Access controls in EHRs, CRMs, data warehouses, and internal tools align to the mapping.",[74,2228,2229,2232],{},[59,2230,2231],{},"Access review."," At least quarterly, access is reviewed and reconciled with current role assignments. Reviews produce evidence, not just affirmations.",[74,2234,2235,2238],{},[59,2236,2237],{},"Exception handling."," When a workforce member needs access outside their role for a specific task, the exception is time-bounded, approved, documented, and revoked automatically on expiration.",[16,2240,2241],{},"Attribute-based access control (ABAC) and policy-based access control layer on top of RBAC for cases where the necessary access depends on patient relationship, episode of care, or data sensitivity. 
These are increasingly common in mature EHR deployments.",[11,2243,2245],{"id":2244},"routine-disclosures-where-the-protocol-lives","Routine disclosures: where the protocol lives",[16,2247,2248],{},"Routine disclosures are the quiet backbone of most covered entities. Claims submissions, lab orders, referrals, public health reporting, and payment inquiries are all routine. Each one should be governed by a written protocol that specifies the purpose, the permitted recipients, the specific data elements, and the form or channel used.",[16,2250,2251],{},"The protocol is also where de-identification and limited data sets enter the picture. If a disclosure purpose can be accomplished with a limited data set, requiring a signed data use agreement from the recipient, the minimum necessary obligation pushes strongly toward that option. If it can be accomplished with de-identified data, the obligation pushes further.",[11,2253,2255],{"id":2254},"non-routine-disclosures-the-review-step","Non-routine disclosures: the review step",[16,2257,2258],{},"Non-routine disclosures are the ones that show up most often in breach investigations. A law enforcement request, a subpoena, an insurer audit, a researcher's data request — each is different enough to require individual review. The policy should specify who reviews non-routine requests, what criteria they apply, and what documentation they produce.",[16,2260,2261],{},"Keep the criteria short and binding: purpose, minimum data elements, recipient authority, and retention expectation. The review record should reference the criteria explicitly.",[11,2263,1335],{"id":1334},[16,2265,2266,2267,2270,2271,2273,2274,2278],{},"The minimum necessary standard is a Privacy Rule obligation, but it depends on Security Rule controls to operate. ",[23,2268,2269],{"href":1349},"Workforce training"," teaches workforce members the difference between access they have and access they should use. 
The ",[23,2272,1187],{"href":1186}," surfaces systems where technical controls do not enforce the role-based access model your policy describes. The ",[23,2275,2277],{"href":2276},"\u002Fframeworks\u002Fhipaa\u002Fsanctions-policy","sanctions policy"," gives enforcement authority to the access rules the standard establishes.",[16,2280,2281],{},"It also connects directly to audit controls. Unique user identification and activity logging are the evidence that role-based access is working as intended — and the mechanism that surfaces minimum necessary violations.",[11,2283,1358],{"id":1357},[137,2285,2286,2292,2298,2304,2310,2316,2322],{},[74,2287,2288,2291],{},[59,2289,2290],{},"Policy without system enforcement."," The written policy describes role-based access, but the EHR and internal tools grant every workforce member broad access. The gap is the finding.",[74,2293,2294,2297],{},[59,2295,2296],{},"Role sprawl."," The role inventory has ballooned to hundreds of ad hoc roles, each with slight permission differences. The mapping is no longer reviewable in practice.",[74,2299,2300,2303],{},[59,2301,2302],{},"No access recertification."," Access was appropriate at provisioning, but workforce members have changed roles repeatedly without a scheduled review, accumulating permissions.",[74,2305,2306,2309],{},[59,2307,2308],{},"Treatment exception stretched."," The organization treats the treatment exception as license for any workforce member in a care setting to view any patient record. 
OCR has disagreed loudly and publicly.",[74,2311,2312,2315],{},[59,2313,2314],{},"Routine disclosure by habit."," Claims and lab flows include more PHI than the receiving party actually needs, because \"that is how the template has always been built.\"",[74,2317,2318,2321],{},[59,2319,2320],{},"Non-routine reviews are informal."," Non-routine disclosures get an email blessing from counsel but no structured review record, so the rationale is unretrievable years later.",[74,2323,2324,2327],{},[59,2325,2326],{},"Reliance without documentation."," Disclosures are made in reliance on another party's minimum-necessary representation, but the reasoning is not recorded, so OCR cannot verify the reasonableness of the reliance.",[11,2329,1406],{"id":1405},[16,2331,2332],{},"episki brings role-to-data mappings, access review campaigns, routine disclosure protocols, and non-routine disclosure workflows into a single HIPAA workspace. Reviews run on a schedule, evidence accumulates automatically, and exceptions are time-bounded and auditable. 
When a customer asks how you implement the minimum necessary standard — or when an OCR investigation asks for a specific disclosure record — you produce it in minutes, not days.",[16,2334,1412,2335,1416],{},[23,2336,1415],{"href":35},{"title":257,"searchDepth":258,"depth":258,"links":2338},[2339,2340,2346,2347,2348,2349,2350,2351,2352],{"id":2120,"depth":258,"text":2121},{"id":2137,"depth":258,"text":2138,"children":2341},[2342,2343,2344,2345],{"id":2144,"depth":264,"text":2145},{"id":2151,"depth":264,"text":2152},{"id":2158,"depth":264,"text":2159},{"id":2165,"depth":264,"text":2166},{"id":2172,"depth":258,"text":2173},{"id":2202,"depth":258,"text":2203},{"id":2244,"depth":258,"text":2245},{"id":2254,"depth":258,"text":2255},{"id":1334,"depth":258,"text":1335},{"id":1357,"depth":258,"text":1358},{"id":1405,"depth":258,"text":1406},"The HIPAA minimum necessary standard at §164.502(b) limits PHI use and disclosure to what is reasonably necessary. Here is how to implement it in role-based access.",{"items":2355},[2356,2359,2362,2365],{"label":2357,"content":2358},"What is the HIPAA minimum necessary rule?","The minimum necessary standard at §164.502(b) requires covered entities and business associates to make reasonable efforts to limit the use, disclosure, and request of PHI to the minimum amount necessary to accomplish the intended purpose. It is a Privacy Rule requirement and applies to most uses and disclosures.",{"label":2360,"content":2361},"When does the minimum necessary rule not apply?","The standard does not apply to disclosures to the individual who is the subject of the information, uses or disclosures made pursuant to a valid authorization, uses or disclosures required for treatment, uses or disclosures required by law, or disclosures to HHS for enforcement investigations.",{"label":2363,"content":2364},"Does minimum necessary apply to treatment?","No. 
Disclosures for treatment purposes between providers are exempt from the minimum necessary standard — a receiving clinician may need information the requesting clinician cannot anticipate. The exception is limited to treatment; payment and operations disclosures remain bound by the standard.",{"label":2366,"content":2367},"How does minimum necessary relate to role-based access?","Role-based access is the most common implementation technique for the internal-use portion of the standard. Define roles, map each role to the categories of PHI necessary for job functions, enforce those mappings in systems, and review them periodically.",{},"\u002Fframeworks\u002Fhipaa\u002Fminimum-necessary-rule",[293,1450,1451,1452],[301,300,2372,1454],"workforce-training",{"title":2374,"description":2375},"HIPAA Minimum Necessary Rule - §164.502(b) Standard & Implementation","Implement the HIPAA minimum necessary standard under §164.502(b). Role-based access, exceptions, routine versus non-routine disclosures, and documentation.","5.frameworks\u002Fhipaa\u002Fminimum-necessary-rule","oW0aLoDhMfyQxXI33hAZwo8yFsSrk2aMZGNG0yhWEkU",{"id":2379,"title":31,"body":2380,"description":2602,"extension":278,"faq":546,"frameworkSlug":293,"lastUpdated":294,"meta":2603,"navigation":296,"path":30,"relatedTerms":2604,"relatedTopics":2605,"seo":2606,"stem":2609,"__hash__":2610},"frameworkTopics\u002F5.frameworks\u002Fhipaa\u002Fprivacy-rule.md",{"type":8,"value":2381,"toc":2583},[2382,2386,2389,2395,2404,2408,2411,2415,2418,2421,2447,2454,2458,2461,2465,2468,2472,2475,2479,2482,2486,2489,2493,2496,2499,2519,2522,2525,2528,2532,2535,2539,2542,2546,2553,2557,2560,2573,2577],[11,2383,2385],{"id":2384},"what-is-the-hipaa-privacy-rule","What is the HIPAA Privacy Rule?",[16,2387,2388],{},"The HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) establishes national standards for the protection of individually identifiable health information. 
It defines who may access protected health information (PHI), under what circumstances PHI may be used or disclosed, and what rights patients have over their own health data.",[16,2390,2391,2392,2394],{},"Unlike the ",[23,2393,26],{"href":25},", which focuses exclusively on electronic PHI, the Privacy Rule covers PHI in any form — electronic, paper, or oral. It applies to all covered entities (healthcare providers, health plans, and healthcare clearinghouses) and, through the HITECH Act, to business associates as well.",[16,2396,2397,2398,2400,2401,2403],{},"For a complete overview of ",[23,2399,36],{"href":35}," requirements, visit the main framework page. The ",[23,2402,41],{"href":40}," provides foundational definitions of key terms.",[11,2405,2407],{"id":2406},"protected-health-information-defined","Protected health information defined",[16,2409,2410],{},"PHI is any individually identifiable health information held or transmitted by a covered entity or business associate in any form. The Privacy Rule identifies 18 specific identifiers (names, dates, Social Security numbers, medical record numbers, email addresses, biometric identifiers, and others) that make health information individually identifiable. Removing all 18 identifiers through proper de-identification produces data that falls outside the Privacy Rule's scope.",[11,2412,2414],{"id":2413},"the-minimum-necessary-standard","The minimum necessary standard",[16,2416,2417],{},"One of the Privacy Rule's most consequential requirements is the minimum necessary standard. 
This principle states that covered entities and business associates must make reasonable efforts to limit the use, disclosure, and request of PHI to the minimum amount necessary to accomplish the intended purpose.",[16,2419,2420],{},"The minimum necessary standard applies to:",[137,2422,2423,2429,2435,2441],{},[74,2424,2425,2428],{},[59,2426,2427],{},"Internal uses"," — workforce members should have access only to the PHI they need for their job functions. Role-based access policies are the most common implementation.",[74,2430,2431,2434],{},[59,2432,2433],{},"Routine disclosures"," — for recurring types of disclosures, organizations should establish standard protocols that limit the information shared.",[74,2436,2437,2440],{},[59,2438,2439],{},"Non-routine disclosures"," — for individual requests, the organization must review each request and limit the disclosure to what is reasonably necessary.",[74,2442,2443,2446],{},[59,2444,2445],{},"Requests to other entities"," — when requesting PHI from another covered entity, the organization must limit its request to what is reasonably necessary.",[16,2448,2449,2450,2453],{},"The minimum necessary standard does ",[59,2451,2452],{},"not"," apply to disclosures made to the individual who is the subject of the information, disclosures authorized by the individual, uses or disclosures required for treatment, disclosures required by law, or disclosures to HHS for compliance investigations.",[11,2455,2457],{"id":2456},"patient-rights-under-the-privacy-rule","Patient rights under the Privacy Rule",[16,2459,2460],{},"The Privacy Rule grants individuals significant control over their health information. These rights are enforceable, and organizations must have documented processes to honor them.",[51,2462,2464],{"id":2463},"right-to-access","Right to access",[16,2466,2467],{},"Individuals may inspect and obtain copies of their PHI. 
The covered entity must respond within 30 days (one 30-day extension permitted) and may charge a reasonable, cost-based fee.",[51,2469,2471],{"id":2470},"right-to-request-amendment","Right to request amendment",[16,2473,2474],{},"Individuals may request amendments to inaccurate or incomplete PHI. The entity must act within 60 days and provide written denial with an opportunity for the individual to submit a disagreement statement.",[51,2476,2478],{"id":2477},"right-to-an-accounting-of-disclosures","Right to an accounting of disclosures",[16,2480,2481],{},"Individuals may request a list of PHI disclosures made during the prior six years, excluding disclosures for treatment, payment, operations, and those authorized by the individual.",[51,2483,2485],{"id":2484},"right-to-request-restrictions-and-confidential-communications","Right to request restrictions and confidential communications",[16,2487,2488],{},"Individuals may request restrictions on PHI use for treatment, payment, or operations. The entity must comply when the individual pays out of pocket and requests non-disclosure to a health plan. Individuals may also request alternative communication methods or locations.",[11,2490,2492],{"id":2491},"notice-of-privacy-practices-npp","Notice of Privacy Practices (NPP)",[16,2494,2495],{},"The Notice of Privacy Practices is a foundational document under the Privacy Rule. 
It must be provided to every individual at the first point of service (for healthcare providers with a direct treatment relationship) or upon request.",[16,2497,2498],{},"The NPP must include:",[137,2500,2501,2504,2507,2510,2513,2516],{},[74,2502,2503],{},"A description of how the entity may use and disclose PHI",[74,2505,2506],{},"The individual's rights regarding their PHI",[74,2508,2509],{},"The entity's legal duties with respect to PHI",[74,2511,2512],{},"Contact information for the entity's privacy official",[74,2514,2515],{},"Contact information for filing complaints with the entity and with HHS",[74,2517,2518],{},"The effective date of the notice",[16,2520,2521],{},"The NPP must be prominently posted at the entity's physical location and on its website if it maintains one. Any material change to privacy practices requires a revised NPP and updated distribution.",[11,2523,389],{"id":2524},"permitted-uses-and-disclosures",[16,2526,2527],{},"The Privacy Rule defines specific categories of permitted uses and disclosures. Understanding these categories is essential for compliance, as any use or disclosure that falls outside them requires written patient authorization.",[51,2529,2531],{"id":2530},"uses-and-disclosures-without-authorization","Uses and disclosures without authorization",[16,2533,2534],{},"PHI may be used or disclosed without individual authorization for treatment, payment, healthcare operations, public health activities, health oversight, judicial and administrative proceedings, law enforcement purposes, research (with IRB approval), preventing serious threats to health or safety, essential government functions, workers' compensation, and reporting abuse or neglect.",[51,2536,2538],{"id":2537},"uses-and-disclosures-requiring-authorization","Uses and disclosures requiring authorization",[16,2540,2541],{},"Any use or disclosure not covered by the permitted categories above requires a valid written authorization from the individual. 
Authorizations must include a description of the information, the persons authorized to make and receive the disclosure, an expiration date, and the individual's signature. Marketing communications, the sale of PHI, and psychotherapy notes almost always require authorization.",[11,2543,2545],{"id":2544},"business-associates-and-the-privacy-rule","Business associates and the Privacy Rule",[16,2547,2548,2549,2552],{},"The Privacy Rule requires covered entities to obtain satisfactory assurances from business associates that they will appropriately safeguard PHI. These assurances are formalized through ",[23,2550,2551],{"href":178},"Business Associate Agreements (BAAs)",". The HITECH Act extended many Privacy Rule requirements directly to business associates, making them independently liable for compliance.",[11,2554,2556],{"id":2555},"enforcement","Enforcement",[16,2558,2559],{},"The HHS Office for Civil Rights enforces the Privacy Rule through investigations triggered by complaints or compliance reviews. Penalties mirror those of the Security Rule, ranging from $100 to $50,000 per violation with annual maximums of $1.5 million per category. 
State attorneys general may also bring actions for Privacy Rule violations under the HITECH Act.",[16,2561,2562,2563,2566,2567,2569,2570,2572],{},"For ",[23,2564,2565],{"href":238},"healthcare organizations"," establishing or strengthening their privacy program, the ",[23,2568,247],{"href":246}," includes a complete walkthrough of Privacy Rule obligations alongside Security Rule and ",[23,2571,411],{"href":297}," requirements.",[11,2574,2576],{"id":2575},"practical-steps-for-compliance","Practical steps for compliance",[16,2578,2579,2580,2582],{},"Organizations building a Privacy Rule compliance program should designate a privacy official, conduct a PHI inventory across all systems and workflows, develop and distribute the Notice of Privacy Practices, implement minimum necessary policies with role-based access controls, train all workforce members at onboarding and regularly thereafter, establish documented procedures for patient rights requests, execute ",[23,2581,835],{"href":178}," with all business associates before sharing PHI, and implement a complaint process allowing individuals to report privacy concerns without retaliation.",{"title":257,"searchDepth":258,"depth":258,"links":2584},[2585,2586,2587,2588,2594,2595,2599,2600,2601],{"id":2384,"depth":258,"text":2385},{"id":2406,"depth":258,"text":2407},{"id":2413,"depth":258,"text":2414},{"id":2456,"depth":258,"text":2457,"children":2589},[2590,2591,2592,2593],{"id":2463,"depth":264,"text":2464},{"id":2470,"depth":264,"text":2471},{"id":2477,"depth":264,"text":2478},{"id":2484,"depth":264,"text":2485},{"id":2491,"depth":258,"text":2492},{"id":2524,"depth":258,"text":389,"children":2596},[2597,2598],{"id":2530,"depth":264,"text":2531},{"id":2537,"depth":264,"text":2538},{"id":2544,"depth":258,"text":2545},{"id":2555,"depth":258,"text":2556},{"id":2575,"depth":258,"text":2576},"The HIPAA Privacy Rule governs the use and disclosure of protected health information, establishes patient rights, and sets the minimum 
necessary standard.",{},[293],[300,550,302,303],{"title":2607,"description":2608},"HIPAA Privacy Rule - Patient Rights, PHI Disclosures & Compliance Guide","Understand the HIPAA Privacy Rule including minimum necessary standard, patient rights, permitted disclosures, and Notice of Privacy Practices requirements.","5.frameworks\u002Fhipaa\u002Fprivacy-rule","OfUJph-DV0iDq4L1N_bzj2O5Zhe8YsiW1zB5h1yu8I8",{"id":2612,"title":2613,"body":2614,"description":2945,"extension":278,"faq":2946,"frameworkSlug":293,"lastUpdated":294,"meta":2960,"navigation":296,"path":1186,"relatedTerms":2961,"relatedTopics":2962,"seo":2963,"stem":2966,"__hash__":2967},"frameworkTopics\u002F5.frameworks\u002Fhipaa\u002Frisk-analysis.md","HIPAA Risk Analysis",{"type":8,"value":2615,"toc":2933},[2616,2620,2623,2626,2629,2636,2640,2643,2699,2702,2706,2709,2712,2726,2729,2733,2736,2739,2765,2768,2772,2775,2778,2781,2784,2788,2791,2817,2820,2824,2827,2847,2858,2860,2872,2874,2924,2926,2929],[11,2617,2619],{"id":2618},"why-hipaa-risk-analysis-matters","Why HIPAA risk analysis matters",[16,2621,2622],{},"HIPAA §164.308(a)(1)(ii)(A) — the Risk Analysis implementation specification — requires covered entities and business associates to \"conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.\" It sits at the top of the Security Management Process standard and is the foundation on which the rest of the Security Rule is built.",[16,2624,2625],{},"Everything downstream — the policies you write, the controls you deploy, the contingency plan you exercise, the sanctions you apply — should trace back to findings in the risk analysis. Without it, compliance becomes a checklist exercise divorced from actual risk. 
With it, limited time and budget flow to the systems and scenarios that matter most.",[16,2627,2628],{},"OCR has made the point repeatedly. In its published resolution agreements, missing or inadequate risk analyses are the single most cited finding — present in a majority of major enforcement actions from the last decade. That pattern reflects a consistent regulator view: an organization that cannot demonstrate an accurate and thorough HIPAA risk analysis has not started its compliance program.",[16,2630,2631,2632,1179,2634,42],{},"For the broader Security Rule context, see the ",[23,2633,26],{"href":25},[23,2635,1182],{"href":35},[11,2637,2639],{"id":2638},"what-accurate-and-thorough-actually-requires","What \"accurate and thorough\" actually requires",[16,2641,2642],{},"HHS guidance — most notably the 2010 Final Guidance on Risk Analysis Requirements — defines what \"accurate and thorough\" means in practice. Nine elements must be addressed.",[71,2644,2645,2651,2657,2663,2669,2675,2681,2687,2693],{},[74,2646,2647,2650],{},[59,2648,2649],{},"Scope of the analysis."," Cover every system, application, and process that creates, receives, maintains, or transmits ePHI, including portable media, remote access, and third-party systems.",[74,2652,2653,2656],{},[59,2654,2655],{},"Data collection."," Gather information about how ePHI is stored, received, maintained, and transmitted. This includes interviewing workforce members and reviewing documentation, not just running scans.",[74,2658,2659,2662],{},[59,2660,2661],{},"Identification and documentation of potential threats and vulnerabilities."," Threats are the sources of harm — natural, human, environmental. 
Vulnerabilities are the weaknesses threats can exploit.",[74,2664,2665,2668],{},[59,2666,2667],{},"Assessment of current security measures."," Document the controls already in place and how effectively they reduce risk.",[74,2670,2671,2674],{},[59,2672,2673],{},"Determination of the likelihood of threat occurrence."," Qualitatively or quantitatively, assess how likely each threat is to materialize given current controls.",[74,2676,2677,2680],{},[59,2678,2679],{},"Determination of the potential impact of threat occurrence."," Assess the consequence to confidentiality, integrity, and availability of ePHI if the threat materializes.",[74,2682,2683,2686],{},[59,2684,2685],{},"Determination of the level of risk."," Combine likelihood and impact to produce a risk rating.",[74,2688,2689,2692],{},[59,2690,2691],{},"Finalized documentation."," Written output that can be produced on demand.",[74,2694,2695,2698],{},[59,2696,2697],{},"Periodic review and updates."," A living document, refreshed at defined intervals and after material change.",[16,2700,2701],{},"These nine elements map cleanly onto NIST Special Publication 800-30 Revision 1, which is why most HIPAA programs adopt 800-30 as their methodology.",[11,2703,2705],{"id":2704},"scope-the-most-common-source-of-failure","Scope: the most common source of failure",[16,2707,2708],{},"The single most common HIPAA risk analysis failure is an incomplete scope. OCR repeatedly finds that organizations assessed the EHR, the email system, and the main file server — but not the developer laptops, the analytics warehouse, the backup tapes, the clinical tablets, the text message workflow a customer support team built on the side, or the twenty business associates whose systems jointly touch the same PHI.",[16,2710,2711],{},"A defensible scope begins with a PHI data flow map. 
Answer four questions for every system in the organization.",[137,2713,2714,2717,2720,2723],{},[74,2715,2716],{},"Does this system create, receive, maintain, or transmit ePHI?",[74,2718,2719],{},"If yes, what categories of PHI, and at what volume?",[74,2721,2722],{},"Who else touches the data — upstream, downstream, or in parallel?",[74,2724,2725],{},"What happens when the data leaves the system?",[16,2727,2728],{},"Every system that answers yes to the first question is in scope. Systems that currently answer no but are planned to answer yes in the next twelve months should also be captured so the analysis stays ahead of the build plan.",[11,2730,2732],{"id":2731},"threats-and-vulnerabilities","Threats and vulnerabilities",[16,2734,2735],{},"NIST SP 800-30 separates threats from vulnerabilities — a useful distinction that prevents the common error of treating a missing control as a threat.",[16,2737,2738],{},"Threat categories include:",[137,2740,2741,2747,2753,2759],{},[74,2742,2743,2746],{},[59,2744,2745],{},"Adversarial threats"," — external attackers, malicious insiders, organized crime, nation-state actors.",[74,2748,2749,2752],{},[59,2750,2751],{},"Accidental threats"," — workforce errors, misconfigured systems, mis-sent emails, lost devices.",[74,2754,2755,2758],{},[59,2756,2757],{},"Structural threats"," — hardware failures, software bugs, vendor outages, capacity exhaustion.",[74,2760,2761,2764],{},[59,2762,2763],{},"Environmental threats"," — fire, flood, power failure, pandemic.",[16,2766,2767],{},"For each in-scope system, inventory the threats that realistically apply and the vulnerabilities that could let those threats materialize. 
Industry threat intelligence, OCR enforcement patterns, and your own incident history are all valid inputs.",[11,2769,2771],{"id":2770},"likelihood-and-impact","Likelihood and impact",[16,2773,2774],{},"Likelihood and impact can be expressed qualitatively (low, moderate, high, very high) or quantitatively (probability ranges and dollar figures). Most HIPAA programs start qualitative and tighten over time as better data becomes available.",[16,2776,2777],{},"A defensible likelihood assessment considers the threat source's motivation, capability, and opportunity; the effectiveness of current controls; and the frequency with which similar events have occurred historically in the organization's sector.",[16,2779,2780],{},"A defensible impact assessment considers the confidentiality, integrity, and availability consequences; the volume and sensitivity of PHI affected; the regulatory and contractual consequences; and the downstream effects on patients or end users.",[16,2782,2783],{},"The risk level is a function of the two, often represented in a heat map. Risks above a defined threshold feed the risk management plan required by §164.308(a)(1)(ii)(B).",[11,2785,2787],{"id":2786},"documentation-that-survives-audit","Documentation that survives audit",[16,2789,2790],{},"The risk analysis artifact itself must be written, retrievable, and referenced throughout the rest of the program. 
A defensible artifact includes:",[137,2792,2793,2796,2799,2802,2805,2808,2811,2814],{},[74,2794,2795],{},"Scope statement and asset inventory.",[74,2797,2798],{},"Methodology used, with explicit reference to NIST SP 800-30 or the equivalent.",[74,2800,2801],{},"Threat catalog and vulnerability catalog.",[74,2803,2804],{},"Inventory of current controls.",[74,2806,2807],{},"Likelihood and impact ratings for each risk, with rationale.",[74,2809,2810],{},"Risk register sorted by priority, feeding the risk management plan.",[74,2812,2813],{},"Change log documenting updates.",[74,2815,2816],{},"Signatures or approvals from the HIPAA security official and executive leadership.",[16,2818,2819],{},"Retain for at least six years from creation or last effective date. Because this is a living document, the retention clock resets every time the artifact is updated.",[11,2821,2823],{"id":2822},"integrating-risk-analysis-into-the-operating-rhythm","Integrating risk analysis into the operating rhythm",[16,2825,2826],{},"A risk analysis that runs once and then gathers dust is the worst possible outcome — it creates a false sense of completion. Build the refresh into the operating rhythm.",[137,2828,2829,2835,2841],{},[74,2830,2831,2834],{},[59,2832,2833],{},"Quarterly."," Review the risk register, update ratings as controls mature or threats evolve, and close risks that have been adequately mitigated.",[74,2836,2837,2840],{},[59,2838,2839],{},"Annually."," Run a full refresh. 
Revisit scope, re-interview owners, re-run threat modeling, and produce an updated artifact.",[74,2842,2843,2846],{},[59,2844,2845],{},"Event-driven."," Trigger a targeted refresh after a material change — new system, new customer segment, significant incident, regulatory update, organizational restructuring.",[16,2848,2849,2850,2853,2854,2857],{},"Tie the refresh cadence to the ",[23,2851,2852],{"href":1448},"contingency planning"," test calendar and the ",[23,2855,2856],{"href":246},"compliance checklist"," review calendar so the full program moves together.",[11,2859,1335],{"id":1334},[16,2861,2862,2863,2865,2866,2868,2869,2871],{},"The risk analysis is the connective tissue of a HIPAA program. It sets priorities for the ",[23,2864,26],{"href":25}," controls you invest in. It shapes the risk management plan at §164.308(a)(1)(ii)(B). It informs the testing calendar for ",[23,2867,2852],{"href":1448},". It surfaces the scenarios that ",[23,2870,1350],{"href":1349}," should address. It feeds the threat scenarios your incident response runbooks rehearse. And it anchors the conversation with customers and regulators when they ask how you prioritize your compliance program.",[11,2873,1358],{"id":1357},[137,2875,2876,2882,2888,2894,2900,2906,2912,2918],{},[74,2877,2878,2881],{},[59,2879,2880],{},"Scope gaps."," The analysis covers the obvious systems and misses the edges — developer laptops, shadow IT, analytics warehouses, third-party SaaS with ad hoc BAAs.",[74,2883,2884,2887],{},[59,2885,2886],{},"Vulnerability scan as risk analysis."," A pen test report or a CVE scan gets stapled to a cover page and labeled a risk analysis. 
OCR has rejected this pattern consistently.",[74,2889,2890,2893],{},[59,2891,2892],{},"Generic threat catalog."," The threat list is a copy of a consultant template with no tailoring to the organization's actual technology and workforce.",[74,2895,2896,2899],{},[59,2897,2898],{},"No likelihood or impact reasoning."," Risks are rated \"high\" or \"medium\" with no written justification, so the ratings are not defensible a year later.",[74,2901,2902,2905],{},[59,2903,2904],{},"Artifact from two years ago."," The risk analysis on file predates significant changes in the environment, and the change log is empty.",[74,2907,2908,2911],{},[59,2909,2910],{},"No linkage to the risk management plan."," Risks are identified but not prioritized, and there is no mitigation plan tied to the register.",[74,2913,2914,2917],{},[59,2915,2916],{},"Single-person exercise."," The security officer wrote the risk analysis alone, without input from engineering, operations, clinical, or legal. Gaps are inevitable.",[74,2919,2920,2923],{},[59,2921,2922],{},"Business associates excluded."," Risks the organization inherits from its BAAs are missing, even though OCR has made clear those risks are in scope.",[11,2925,1406],{"id":1405},[16,2927,2928],{},"episki brings HIPAA risk analysis into the same workspace as the rest of your compliance program. 
The risk register is linked to assets, controls, and policies; scope is refreshed automatically as systems are added to inventory; threat and vulnerability catalogs are pre-built and tailored to healthtech; likelihood, impact, and rationale are captured in structured fields that survive personnel changes; and the annual refresh runs as a guided workflow with evidence rolling up for auditors and customers.",[16,2930,1412,2931,1416],{},[23,2932,1415],{"href":35},{"title":257,"searchDepth":258,"depth":258,"links":2934},[2935,2936,2937,2938,2939,2940,2941,2942,2943,2944],{"id":2618,"depth":258,"text":2619},{"id":2638,"depth":258,"text":2639},{"id":2704,"depth":258,"text":2705},{"id":2731,"depth":258,"text":2732},{"id":2770,"depth":258,"text":2771},{"id":2786,"depth":258,"text":2787},{"id":2822,"depth":258,"text":2823},{"id":1334,"depth":258,"text":1335},{"id":1357,"depth":258,"text":1358},{"id":1405,"depth":258,"text":1406},"HIPAA §164.308(a)(1)(ii)(A) requires an accurate and thorough risk analysis for every system that handles ePHI. Here is how to run one using NIST SP 800-30.",{"items":2947},[2948,2951,2954,2957],{"label":2949,"content":2950},"Is a HIPAA risk analysis required?","Yes. §164.308(a)(1)(ii)(A) is a required implementation specification within the Security Management Process standard. Covered entities and business associates must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.",{"label":2952,"content":2953},"How often should we refresh our HIPAA risk analysis?","HIPAA does not specify a cadence, but OCR guidance and mature practice converge on refreshing at least annually and after any material change — new systems, new customers with bespoke requirements, significant incidents, or regulatory updates. 
A stale risk analysis is one of the most common OCR findings.",{"label":2955,"content":2956},"What framework should we use for HIPAA risk analysis?","NIST Special Publication 800-30 is the methodology OCR cites most frequently. It provides a structured approach to asset identification, threat identification, vulnerability identification, likelihood and impact determination, and risk prioritization. HHS has published its own risk analysis guidance that aligns with NIST SP 800-30.",{"label":2958,"content":2959},"Does a vulnerability scan count as a HIPAA risk analysis?","No. A vulnerability scan is one input to a risk analysis, not a substitute for it. A HIPAA risk analysis must cover organizational, physical, administrative, and technical risks — not just technical vulnerabilities. OCR has explicitly rejected vulnerability-scan-only approaches as insufficient.",{},[293,1450,1451,1452],[300,1742,303,2372],{"title":2964,"description":2965},"HIPAA Risk Analysis - §164.308(a)(1)(ii)(A) NIST 800-30 Methodology","Run a defensible HIPAA risk analysis under §164.308(a)(1)(ii)(A) using NIST SP 800-30. 
Asset inventory, threat modeling, likelihood, impact, and documentation.","5.frameworks\u002Fhipaa\u002Frisk-analysis","if1-x0W6KLoHNWUYA_lcod_9bulcnf4cn1-aiE7pLiA",{"id":2969,"title":2970,"body":2971,"description":3249,"extension":278,"faq":3250,"frameworkSlug":293,"lastUpdated":294,"meta":3264,"navigation":296,"path":2276,"relatedTerms":3265,"relatedTopics":3266,"seo":3267,"stem":3270,"__hash__":3271},"frameworkTopics\u002F5.frameworks\u002Fhipaa\u002Fsanctions-policy.md","HIPAA Sanctions Policy",{"type":8,"value":2972,"toc":3232},[2973,2977,2980,2983,2990,2994,2997,3008,3011,3014,3018,3021,3059,3062,3066,3069,3073,3076,3080,3083,3087,3090,3094,3097,3101,3104,3108,3111,3125,3128,3130,3133,3165,3168,3170,3180,3183,3185,3223,3225,3228],[11,2974,2976],{"id":2975},"why-a-hipaa-sanctions-policy-matters","Why a HIPAA sanctions policy matters",[16,2978,2979],{},"HIPAA §164.308(a)(1)(ii)(C) is short but mandatory: covered entities and business associates must \"apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.\" It is one of the required implementation specifications within the Security Management Process standard — there is no addressable alternative. Either you have a sanctions policy that you actually enforce, or you are out of compliance.",[16,2981,2982],{},"The purpose of the policy is twofold. First, it deters policy violations by making consequences explicit. 
Second, it creates an auditable record that the organization takes its HIPAA obligations seriously — which matters not only during OCR investigations but also during customer security reviews, where a consistently enforced sanctions policy signals a mature program.",[16,2984,2985,2986,1179,2988,42],{},"For the broader context of administrative safeguards, see the ",[23,2987,26],{"href":25},[23,2989,1182],{"href":35},[11,2991,2993],{"id":2992},"what-the-rule-actually-requires","What the rule actually requires",[16,2995,2996],{},"§164.308(a)(1)(ii)(C) requires three things.",[71,2998,2999,3002,3005],{},[74,3000,3001],{},"A written sanctions policy that applies to workforce members who fail to comply with security policies and procedures.",[74,3003,3004],{},"Consistent application of that policy when violations occur.",[74,3006,3007],{},"Documentation of sanctions imposed, retained for at least six years.",[16,3009,3010],{},"The rule does not prescribe specific sanctions. OCR guidance and enforcement history make clear that sanctions must be proportionate to the violation, applied consistently regardless of seniority, and documented in a way that survives personnel changes.",[16,3012,3013],{},"The Privacy Rule at §164.530(e) imposes a parallel sanctions obligation for violations of the Privacy Rule. Most programs write a single policy that covers both Security and Privacy Rule violations, which simplifies administration and messaging.",[11,3015,3017],{"id":3016},"defining-what-counts-as-a-violation","Defining what counts as a violation",[16,3019,3020],{},"A sanctions policy is only enforceable if workforce members know what would trigger it. 
Your policy should enumerate representative categories of violations, not an exhaustive list.",[137,3022,3023,3029,3035,3041,3047,3053],{},[74,3024,3025,3028],{},[59,3026,3027],{},"Unauthorized access to PHI."," Looking up a patient, customer, or co-worker's record without a legitimate business reason.",[74,3030,3031,3034],{},[59,3032,3033],{},"Improper disclosure of PHI."," Sharing PHI with a person not authorized to receive it — including family members, friends, or unvetted vendors.",[74,3036,3037,3040],{},[59,3038,3039],{},"Policy shortcuts."," Sharing passwords, disabling multi-factor, using personal email to send PHI, or loading PHI onto unencrypted personal devices.",[74,3042,3043,3046],{},[59,3044,3045],{},"Failure to report."," Knowing about a suspected breach and failing to report it through the documented incident path.",[74,3048,3049,3052],{},[59,3050,3051],{},"Retaliation."," Punishing or discouraging a workforce member who reports a suspected HIPAA violation in good faith.",[74,3054,3055,3058],{},[59,3056,3057],{},"Willful misuse."," Selling, altering, or destroying PHI for personal gain, curiosity, or malice — the category that most often triggers criminal penalties.",[16,3060,3061],{},"Define each category in plain language and reference the underlying HIPAA requirement. That linkage matters: if you later sanction someone for \"unauthorized access,\" the violation cited in the record should be clearly tied to the written policy.",[11,3063,3065],{"id":3064},"progressive-discipline","Progressive discipline",[16,3067,3068],{},"Progressive discipline is the most common sanctions structure because it scales fairly across a wide range of violations. 
A typical ladder looks like this.",[51,3070,3072],{"id":3071},"step-1-verbal-counseling-plus-retraining","Step 1 — Verbal counseling plus retraining",[16,3074,3075],{},"For minor, first-time, accidental violations — for example, a new workforce member sending PHI over unencrypted email because they misunderstood the acceptable use policy — verbal counseling plus targeted retraining is usually appropriate. Document the conversation, the retraining completed, and the workforce member's acknowledgment.",[51,3077,3079],{"id":3078},"step-2-written-warning","Step 2 — Written warning",[16,3081,3082],{},"For repeated minor violations or a first violation that created real but containable risk, a written warning enters the workforce member's HIPAA file. The warning cites the policy, describes the behavior, and specifies what must change.",[51,3084,3086],{"id":3085},"step-3-suspension-and-access-review","Step 3 — Suspension and access review",[16,3088,3089],{},"For significant violations — for example, unauthorized access to the record of a person known to the workforce member — consider suspending system access pending investigation, conducting a full access review, and retraining before reinstatement. Suspension communicates that the organization distinguishes between carelessness and deliberate policy breach.",[51,3091,3093],{"id":3092},"step-4-termination","Step 4 — Termination",[16,3095,3096],{},"For egregious, willful, or repeated violations, termination is the appropriate sanction. Terminations tied to PHI misuse should include immediate revocation of all access, legal review, and consideration of law enforcement referral. 
Where the facts warrant it, report to OCR under the breach notification rule.",[51,3098,3100],{"id":3099},"step-5-referral-for-criminal-prosecution","Step 5 — Referral for criminal prosecution",[16,3102,3103],{},"Willful misuse of PHI for personal gain, transfer for commercial advantage, or malicious harm can trigger criminal penalties up to $250,000 and 10 years of imprisonment under 42 USC §1320d-6. Coordinate with counsel before any referral, but do not treat this as theoretical — OCR has publicly pursued these cases.",[11,3105,3107],{"id":3106},"consistency-is-the-hardest-part","Consistency is the hardest part",[16,3109,3110],{},"The policy works only if it applies the same way across the organization. OCR resolution agreements consistently cite inconsistent sanctions as evidence of a broken program. Two patterns create the most exposure.",[137,3112,3113,3119],{},[74,3114,3115,3118],{},[59,3116,3117],{},"Status asymmetry."," A junior employee is sanctioned for accessing a record they should not have seen, while a senior clinician or executive commits the same violation and is counseled informally. The gap undermines every sanction that follows.",[74,3120,3121,3124],{},[59,3122,3123],{},"Context asymmetry."," The same violation is treated as minor when it comes from the CEO's favorite team and serious when it comes from another. Both asymmetries are visible in the long tail of sanction records.",[16,3126,3127],{},"Build a review step into serious sanctions. 
A short panel — legal, HR, and the privacy or security official — can ensure consistency across cases and create a defensible record of deliberation.",[11,3129,2787],{"id":2786},[16,3131,3132],{},"Your sanctions records should answer five questions without ambiguity.",[137,3134,3135,3141,3147,3153,3159],{},[74,3136,3137,3140],{},[59,3138,3139],{},"Who was sanctioned?"," Keyed to unique workforce identifier.",[74,3142,3143,3146],{},[59,3144,3145],{},"What happened?"," A factual narrative of the violation, including systems involved, PHI at risk, and how it was discovered.",[74,3148,3149,3152],{},[59,3150,3151],{},"Which policy was violated?"," The specific section of the sanctions policy and any underlying security or privacy policies.",[74,3154,3155,3158],{},[59,3156,3157],{},"What sanction was applied?"," The specific action, its effective date, and any conditions (retraining, access review, probation).",[74,3160,3161,3164],{},[59,3162,3163],{},"Who approved it?"," Signatures from the approving manager, HR, and — for serious sanctions — the privacy or security official.",[16,3166,3167],{},"Retain these records for at least six years. Keep them in a location separate from general HR files so they can be produced without exposing unrelated personnel information.",[11,3169,1335],{"id":1334},[16,3171,3172,3173,3175,3176,3179],{},"A sanctions policy is part of a connected set of administrative safeguards. It pairs with ",[23,3174,1350],{"href":1349},", because you cannot fairly sanction a workforce member for a policy they were never taught. It pairs with the ",[23,3177,3178],{"href":2369},"minimum necessary rule",", because role-based access is only enforceable if violations carry consequences. It pairs with audit controls, because audit logs surface the unauthorized access patterns that sanctions are intended to address.",[16,3181,3182],{},"It also pairs with your breach response. 
Many sanctions cases begin as incident investigations, and the quality of the investigation — the evidence captured, the systems reviewed, the timeline reconstructed — determines whether the sanction will hold up in a subsequent dispute.",[11,3184,1358],{"id":1357},[137,3186,3187,3193,3199,3205,3211,3217],{},[74,3188,3189,3192],{},[59,3190,3191],{},"Policy in a drawer."," A sanctions policy exists, but no one at the organization can name a single case where it was applied. Either violations are being missed or they are being handled inconsistently.",[74,3194,3195,3198],{},[59,3196,3197],{},"No escalation path."," Managers apply informal sanctions on their own without involving HR, legal, or the privacy or security official, creating inconsistent outcomes and poor documentation.",[74,3200,3201,3204],{},[59,3202,3203],{},"Sanctions are treated as HR-only."," The privacy officer learns about a PHI misuse case months later, after OCR reporting windows have closed.",[74,3206,3207,3210],{},[59,3208,3209],{},"Retaliation risk."," A workforce member who reports a suspected violation is later sanctioned for an unrelated performance issue, creating the appearance of retaliation. Separate the processes visibly.",[74,3212,3213,3216],{},[59,3214,3215],{},"Contractor gaps."," The policy covers employees but not contractors with equivalent access, even though HIPAA's definition of workforce covers both.",[74,3218,3219,3222],{},[59,3220,3221],{},"Missing sanctions for senior staff."," No executive has ever been sanctioned, even after clear policy violations. During audits this is a leading indicator of selective enforcement.",[11,3224,1406],{"id":1405},[16,3226,3227],{},"episki ties sanctions records directly to the workforce member, the policy they violated, and the systems involved — so sanctions feed your broader HIPAA program instead of living in a siloed HR folder. 
Pre-built templates cover progressive discipline, documentation requirements, and escalation routing; workflow automation routes serious cases to the privacy or security official; and retention timers keep sanction records available for the full six-year window.",[16,3229,1412,3230,1416],{},[23,3231,1415],{"href":35},{"title":257,"searchDepth":258,"depth":258,"links":3233},[3234,3235,3236,3237,3244,3245,3246,3247,3248],{"id":2975,"depth":258,"text":2976},{"id":2992,"depth":258,"text":2993},{"id":3016,"depth":258,"text":3017},{"id":3064,"depth":258,"text":3065,"children":3238},[3239,3240,3241,3242,3243],{"id":3071,"depth":264,"text":3072},{"id":3078,"depth":264,"text":3079},{"id":3085,"depth":264,"text":3086},{"id":3092,"depth":264,"text":3093},{"id":3099,"depth":264,"text":3100},{"id":3106,"depth":258,"text":3107},{"id":2786,"depth":258,"text":2787},{"id":1334,"depth":258,"text":1335},{"id":1357,"depth":258,"text":1358},{"id":1405,"depth":258,"text":1406},"HIPAA §164.308(a)(1)(ii)(C) requires a sanctions policy for workforce members who violate HIPAA. Here is how to design one that is fair, consistent, and defensible.",{"items":3251},[3252,3255,3258,3261],{"label":3253,"content":3254},"Is a sanctions policy required by HIPAA?","Yes. 45 CFR §164.308(a)(1)(ii)(C) is a required — not addressable — implementation specification. Every covered entity and business associate must apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures.",{"label":3256,"content":3257},"What happens if a workforce member violates HIPAA?","The response depends on the severity, intent, and harm caused. Progressive discipline typically starts with retraining for minor accidental violations and escalates through written warnings, suspension, termination, and referral for criminal prosecution for willful misuse of PHI.",{"label":3259,"content":3260},"Do we have to fire employees for HIPAA violations?","No. 
HIPAA requires appropriate sanctions, not specific sanctions. Termination is appropriate for egregious, willful, or repeated violations. For honest mistakes, retraining plus documented counseling is often more appropriate and more likely to change behavior across the workforce.",{"label":3262,"content":3263},"How long must we retain sanction records?","HIPAA requires retention of policies and documentation for at least six years from creation or last effective date. Individual sanction records should be retained for the same period and kept in a location separate from general HR files so they can be produced on demand during an audit.",{},[293,1450,1451,1452],[2372,300,301,303],{"title":3268,"description":3269},"HIPAA Sanctions Policy - §164.308(a)(1)(ii)(C) Requirements & Examples","Build a HIPAA sanctions policy that satisfies §164.308(a)(1)(ii)(C). Progressive discipline, documentation, and common OCR findings for workforce violations.","5.frameworks\u002Fhipaa\u002Fsanctions-policy","3t3ZLT-67YrHlg2YxS8tWwiQIhmAqpbTHNm9HUWBH7s",{"id":3273,"title":26,"body":3274,"description":3578,"extension":278,"faq":546,"frameworkSlug":293,"lastUpdated":294,"meta":3579,"navigation":296,"path":25,"relatedTerms":3580,"relatedTopics":3581,"seo":3582,"stem":3585,"__hash__":3586},"frameworkTopics\u002F5.frameworks\u002Fhipaa\u002Fsecurity-rule.md",{"type":8,"value":3275,"toc":3562},[3276,3280,3286,3289,3298,3302,3306,3309,3312,3359,3363,3366,3369,3395,3399,3402,3404,3436,3440,3450,3454,3457,3461,3464,3484,3487,3491,3494,3497,3501,3508,3512,3515,3547,3555,3559],[11,3277,3279],{"id":3278},"what-is-the-hipaa-security-rule","What is the HIPAA Security Rule?",[16,3281,3282,3283,3285],{},"The HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164) sets the national floor for protecting electronic protected health information (ePHI). 
While the ",[23,3284,31],{"href":30}," covers all forms of PHI, the Security Rule focuses exclusively on ePHI — any protected health information that is created, received, maintained, or transmitted in electronic form.",[16,3287,3288],{},"Every covered entity and business associate that handles ePHI must implement a set of safeguards designed to ensure the confidentiality, integrity, and availability of that data. The rule is intentionally flexible: it recognizes that a two-person dental practice faces different risks than a national hospital chain, so it allows organizations to choose how they meet each standard based on their size, complexity, and risk profile.",[16,3290,3291,3292,3294,3295,3297],{},"For a broader overview of ",[23,3293,36],{"href":35}," requirements, see the main framework page. You can also review the ",[23,3296,41],{"href":40}," for foundational definitions.",[11,3299,3301],{"id":3300},"the-three-safeguard-categories","The three safeguard categories",[51,3303,3305],{"id":3304},"administrative-safeguards","Administrative safeguards",[16,3307,3308],{},"Administrative safeguards are the policies, procedures, and organizational measures that manage the selection, development, and implementation of security controls. They typically consume the most time and resources because they touch every part of the organization.",[16,3310,3311],{},"Key standards within administrative safeguards include:",[137,3313,3314,3320,3326,3332,3342,3348,3353],{},[74,3315,3316,3319],{},[59,3317,3318],{},"Security management process"," — conduct a thorough risk analysis, implement risk management measures, apply sanctions for policy violations, and review information system activity regularly.",[74,3321,3322,3325],{},[59,3323,3324],{},"Assigned security responsibility"," — designate a single security official accountable for developing and implementing security policies. 
This person does not need to perform every task, but they must own the program.",[74,3327,3328,3331],{},[59,3329,3330],{},"Workforce security"," — establish procedures for authorizing access, supervising workforce members who interact with ePHI, and terminating access when employment ends.",[74,3333,3334,3337,3338,3341],{},[59,3335,3336],{},"Information access management"," — implement policies that grant access to ePHI only when a workforce member's role requires it. This aligns closely with the ",[23,3339,3340],{"href":30},"Privacy Rule's"," minimum necessary standard.",[74,3343,3344,3347],{},[59,3345,3346],{},"Security awareness and training"," — deliver periodic training on password management, malicious software protection, log-in monitoring, and security reminders.",[74,3349,3350,3352],{},[59,3351,1648],{}," — maintain a data backup plan, disaster recovery plan, and emergency mode operation plan. Test and revise these plans on a defined schedule.",[74,3354,3355,3358],{},[59,3356,3357],{},"Evaluation"," — perform periodic technical and non-technical evaluations in response to environmental or operational changes.",[51,3360,3362],{"id":3361},"physical-safeguards","Physical safeguards",[16,3364,3365],{},"Physical safeguards protect the electronic systems, equipment, and buildings that house ePHI from unauthorized physical access, tampering, and natural hazards.",[16,3367,3368],{},"Key standards include:",[137,3370,3371,3377,3383,3389],{},[74,3372,3373,3376],{},[59,3374,3375],{},"Facility access controls"," — implement policies governing who may physically enter areas where ePHI systems reside. This covers contingency operations, facility security plans, access control and validation procedures, and maintenance records.",[74,3378,3379,3382],{},[59,3380,3381],{},"Workstation use"," — define the functions performed at each workstation and the physical attributes of its surroundings that protect ePHI. 
A laptop used in a public coffee shop carries different risks than a desktop inside a locked server room.",[74,3384,3385,3388],{},[59,3386,3387],{},"Workstation security"," — implement physical safeguards for all workstations that access ePHI, restricting access to authorized users only.",[74,3390,3391,3394],{},[59,3392,3393],{},"Device and media controls"," — govern the receipt, removal, backup, storage, reuse, and disposal of hardware and electronic media containing ePHI. This includes maintaining records of device movements and creating retrievable exact copies of ePHI before equipment is moved.",[51,3396,3398],{"id":3397},"technical-safeguards","Technical safeguards",[16,3400,3401],{},"Technical safeguards are the technology and related policies that protect ePHI and control access to it. These are the controls most familiar to engineering and IT teams.",[16,3403,3368],{},[137,3405,3406,3412,3418,3424,3430],{},[74,3407,3408,3411],{},[59,3409,3410],{},"Access control"," — implement technical measures allowing only authorized persons to access ePHI. 
This includes unique user identification, emergency access procedures, automatic logoff, and encryption and decryption mechanisms.",[74,3413,3414,3417],{},[59,3415,3416],{},"Audit controls"," — deploy hardware, software, and procedural mechanisms that record and examine activity in systems containing ePHI.",[74,3419,3420,3423],{},[59,3421,3422],{},"Integrity"," — protect ePHI from improper alteration or destruction, including mechanisms to authenticate that data has not been changed without authorization.",[74,3425,3426,3429],{},[59,3427,3428],{},"Person or entity authentication"," — verify that any person or entity seeking access to ePHI is who they claim to be.",[74,3431,3432,3435],{},[59,3433,3434],{},"Transmission security"," — guard against unauthorized access to ePHI during electronic transmission, including integrity controls and encryption.",[11,3437,3439],{"id":3438},"required-vs-addressable-specifications","Required vs addressable specifications",[16,3441,3442,3443,27,3446,3449],{},"One of the most misunderstood aspects of the Security Rule is the distinction between ",[59,3444,3445],{},"required",[59,3447,3448],{},"addressable"," implementation specifications.",[51,3451,3453],{"id":3452},"required-specifications","Required specifications",[16,3455,3456],{},"A required specification must be implemented exactly as described. There is no flexibility. Examples include conducting a risk analysis, assigning a security official, and implementing audit controls. If a standard has a required specification, the organization must put it in place — period.",[51,3458,3460],{"id":3459},"addressable-specifications","Addressable specifications",[16,3462,3463],{},"An addressable specification does not mean optional. Instead, the organization must perform a documented assessment to determine whether the specification is a reasonable and appropriate safeguard in its environment. 
There are three possible outcomes:",[71,3465,3466,3472,3478],{},[74,3467,3468,3471],{},[59,3469,3470],{},"Implement the specification as written"," — if the assessment concludes the specification is reasonable and appropriate, implement it.",[74,3473,3474,3477],{},[59,3475,3476],{},"Implement an equivalent alternative"," — if the specification is not reasonable and appropriate but the underlying standard still needs to be met, implement an alternative measure that achieves the same protective purpose and document the rationale.",[74,3479,3480,3483],{},[59,3481,3482],{},"Do not implement"," — if the specification is not reasonable and appropriate and the standard can be met without it, document the rationale and the factors considered.",[16,3485,3486],{},"The critical requirement is documentation. Regardless of the path chosen, the organization must maintain written records of its analysis and decision. Auditors and the HHS Office for Civil Rights expect to see evidence of thoughtful evaluation, not blanket dismissals.",[11,3488,3490],{"id":3489},"risk-analysis-the-foundation-of-compliance","Risk analysis: the foundation of compliance",[16,3492,3493],{},"The Security Rule's risk analysis requirement underpins the entire program. A compliant risk analysis should identify all systems that handle ePHI, document anticipated threats and vulnerabilities, assess current security measures, determine likelihood and impact of threats, assign risk levels, and prioritize remediation. Every step must be documented.",[16,3495,3496],{},"Risk analysis is not a one-time activity. 
Organizations must review and update their analysis in response to environmental or operational changes, new threats, and security incidents.",[11,3498,3500],{"id":3499},"organizational-requirements","Organizational requirements",[16,3502,3503,3504,3507],{},"Covered entities must obtain satisfactory assurances from their business associates — typically through a ",[23,3505,3506],{"href":178},"Business Associate Agreement (BAA)"," — that the associate will appropriately safeguard ePHI. Business associates are directly liable for Security Rule compliance under the HITECH Act.",[11,3509,3511],{"id":3510},"common-security-rule-gaps","Common Security Rule gaps",[16,3513,3514],{},"Organizations preparing for audits frequently discover recurring gaps:",[137,3516,3517,3523,3529,3535,3541],{},[74,3518,3519,3522],{},[59,3520,3521],{},"Incomplete or outdated risk analysis"," — the single most cited deficiency in HHS enforcement actions.",[74,3524,3525,3528],{},[59,3526,3527],{},"Lack of encryption"," — organizations that skip encryption must document an equivalent alternative, and many cannot.",[74,3530,3531,3534],{},[59,3532,3533],{},"Missing audit logs"," — logging capability alone is insufficient if no one reviews the output.",[74,3536,3537,3540],{},[59,3538,3539],{},"Inadequate access management"," — role changes and departures create orphaned accounts with unnecessary ePHI access.",[74,3542,3543,3546],{},[59,3544,3545],{},"No contingency testing"," — an untested disaster recovery plan provides little real protection.",[16,3548,2562,3549,3551,3552,3554],{},[23,3550,2565],{"href":238}," building their Security Rule program, the ",[23,3553,247],{"href":246}," provides a structured walkthrough of every major requirement.",[11,3556,3558],{"id":3557},"enforcement-and-penalties","Enforcement and penalties",[16,3560,3561],{},"The HHS Office for Civil Rights (OCR) enforces the Security Rule through complaint investigations, compliance reviews, and audits. 
Penalties range from $100 to $50,000 per violation with annual maximums of $1.5 million per category. Criminal violations can result in fines up to $250,000 and imprisonment.",{"title":257,"searchDepth":258,"depth":258,"links":3563},[3564,3565,3570,3574,3575,3576,3577],{"id":3278,"depth":258,"text":3279},{"id":3300,"depth":258,"text":3301,"children":3566},[3567,3568,3569],{"id":3304,"depth":264,"text":3305},{"id":3361,"depth":264,"text":3362},{"id":3397,"depth":264,"text":3398},{"id":3438,"depth":258,"text":3439,"children":3571},[3572,3573],{"id":3452,"depth":264,"text":3453},{"id":3459,"depth":264,"text":3460},{"id":3489,"depth":258,"text":3490},{"id":3499,"depth":258,"text":3500},{"id":3510,"depth":258,"text":3511},{"id":3557,"depth":258,"text":3558},"The HIPAA Security Rule establishes national standards for protecting electronic protected health information (ePHI) through administrative, physical, and technical safeguards.",{},[293],[301,550,302,303],{"title":3583,"description":3584},"HIPAA Security Rule - Safeguards, Specifications & Compliance Guide","Learn how the HIPAA Security Rule protects ePHI with administrative, physical, and technical safeguards. 
Understand required vs addressable specifications.","5.frameworks\u002Fhipaa\u002Fsecurity-rule","1ApyZTSCEbGuhEpHJFdKF5uezLHHjsf-XEOonfqi-oU",{"id":3588,"title":3589,"body":3590,"description":3833,"extension":278,"faq":3834,"frameworkSlug":293,"lastUpdated":294,"meta":3848,"navigation":296,"path":1349,"relatedTerms":3849,"relatedTopics":3850,"seo":3852,"stem":3855,"__hash__":3856},"frameworkTopics\u002F5.frameworks\u002Fhipaa\u002Fworkforce-training.md","HIPAA Workforce Training Requirements",{"type":8,"value":3591,"toc":3818},[3592,3596,3599,3602,3609,3611,3614,3618,3621,3624,3628,3631,3634,3638,3641,3644,3648,3651,3655,3658,3678,3681,3685,3688,3707,3710,3714,3717,3749,3752,3754,3766,3769,3771,3808,3810,3813],[11,3593,3595],{"id":3594},"why-hipaa-workforce-training-matters","Why HIPAA workforce training matters",[16,3597,3598],{},"HIPAA §164.308(a)(5) — the Security Awareness and Training standard — requires every covered entity and business associate to implement a security awareness and training program for all members of its workforce, including management. It is one of four implementation specifications that sit inside a single administrative safeguard, but in practice it is the standard OCR cites most often when it finds that a workforce member \"should have known better.\"",[16,3600,3601],{},"Training is the control that turns written policy into enforceable behavior. A well-designed program reduces the probability of accidental disclosures, phishing-driven breaches, and misuse of protected health information. A poorly designed program — or, worse, an undocumented one — is one of the fastest ways to escalate a small incident into a resolution agreement and corrective action plan.",[16,3603,1176,3604,3606,3607,42],{},[23,3605,26],{"href":25}," overview and the ",[23,3608,1182],{"href":35},[11,3610,1486],{"id":1485},[16,3612,3613],{},"§164.308(a)(5)(ii) lists four addressable implementation specifications that a compliant program must address. 
\"Addressable\" does not mean optional — if an organization chooses not to implement one of these specifications, it must document why and implement an equivalent alternative.",[51,3615,3617],{"id":3616},"security-reminders-164308a5iia","Security reminders — §164.308(a)(5)(ii)(A)",[16,3619,3620],{},"Security reminders are periodic communications that keep HIPAA obligations visible between formal training sessions. These can take the form of email newsletters, Slack posts, intranet banners, phishing test feedback, or short videos. The goal is to keep attention high between annual refreshers, when attention inevitably drifts.",[16,3622,3623],{},"Operationalize security reminders with a calendar. Many programs deliver a monthly theme — password hygiene in January, phishing awareness in February, PHI handling in March, and so on — with supporting content aligned to current threats. Document the cadence, the topics covered, and the distribution list.",[51,3625,3627],{"id":3626},"protection-from-malicious-software-164308a5iib","Protection from malicious software — §164.308(a)(5)(ii)(B)",[16,3629,3630],{},"Training on malicious software covers how workforce members recognize and report suspicious files, attachments, and links. Modern training extends this beyond classic antivirus warnings to cover ransomware, business email compromise, credential theft, and the social engineering patterns that precede a PHI exfiltration event.",[16,3632,3633],{},"This specification pairs with your technical safeguards. Workforce members should understand that endpoint detection tools are not a replacement for vigilance — they are a backstop. 
The training should teach the specific reporting path: who to contact, how quickly, and what to preserve.",[51,3635,3637],{"id":3636},"log-in-monitoring-164308a5iic","Log-in monitoring — §164.308(a)(5)(ii)(C)",[16,3639,3640],{},"Log-in monitoring training teaches workforce members to recognize and report abnormal authentication events, including unexpected multi-factor prompts, unfamiliar devices on their account, unrecognized sign-in locations, and account lockouts that they did not cause. It also covers the workforce member's role in promptly reporting lost or stolen credentials.",[16,3642,3643],{},"Back this training with technical evidence: surface sign-in anomalies in a dashboard the security team reviews weekly, and include the workforce expectation in your acceptable use policy.",[51,3645,3647],{"id":3646},"password-management-164308a5iid","Password management — §164.308(a)(5)(ii)(D)",[16,3649,3650],{},"Password management training sets the expectation for how credentials are created, stored, rotated, and retired. The NIST SP 800-63B shift away from forced periodic rotation has been adopted by most HIPAA programs, but every program still needs a policy on length, complexity, reuse, password manager usage, and multi-factor enrollment. Training should reinforce that expectation with examples, not abstractions.",[11,3652,3654],{"id":3653},"what-belongs-in-the-training-curriculum","What belongs in the training curriculum",[16,3656,3657],{},"A defensible curriculum goes beyond the four specifications. 
At minimum, every workforce member should leave training able to answer six questions.",[137,3659,3660,3663,3666,3669,3672,3675],{},[74,3661,3662],{},"What counts as PHI, and which systems at this organization contain it?",[74,3664,3665],{},"What can I do with PHI in my role, and what is forbidden?",[74,3667,3668],{},"How do I report a suspected breach, and what is the timeline?",[74,3670,3671],{},"What are my obligations around devices, workstations, and removable media?",[74,3673,3674],{},"What happens if I violate HIPAA policy?",[74,3676,3677],{},"Where do I go when I am unsure?",[16,3679,3680],{},"Role-specific modules layer on top. Engineers need deeper training on access control, logging, and secure development. Customer support teams need training on verifying identity before disclosing PHI. Sales and success teams need training on what they can and cannot say during customer calls and demos. Executives need training on their incident response obligations and the tone they set for the broader organization.",[11,3682,3684],{"id":3683},"cadence-and-triggers","Cadence and triggers",[16,3686,3687],{},"HIPAA does not prescribe a training cadence, but OCR audit protocol expectations and industry practice converge on three triggers.",[71,3689,3690,3696,3701],{},[74,3691,3692,3695],{},[59,3693,3694],{},"Onboarding."," Every new workforce member must complete training before accessing PHI. Gate access on completion — do not rely on managers to verify.",[74,3697,3698,3700],{},[59,3699,2839],{}," Refresh training at least once per year. Many mature programs split this into shorter quarterly modules to combat attention fatigue.",[74,3702,3703,3706],{},[59,3704,3705],{},"Material change."," Re-train when a policy, system, or regulation changes meaningfully. The 2013 Omnibus Rule is the canonical example — every HIPAA program had to re-train after it took effect. 
Smaller material changes (a new EHR vendor, a new customer with bespoke data handling requirements) warrant targeted refreshers.",[16,3708,3709],{},"Layer just-in-time triggers on top: after a workforce member fails a phishing simulation, after a near-miss incident, after a policy violation that did not rise to the level of sanctions, or after a high-profile industry breach that exposes a new attack pattern.",[11,3711,3713],{"id":3712},"documentation-that-holds-up-under-ocr-review","Documentation that holds up under OCR review",[16,3715,3716],{},"Every OCR HIPAA audit protocol includes a specific item on training documentation. Your records should answer five questions without ambiguity.",[137,3718,3719,3725,3731,3737,3743],{},[74,3720,3721,3724],{},[59,3722,3723],{},"Who trained?"," Roster keyed to unique workforce member identifiers, not just names.",[74,3726,3727,3730],{},[59,3728,3729],{},"What did they train on?"," The specific module, version, and learning objectives.",[74,3732,3733,3736],{},[59,3734,3735],{},"When did they train?"," Completion date, not assignment date.",[74,3738,3739,3742],{},[59,3740,3741],{},"How do you know they understood?"," Knowledge check scores, attestation language, or role-play results.",[74,3744,3745,3748],{},[59,3746,3747],{},"How long will you keep it?"," At least six years from creation or last effective date of the material.",[16,3750,3751],{},"Learning management systems simplify this, but they are not required. A structured folder, a training register, and signed acknowledgments can satisfy OCR if they are consistent and retrievable. What fails is ad-hoc records: an email here, a slide deck there, no way to prove who completed what.",[11,3753,1335],{"id":1334},[16,3755,3756,3757,3759,3760,3762,3763,3765],{},"Workforce training is one of several interlocking administrative safeguards. 
It pairs tightly with the ",[23,3758,2277],{"href":2276}," — you cannot fairly sanction a workforce member for a policy they were never taught. It pairs with the ",[23,3761,3178],{"href":2369},", because role-based access only works when workforce members understand the limits of their access. It pairs with ",[23,3764,2852],{"href":1448},", because the people who execute an emergency mode operation plan have to have rehearsed it.",[16,3767,3768],{},"Training also feeds your risk analysis. Gaps surfaced in knowledge checks, incident post-mortems, or phishing simulation results are vulnerabilities in the meaning of §164.308(a)(1)(ii)(A) and should feed the next iteration of the program.",[11,3770,1358],{"id":1357},[137,3772,3773,3779,3785,3791,3796,3802],{},[74,3774,3775,3778],{},[59,3776,3777],{},"Training exists, but no one can prove it."," The training happened, but completion records are scattered across email, LMS exports, and personal notes. During an audit, the gap in the paper trail is treated as a gap in the control.",[74,3780,3781,3784],{},[59,3782,3783],{},"One-size-fits-all curriculum."," A single generic module for every role means engineers are bored and customer support is under-prepared. Risk accumulates at both ends.",[74,3786,3787,3790],{},[59,3788,3789],{},"Annual refresher only."," A single yearly session cannot compete with an entire year of phishing attempts and policy changes. Reminders and just-in-time triggers matter.",[74,3792,3793,3795],{},[59,3794,3215],{}," Long-tenured contractors with persistent PHI access never get refreshed. Treat contractors as workforce members from day one.",[74,3797,3798,3801],{},[59,3799,3800],{},"No knowledge check."," Watching a video is not training. 
Without an assessment, there is no evidence of comprehension — and OCR treats comprehension as the point.",[74,3803,3804,3807],{},[59,3805,3806],{},"Training runs forever after offboarding."," When a workforce member leaves, their LMS account stays active and skews completion metrics. Include training deactivation in your offboarding checklist.",[11,3809,1406],{"id":1405},[16,3811,3812],{},"episki ships a workforce training library mapped directly to §164.308(a)(5) and the rest of the Security Rule administrative safeguards. Onboarding, annual, and just-in-time modules come pre-built; role-specific modules layer on top; and completion, quiz scores, and attestation records flow into the evidence locker that auditors and customers review. Training records tie back to the workforce member, their role, and the systems they access — so gaps show up automatically instead of surfacing during a customer audit.",[16,3814,1412,3815,3817],{},[23,3816,1415],{"href":35}," or start a free trial from the top of this page.",{"title":257,"searchDepth":258,"depth":258,"links":3819},[3820,3821,3827,3828,3829,3830,3831,3832],{"id":3594,"depth":258,"text":3595},{"id":1485,"depth":258,"text":1486,"children":3822},[3823,3824,3825,3826],{"id":3616,"depth":264,"text":3617},{"id":3626,"depth":264,"text":3627},{"id":3636,"depth":264,"text":3637},{"id":3646,"depth":264,"text":3647},{"id":3653,"depth":258,"text":3654},{"id":3683,"depth":258,"text":3684},{"id":3712,"depth":258,"text":3713},{"id":1334,"depth":258,"text":1335},{"id":1357,"depth":258,"text":1358},{"id":1405,"depth":258,"text":1406},"HIPAA §164.308(a)(5) requires a security awareness and training program for every workforce member. 
Here is how to design, deliver, and document it.",{"items":3835},[3836,3839,3842,3845],{"label":3837,"content":3838},"How often is HIPAA workforce training required?","HIPAA does not prescribe a specific cadence, but OCR guidance and industry practice converge on training at hire, at least annually thereafter, and whenever there is a material change to policies, systems, or the threat landscape. Most mature programs also deliver short monthly or quarterly security reminders.",{"label":3840,"content":3841},"Who counts as a workforce member under HIPAA?","Workforce members include employees, volunteers, trainees, interns, and contractors whose work for the covered entity or business associate is under its direct control, whether or not they are paid. Every workforce member with access to PHI must receive training appropriate to their role.",{"label":3843,"content":3844},"Do business associates have to train their workforce?","Yes. The 2013 Omnibus Rule made business associates directly liable for compliance with the Security Rule, including §164.308(a)(5). Business associates must implement a security awareness and training program and document its delivery.",{"label":3846,"content":3847},"What should HIPAA training documentation include?","Retain rosters of who completed each module, the date of completion, the version of the material used, the learning objectives, and evidence of knowledge checks or attestations. Retain documentation for at least six years from creation or last effective date.",{},[293,1450,1451,1452],[3851,300,301,303],"sanctions-policy",{"title":3853,"description":3854},"HIPAA Workforce Training - §164.308(a)(5) Requirements & Documentation","Build a HIPAA workforce training program that satisfies §164.308(a)(5). 
Cadence, content, delivery methods, and documentation expectations from OCR.","5.frameworks\u002Fhipaa\u002Fworkforce-training","QHKGk1SWCPvDGG5zG1NDi-6CBEmIXt5ARmnCmJImKeI",{"id":3858,"title":3859,"body":3860,"description":4117,"extension":278,"faq":4118,"frameworkSlug":293,"lastUpdated":294,"meta":4132,"navigation":296,"path":1643,"relatedTerms":4133,"relatedTopics":4134,"seo":4135,"stem":4138,"__hash__":4139},"frameworkTopics\u002F5.frameworks\u002Fhipaa\u002Fworkstation-and-device-controls.md","HIPAA Workstation and Device Controls",{"type":8,"value":3861,"toc":4102},[3862,3866,3869,3872,3881,3885,3888,3891,3911,3914,3918,3921,3924,3927,3931,3934,3938,3941,3961,3964,3968,3971,3975,3978,3982,3985,3989,3992,4030,4033,4035,4047,4049,4093,4095,4098],[11,3863,3865],{"id":3864},"why-hipaa-workstation-and-device-controls-matter","Why HIPAA workstation and device controls matter",[16,3867,3868],{},"The HIPAA Security Rule dedicates three separate standards to the endpoints where workforce members interact with ePHI. §164.310(b) covers workstation use, §164.310(c) covers workstation security, and §164.310(d) covers device and media controls. Together they establish the expectations for every laptop, phone, kiosk, thumb drive, and backup tape that ever touches protected health information.",[16,3870,3871],{},"These standards have aged well because the regulators wrote them in technology-neutral language. Workstations in 1998 were beige towers bolted to desks. Workstations in 2026 are MacBooks in a coffee shop, iPads in a clinical bag, and shared kiosks at a reception desk. The requirements still apply — and the threats they address (lost devices, shared screens, improperly disposed media) have survived every hardware generation.",[16,3873,1478,3874,1179,3876,3878,3879,42],{},[23,3875,26],{"href":25},[23,3877,1182],{"href":35},". 
For the facility-level perimeter, see ",[23,3880,1345],{"href":1344},[11,3882,3884],{"id":3883},"workstation-use-164310b","Workstation use — §164.310(b)",[16,3886,3887],{},"The workstation use standard requires covered entities and business associates to \"implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.\"",[16,3889,3890],{},"In practice, the workstation use policy answers three questions.",[71,3892,3893,3899,3905],{},[74,3894,3895,3898],{},[59,3896,3897],{},"What functions are allowed on each workstation class?"," A developer laptop can write code and access test data. A clinical terminal can enter orders and view records. A personal phone enrolled in MDM can receive email notifications. Mixing functions expands risk — draw the lines intentionally.",[74,3900,3901,3904],{},[59,3902,3903],{},"How must those functions be performed?"," Specific expectations for screen positioning, privacy screens, locked rooms, approved Wi-Fi networks, and acceptable software. This is where the policy translates into daily workforce habits.",[74,3906,3907,3910],{},[59,3908,3909],{},"What surroundings are acceptable?"," Public spaces, shared living spaces, airports, and client sites each carry different risks. The policy should call out the surroundings where PHI work is prohibited outright.",[16,3912,3913],{},"Different workstation classes warrant different expectations. 
Publish a short matrix so workforce members can find their class without reading the full policy.",[11,3915,3917],{"id":3916},"workstation-security-164310c","Workstation security — §164.310(c)",[16,3919,3920],{},"The workstation security standard requires \"physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.\" This is a single specification, and it is required — not addressable.",[16,3922,3923],{},"Workstation security covers the physical controls that prevent an unauthorized person from interacting with an ePHI-capable workstation. In shared environments, that might mean cable locks, locked rooms, or privacy screens. For mobile devices, it means device-level authentication, automatic screen lock, and remote wipe capability. For fixed clinical terminals, it means positioning screens out of patient and visitor view.",[16,3925,3926],{},"A useful test: could a visitor, a janitorial contractor, or another workforce member without authorized access reach the workstation, unlock it, and view ePHI during a normal day? If the answer is yes, the control needs work.",[11,3928,3930],{"id":3929},"device-and-media-controls-164310d","Device and media controls — §164.310(d)",[16,3932,3933],{},"The device and media controls standard governs \"the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility.\" Four implementation specifications sit underneath it — two required, two addressable.",[51,3935,3937],{"id":3936},"disposal-required-164310d2i","Disposal — required — §164.310(d)(2)(i)",[16,3939,3940],{},"Disposal requires policies and procedures to address the final disposition of ePHI and the hardware or media on which it is stored. NIST Special Publication 800-88 Rev. 1 is the industry standard. 
It distinguishes three levels of sanitization.",[137,3942,3943,3949,3955],{},[74,3944,3945,3948],{},[59,3946,3947],{},"Clear"," — logical techniques that overwrite data, suitable for media being reused in the same protection environment.",[74,3950,3951,3954],{},[59,3952,3953],{},"Purge"," — physical or logical techniques that render data recovery infeasible with state-of-the-art laboratory techniques, suitable for media leaving the organization's control.",[74,3956,3957,3960],{},[59,3958,3959],{},"Destroy"," — physical destruction (shredding, incineration, melting) so that media cannot be reused at all.",[16,3962,3963],{},"Select the level based on media type and confidentiality risk. Retain certificates of destruction from third-party disposal vendors. The most common OCR finding in this area is a missing certificate — not a failed sanitization technique.",[51,3965,3967],{"id":3966},"media-re-use-required-164310d2ii","Media re-use — required — §164.310(d)(2)(ii)",[16,3969,3970],{},"Media re-use requires removal of ePHI from electronic media before the media are made available for re-use. This is the sanitization step for devices that stay inside the organization — a laptop reassigned from one workforce member to another, a tablet moved between clinical roles, a backup drive repurposed for a test environment. Document the sanitization method, date, and responsible owner.",[51,3972,3974],{"id":3973},"accountability-addressable-164310d2iii","Accountability — addressable — §164.310(d)(2)(iii)",[16,3976,3977],{},"Accountability requires records of the movements of hardware and electronic media and the person responsible. Modern MDM and endpoint inventory tools handle most of this automatically for corporate devices. 
Gaps typically appear at the edges: portable backup drives, shipped development hardware, and devices loaned to contractors.",[51,3979,3981],{"id":3980},"data-backup-and-storage-addressable-164310d2iv","Data backup and storage — addressable — §164.310(d)(2)(iv)",[16,3983,3984],{},"Data backup and storage requires creating a retrievable, exact copy of ePHI before the equipment is moved, when needed. This overlaps with the contingency plan's backup specification — most programs satisfy both with the same backup infrastructure.",[11,3986,3988],{"id":3987},"building-a-modern-endpoint-program","Building a modern endpoint program",[16,3990,3991],{},"A defensible workstation and device program for a 2026 workforce includes six layers.",[71,3993,3994,4000,4006,4012,4018,4024],{},[74,3995,3996,3999],{},[59,3997,3998],{},"Inventory."," Every device that could handle ePHI is enrolled and tracked. Unmanaged devices are either blocked or registered under a clear exception process.",[74,4001,4002,4005],{},[59,4003,4004],{},"Configuration baseline."," Full-disk encryption, screen lock, MFA, automatic patching, approved software, and logging. Enforce through MDM.",[74,4007,4008,4011],{},[59,4009,4010],{},"Access controls."," Unique user identification, conditional access based on device posture, and role-based application access tied back to the Security Rule's access control standard.",[74,4013,4014,4017],{},[59,4015,4016],{},"Monitoring."," Endpoint detection, audit log collection, and alerting for anomalous behavior. 
Monitoring is also how you satisfy the audit controls standard in the Security Rule.",[74,4019,4020,4023],{},[59,4021,4022],{},"Lifecycle management."," Structured onboarding issues devices in a known-good state; structured offboarding recovers, sanitizes, and retires them with a documented trail.",[74,4025,4026,4029],{},[59,4027,4028],{},"Incident response integration."," Lost, stolen, or compromised devices trigger a defined runbook that ties back to your Breach Notification Rule procedures.",[16,4031,4032],{},"For healthcare environments with a wide range of device types — infusion pumps, imaging workstations, clinical tablets, workstation-on-wheels — add a medical device security program that addresses the specific risks of devices the IT organization may not fully control.",[11,4034,1335],{"id":1334},[16,4036,4037,4038,4040,4041,4043,4044,4046],{},"Workstation and device controls live at the intersection of physical and technical safeguards. They pair with ",[23,4039,1345],{"href":1344}," to define the outer perimeter. They pair with the Security Rule's access control, audit controls, and encryption standards on the technical side. They pair with ",[23,4042,1350],{"href":1349}," because workstation expectations only operate if the people at the keyboard know them. And they pair with the ",[23,4045,2277],{"href":2276},", because a workforce member who ignores workstation policy must face consistent consequences.",[11,4048,1358],{"id":1357},[137,4050,4051,4057,4063,4069,4075,4081,4087],{},[74,4052,4053,4056],{},[59,4054,4055],{},"Personal devices in the gray zone."," Workforce members use personal phones to read ePHI-laden email \"sometimes,\" but no MDM enrollment and no formal policy ever gets written. 
Every lost phone becomes a potential breach.",[74,4058,4059,4062],{},[59,4060,4061],{},"Disposal without certificates."," Devices leave the organization through informal channels — an IT manager's car trunk on the way to a recycler — without signed certificates of destruction.",[74,4064,4065,4068],{},[59,4066,4067],{},"Shared clinical terminals with generic logins."," Audit logs cannot attribute actions to individual workforce members, collapsing the Security Rule's unique user identification requirement.",[74,4070,4071,4074],{},[59,4072,4073],{},"Unencrypted backup media."," Production systems are encrypted, but offline backups on portable drives are not. A lost drive becomes a reportable breach.",[74,4076,4077,4080],{},[59,4078,4079],{},"Old hardware in closets."," Retired devices accumulate in storage, some still containing ePHI, none on the inventory, none scheduled for disposal.",[74,4082,4083,4086],{},[59,4084,4085],{},"Home office blind spot."," Workforce members print ePHI at home \"occasionally,\" and there is no guidance on storage or disposal. Printed PHI falls under the Privacy Rule regardless of whether anyone thinks about the print job.",[74,4088,4089,4092],{},[59,4090,4091],{},"No deprovisioning tie-in."," Device recovery at offboarding is a manual checklist that managers sometimes complete, so retired workforce members occasionally retain a company laptop with ePHI access for weeks.",[11,4094,1406],{"id":1405},[16,4096,4097],{},"episki connects device inventory, MDM posture, and disposal records into the HIPAA evidence locker that auditors and customers review. Workstation use policies, encryption attestations, certificates of destruction, and lost-device runbooks live alongside the §164.310(b), (c), and (d) controls they satisfy. Offboarding checklists tie into the HR event so device recovery and access revocation run on the same timeline. 
Workforce members see the policy that applies to their device class, and you see the gaps before an auditor does.",[16,4099,1412,4100,1416],{},[23,4101,1415],{"href":35},{"title":257,"searchDepth":258,"depth":258,"links":4103},[4104,4105,4106,4107,4113,4114,4115,4116],{"id":3864,"depth":258,"text":3865},{"id":3883,"depth":258,"text":3884},{"id":3916,"depth":258,"text":3917},{"id":3929,"depth":258,"text":3930,"children":4108},[4109,4110,4111,4112],{"id":3936,"depth":264,"text":3937},{"id":3966,"depth":264,"text":3967},{"id":3973,"depth":264,"text":3974},{"id":3980,"depth":264,"text":3981},{"id":3987,"depth":258,"text":3988},{"id":1334,"depth":258,"text":1335},{"id":1357,"depth":258,"text":1358},{"id":1405,"depth":258,"text":1406},"HIPAA §164.310(b), (c), and (d) govern workstation use, workstation security, and device and media controls. Here is how to implement them for a modern workforce.",{"items":4119},[4120,4123,4126,4129],{"label":4121,"content":4122},"What counts as a workstation under HIPAA?","A workstation is any electronic computing device — laptop, desktop, tablet, kiosk, or fixed clinical terminal — used to perform functions involving ePHI, along with the electronic media stored in its immediate environment. HHS guidance is deliberately broad so policies age well as form factors change.",{"label":4124,"content":4125},"Do personal devices have to meet HIPAA workstation controls?","If a personal device is used to access, store, or transmit ePHI, it is a workstation under HIPAA and must meet the same controls as a corporate-issued device. Most mature programs either prohibit personal devices or enroll them in mobile device management with enforced encryption, screen lock, and remote wipe.",{"label":4127,"content":4128},"How should we dispose of devices that contained ePHI?","Media disposal under §164.310(d)(2)(i) requires policies and procedures to address the final disposition of ePHI and the media on which it is stored. 
NIST SP 800-88 is the industry standard for sanitization — choose clear, purge, or destroy based on media type and confidentiality needs, and retain disposal records for at least six years.",{"label":4130,"content":4131},"Are encrypted laptops a HIPAA requirement?","Encryption is an addressable specification under the Security Rule, but in practice it is the only defensible control for portable devices. An unencrypted lost laptop containing ePHI is the canonical OCR breach scenario — and unencrypted devices fail every customer security review.",{},[293,1450,1451,1452],[300,1455,2372,303],{"title":4136,"description":4137},"HIPAA Workstation & Device Controls - §164.310(b)(c)(d) Guide","Implement HIPAA workstation use, workstation security, and device and media controls under §164.310(b)(c)(d). Endpoint policy, media disposal, and MDM.","5.frameworks\u002Fhipaa\u002Fworkstation-and-device-controls","nNal5DPDcHTJrEbqmtVnVFrjH-NV14DMC8pOZCf4tRw",{"id":4141,"title":4142,"advantages":4143,"body":4165,"checklist":4626,"cta":4635,"description":257,"extension":278,"faq":4638,"hero":4656,"meta":4672,"name":4510,"navigation":296,"path":35,"resources":4673,"seo":4686,"slug":293,"stats":4689,"stem":4699,"__hash__":4700},"frameworks\u002F5.frameworks\u002Fhipaa.md","Hipaa",[4144,4151,4158],{"title":4145,"description":4146,"bullets":4147},"Safeguards mapped to your stack","Every HIPAA standard comes with plain-language owners, SLAs, and tests.",[4148,4149,4150],"Assign compliance, engineering, and ops leads to each safeguard","Playbooks explain what “good” looks like for each requirement","Timeline view keeps renewals and reviews on schedule",{"title":4152,"description":4153,"bullets":4154},"PHI-aware evidence locker","Secure uploads, access controls, and audit trails keep regulators satisfied.",[4155,4156,4157],"Granular permissions for internal and external reviewers","Automated retention and deletion policies","Download tracking and access audit 
trails",{"title":4159,"description":4160,"bullets":4161},"Vendor & incident workflows","Track BAAs, vendor attestations, and incidents from discovery to closure.",[4162,4163,4164],"BAA repository tied to vendor risk levels","Incident response runbooks with reminders","Post-incident reports aligned to HIPAA timelines",{"type":8,"value":4166,"toc":4599},[4167,4171,4174,4185,4188,4192,4195,4237,4241,4244,4249,4253,4256,4260,4268,4288,4291,4295,4302,4310,4314,4317,4321,4324,4327,4336,4340,4343,4346,4348,4360,4362,4371,4373,4376,4382,4386,4389,4392,4397,4400,4406,4409,4412,4418,4421,4444,4447,4450,4453,4458,4462,4465,4491,4494,4497,4501,4504,4523,4526,4530,4538,4542,4545,4574,4581,4585,4588,4596],[11,4168,4170],{"id":4169},"what-is-hipaa","What is HIPAA?",[16,4172,4173],{},"HIPAA, the Health Insurance Portability and Accountability Act of 1996, is the cornerstone US federal law governing the privacy and security of patient health information. Signed into law by President Bill Clinton, the act was originally designed to improve the portability of health insurance coverage when workers changed jobs, combat fraud and waste in healthcare, and simplify the administration of health insurance through standardized electronic transactions. Over the decades since, HIPAA has evolved into the defining US regulation for how healthcare organizations and their partners handle sensitive patient data.",[16,4175,4176,4177,4181,4182,4184],{},"At its core, the law establishes national standards that protect sensitive patient information — known as ",[23,4178,4180],{"href":4179},"\u002Fglossary\u002Fphi","protected health information",", or PHI — from unauthorized use and disclosure. Any organization that creates, receives, maintains, or transmits PHI must comply, whether that organization is a hospital, a health plan, a billing clearinghouse, or a SaaS vendor providing services to healthcare customers. 
The ",[23,4183,41],{"href":40}," provides a concise definition, while this page walks through the full regulatory landscape so you understand how each HIPAA rule fits together.",[16,4186,4187],{},"Enforcement falls to the US Department of Health and Human Services (HHS) through its Office for Civil Rights (OCR). State attorneys general also have authority to bring enforcement actions under powers granted by the HITECH Act. The law applies across all 50 states and preempts weaker state privacy laws, though state laws that provide greater protection remain in force.",[11,4189,4191],{"id":4190},"a-brief-history-of-hipaa","A brief history of HIPAA",[16,4193,4194],{},"HIPAA was enacted in 1996, but its privacy and security requirements were not finalized overnight. The act directed HHS to develop implementing regulations, and the major rules were rolled out over more than a decade.",[137,4196,4197,4203,4209,4215,4225,4231],{},[74,4198,4199,4202],{},[59,4200,4201],{},"1996"," — Congress passes HIPAA, directing HHS to issue regulations on privacy, security, and electronic transactions.",[74,4204,4205,4208],{},[59,4206,4207],{},"2000"," — The HIPAA Privacy Rule is published; it takes full effect in 2003.",[74,4210,4211,4214],{},[59,4212,4213],{},"2003"," — The HIPAA Security Rule is finalized, with compliance required by 2005 for most entities.",[74,4216,4217,4220,4221,4224],{},[59,4218,4219],{},"2009"," — The Health Information Technology for Economic and Clinical Health Act (",[23,4222,4223],{"href":2104},"HITECH",") is signed into law as part of the American Recovery and Reinvestment Act, extending HIPAA obligations to business associates and introducing breach notification requirements.",[74,4226,4227,4230],{},[59,4228,4229],{},"2013"," — The HIPAA Omnibus Rule implements HITECH and further strengthens HIPAA enforcement, fines, and patient rights.",[74,4232,4233,4236],{},[59,4234,4235],{},"2024 and beyond"," — HHS continues to update HIPAA guidance, most recently 
around cybersecurity expectations, reproductive health privacy, and the proposed modernization of the HIPAA Security Rule to reflect modern threats.",[51,4238,4240],{"id":4239},"hitech-and-the-omnibus-rule","HITECH and the Omnibus Rule",[16,4242,4243],{},"The HITECH Act of 2009 was a watershed moment. Before HITECH, HIPAA obligations technically applied only to covered entities, and business associates were bound solely by contract. HITECH changed that by making business associates directly liable. It also introduced the federal Breach Notification Rule, increased civil monetary penalties, and funded the nationwide adoption of electronic health records — which dramatically expanded the volume of electronic PHI requiring protection.",[16,4245,4246,4247,42],{},"The 2013 Omnibus Rule then translated HITECH into binding regulation. It extended the Privacy and Security Rules to business associates and their subcontractors, tightened the definition of a breach, strengthened individual rights to access electronic health records, and aligned the law with the Genetic Information Nondiscrimination Act (GINA). For a deeper breakdown of what changed, read ",[23,4248,4240],{"href":2104},[11,4250,4252],{"id":4251},"who-hipaa-applies-to","Who HIPAA applies to",[16,4254,4255],{},"HIPAA applies to two broad categories of organizations: covered entities and business associates. 
Understanding which category your organization falls into is the first and most important step in any HIPAA compliance program.",[51,4257,4259],{"id":4258},"covered-entities","Covered entities",[16,4261,4262,4263,4267],{},"A ",[23,4264,4266],{"href":4265},"\u002Fglossary\u002Fcovered-entity","covered entity"," is any of the following:",[137,4269,4270,4276,4282],{},[74,4271,4272,4275],{},[59,4273,4274],{},"Health plans"," — health insurance companies, HMOs, employer-sponsored group health plans, government programs like Medicare and Medicaid, and long-term care insurers.",[74,4277,4278,4281],{},[59,4279,4280],{},"Healthcare providers"," — hospitals, clinics, physician practices, dentists, pharmacies, psychologists, and any other provider that transmits health information electronically for billing or eligibility purposes.",[74,4283,4284,4287],{},[59,4285,4286],{},"Healthcare clearinghouses"," — entities that process nonstandard health information into standard formats (or vice versa), such as billing services and repricing companies.",[16,4289,4290],{},"If your organization directly delivers healthcare or finances it, you are almost certainly a covered entity.",[51,4292,4294],{"id":4293},"business-associates","Business associates",[16,4296,4262,4297,4301],{},[23,4298,4300],{"href":4299},"\u002Fglossary\u002Fbusiness-associate","business associate"," is any person or organization that performs a function or activity on behalf of a covered entity that involves the use or disclosure of PHI. Typical business associates include cloud hosting providers, billing vendors, EHR vendors, IT service providers, analytics firms, legal counsel, accounting firms, transcription services, and SaaS platforms that process PHI on behalf of covered entities.",[16,4303,4304,4305,4309],{},"Most modern SaaS companies serving healthcare customers are business associates. 
If your product ingests, stores, processes, or transmits PHI for a covered entity, HIPAA applies to you directly — regardless of whether you consider yourself a \"healthcare company.\" Subcontractors of business associates are themselves business associates and are bound by the same obligations. Signing a ",[23,4306,4308],{"href":4307},"\u002Fglossary\u002Fbaa","business associate agreement"," with every upstream and downstream partner that touches PHI is non-negotiable.",[51,4311,4313],{"id":4312},"who-is-not-covered-by-hipaa","Who is not covered by HIPAA?",[16,4315,4316],{},"Not every organization that handles health information is subject to the law. Consumer wellness apps, fitness trackers, direct-to-consumer genetic testing services, employers (in their role as employers), life insurers, and schools generally fall outside its reach unless they act on behalf of a covered entity. That said, many of these organizations still face FTC oversight, state privacy laws, and customer expectations that mirror HIPAA protections.",[11,4318,4320],{"id":4319},"the-hipaa-privacy-rule","The HIPAA Privacy Rule",[16,4322,4323],{},"The HIPAA Privacy Rule sets national standards for the protection of PHI in all forms — electronic, paper, and oral. It establishes when PHI may be used and disclosed, defines patient rights over their own health data, and imposes the minimum necessary standard on most disclosures. 
The Privacy Rule applies to covered entities directly and to business associates through their BAAs.",[16,4325,4326],{},"Key Privacy Rule concepts include the Notice of Privacy Practices, patient access rights (including the right to an electronic copy of an electronic health record within 30 days), the right to request amendments and accounting of disclosures, the minimum necessary standard, permitted uses for treatment, payment, and operations, and the authorization requirements for marketing and sale of PHI.",[16,4328,4329,4330,4332,4333,4335],{},"For a comprehensive walkthrough of the HIPAA Privacy Rule, permitted disclosures, and patient rights, read the dedicated ",[23,4331,31],{"href":30}," guide. For more on the narrowly tailored access principle that governs day-to-day PHI handling, see the ",[23,4334,3178],{"href":2369}," page.",[11,4337,4339],{"id":4338},"the-hipaa-security-rule","The HIPAA Security Rule",[16,4341,4342],{},"The HIPAA Security Rule establishes the national floor for protecting electronic PHI (ePHI). While the Privacy Rule covers every form of PHI, the Security Rule is scoped to electronic data — which, in 2026, is effectively every record of clinical or financial relevance inside a modern healthcare organization.",[16,4344,4345],{},"The Security Rule organizes its requirements into three categories of safeguards. Every covered entity and business associate must implement each category based on a documented HIPAA risk analysis.",[51,4347,3305],{"id":3304},[16,4349,4350,4351,4353,4354,4356,4357,4359],{},"Administrative safeguards are the policies, procedures, and organizational measures that govern your HIPAA program. They include security management processes, a designated security official, ",[23,4352,1350],{"href":1349},", a ",[23,4355,2277],{"href":2276}," for workforce violations, access management, ",[23,4358,2852],{"href":1448},", periodic evaluations, and BAAs with every downstream partner. 
These typically consume the most effort because they touch every corner of the business.",[51,4361,3362],{"id":3361},[16,4363,4364,4365,573,4367,4370],{},"Physical safeguards protect the facilities, workstations, devices, and media that house ePHI. This category covers ",[23,4366,1345],{"href":1344},[23,4368,4369],{"href":1643},"workstation and device controls",", and media disposal. For cloud-first SaaS companies, physical safeguards increasingly translate into inherited controls from hyperscale cloud providers, but every regulated organization still needs defensible answers for the laptops, offices, and portable media its workforce uses.",[51,4372,3398],{"id":3397},[16,4374,4375],{},"Technical safeguards are the technology controls that protect ePHI and govern access to it. They include unique user identification, automatic logoff, encryption and decryption of ePHI at rest and in transit, audit controls that log system activity, integrity controls that prevent improper alteration, and person or entity authentication.",[16,4377,4378,4379,4381],{},"For a deep dive into the complete Security Rule standards, required versus addressable implementation specifications, and how to pass an OCR audit of your ePHI safeguards, read the ",[23,4380,26],{"href":25}," guide.",[11,4383,4385],{"id":4384},"the-hipaa-breach-notification-rule","The HIPAA Breach Notification Rule",[16,4387,4388],{},"The Breach Notification Rule, added by HITECH and finalized in the Omnibus Rule, requires covered entities and business associates to notify affected individuals, HHS, and in some cases the media when unsecured PHI is breached. 
A breach is presumed whenever PHI is used or disclosed in a way that is not permitted under the Privacy Rule, unless the organization can demonstrate through a four-factor risk assessment that there is a low probability the PHI has been compromised.",[16,4390,4391],{},"Notifications must be made without unreasonable delay and in no case later than 60 calendar days after discovery. Business associates must notify their covered entity clients, who in turn notify affected individuals. Breaches involving 500 or more individuals must be reported to HHS within 60 days and listed on the public OCR \"Wall of Shame,\" while smaller breaches may be reported in an annual log.",[16,4393,4394,4395,4381],{},"For full details on timelines, content requirements, and documentation expectations, see the ",[23,4396,6],{"href":297},[11,4398,4399],{"id":302},"Business associate agreements",[16,4401,4402,4403,4405],{},"No PHI should ever leave a covered entity — or a business associate — without a properly executed BAA in place. A ",[23,4404,4308],{"href":178}," is a legally binding contract that defines permitted uses and disclosures of PHI, requires implementation of appropriate safeguards, obligates breach notification, mandates BAA flow-down to subcontractors, and establishes termination rights when a business associate violates the agreement.",[16,4407,4408],{},"In practice, BAA management is one of the most common HIPAA failure modes for growing SaaS companies. Deals close, engineering ships, and PHI starts flowing before legal has countersigned the BAA — creating exposure for both sides. A disciplined BAA intake process, a BAA repository with renewal reminders, and clear ownership of vendor risk are table stakes for any serious compliance program.",[11,4410,247],{"id":4411},"hipaa-compliance-checklist",[16,4413,4414,4415,4417],{},"Translating the regulatory language into day-to-day operations is where most programs struggle. 
The ",[23,4416,247],{"href":246}," walks through every major obligation — from assigning a security official through finalizing your Notice of Privacy Practices — as a sequenced program of work.",[16,4419,4420],{},"At a high level, a complete HIPAA program includes:",[137,4422,4423,4426,4429,4432,4435,4438,4441],{},[74,4424,4425],{},"A current risk analysis and documented risk management plan.",[74,4427,4428],{},"Written policies and procedures covering Privacy, Security, and Breach Notification obligations.",[74,4430,4431],{},"A signed BAA with every vendor, subcontractor, and customer that exchanges PHI.",[74,4433,4434],{},"Workforce training at hire and at least annually thereafter, with documented completion.",[74,4436,4437],{},"Access control, audit logging, encryption, and contingency planning for every system that touches ePHI.",[74,4439,4440],{},"An incident response runbook aligned to the Breach Notification Rule.",[74,4442,4443],{},"Documentation retained for at least six years from creation or last effective date, whichever is later.",[11,4445,1187],{"id":4446},"hipaa-risk-analysis",[16,4448,4449],{},"Every HIPAA Security Rule program begins with a risk analysis. Under 45 CFR §164.308(a)(1)(ii)(A), covered entities and business associates must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. HHS has repeatedly stated that a missing or superficial risk analysis is among the most common findings in OCR enforcement actions.",[16,4451,4452],{},"A defensible risk analysis inventories every system that creates, receives, maintains, or transmits ePHI, identifies threats and vulnerabilities affecting each system, measures the likelihood and impact of each risk, and feeds directly into the Security Management Process that prioritizes mitigation. 
Most mature programs align their methodology to NIST Special Publication 800-30, which OCR cites favorably.",[16,4454,4455,4456,4381],{},"For a full breakdown of methodology, documentation requirements, and common pitfalls, read the ",[23,4457,1187],{"href":1186},[11,4459,4461],{"id":4460},"penalties-and-enforcement","Penalties and enforcement",[16,4463,4464],{},"Enforcement is administered by OCR, with parallel criminal enforcement authority held by the Department of Justice and civil enforcement authority held by state attorneys general. HIPAA penalties are tiered by culpability.",[137,4466,4467,4473,4479,4485],{},[74,4468,4469,4472],{},[59,4470,4471],{},"Tier 1 — Unknowing violation"," — $100 to $50,000 per violation; annual cap $25,000 for identical violations.",[74,4474,4475,4478],{},[59,4476,4477],{},"Tier 2 — Reasonable cause"," — $1,000 to $50,000 per violation; annual cap $100,000.",[74,4480,4481,4484],{},[59,4482,4483],{},"Tier 3 — Willful neglect, corrected"," — $10,000 to $50,000 per violation; annual cap $250,000.",[74,4486,4487,4490],{},[59,4488,4489],{},"Tier 4 — Willful neglect, uncorrected"," — $50,000 per violation; annual cap $1.5 million per violation category.",[16,4492,4493],{},"Penalty amounts are adjusted annually for inflation. Criminal penalties can reach $250,000 and 10 years of imprisonment for offenses involving intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.",[16,4495,4496],{},"OCR enforcement tends to cluster around predictable themes: missing or inadequate risk analyses, lost unencrypted devices, failure to terminate workforce access, insufficient BAAs, delayed breach notifications, and refusal to provide patient access to records. 
Organizations that can demonstrate a mature, well-documented program — with evidence of ongoing risk analysis, training, and monitoring — consistently receive more favorable resolutions.",[11,4498,4500],{"id":4499},"hipaa-vs-hitech-vs-hitrust","HIPAA vs HITECH vs HITRUST",[16,4502,4503],{},"These three acronyms sit close together in healthcare conversations and are often conflated. They are related but distinct.",[137,4505,4506,4512,4517],{},[74,4507,4508,4511],{},[59,4509,4510],{},"HIPAA"," is the underlying federal law and its implementing regulations (Privacy, Security, Breach Notification, and Enforcement Rules). HIPAA defines the legal obligations.",[74,4513,4514,4516],{},[59,4515,4223],{}," is a 2009 federal law that strengthened HIPAA — extending it to business associates, introducing breach notification, increasing penalties, and funding EHR adoption. HITECH is part of HIPAA's regulatory stack, not a separate framework.",[74,4518,4519,4522],{},[59,4520,4521],{},"HITRUST"," is a private-sector certification maintained by the HITRUST Alliance. The HITRUST CSF is a control framework that maps HIPAA, NIST, ISO 27001, PCI DSS, and other standards into a single certifiable set of controls. HITRUST is a common way to demonstrate HIPAA compliance to sophisticated healthcare customers, but HITRUST certification is not itself required by HIPAA.",[16,4524,4525],{},"A healthcare SaaS company might pursue HITRUST CSF certification as a commercial asset while its underlying legal obligation remains HIPAA compliance under HITECH-amended rules.",[51,4527,4529],{"id":4528},"hipaa-and-soc-2","HIPAA and SOC 2",[16,4531,4532,4533,4537],{},"Many SaaS companies pursue ",[23,4534,4536],{"href":4535},"\u002Fframeworks\u002Fsoc2","SOC 2"," alongside HIPAA. The two frameworks complement each other: SOC 2 evaluates security, availability, confidentiality, processing integrity, and privacy trust services criteria, while HIPAA is a statutory requirement for handling PHI. 
A well-designed control environment can satisfy both with substantial overlap.",[11,4539,4541],{"id":4540},"getting-hipaa-compliant","Getting HIPAA compliant",[16,4543,4544],{},"The most successful HIPAA programs treat compliance as a continuous operating rhythm rather than a once-a-year scramble. A typical rollout for a SaaS company serving healthcare customers looks like this.",[71,4546,4547,4550,4553,4556,4559,4562,4565,4568,4571],{},[74,4548,4549],{},"Confirm your status as a covered entity, business associate, or both, and inventory the PHI you handle today.",[74,4551,4552],{},"Appoint a security official and a privacy official (the same person may hold both roles at small companies).",[74,4554,4555],{},"Conduct a risk analysis scoped to every system that creates, receives, maintains, or transmits ePHI.",[74,4557,4558],{},"Implement the administrative, physical, and technical safeguards required by the Security Rule, informed by your risk analysis.",[74,4560,4561],{},"Draft and publish policies and procedures covering Privacy, Security, and Breach Notification obligations.",[74,4563,4564],{},"Execute BAAs with every vendor that touches PHI, and require a signed BAA before onboarding any new customer that qualifies as a covered entity.",[74,4566,4567],{},"Deliver workforce training at hire and annually thereafter, and document completion.",[74,4569,4570],{},"Stand up an incident response runbook aligned to the Breach Notification Rule.",[74,4572,4573],{},"Operate the program: review access quarterly, test contingency plans at least annually, refresh your risk analysis whenever material change occurs, and retain documentation for at least six years.",[16,4575,4576,4577,4580],{},"For companies operating in the broader ",[23,4578,4579],{"href":238},"healthcare industry",", HIPAA is rarely the only regulation in scope. 
State privacy laws, the 21st Century Cures Act, FDA software-as-a-medical-device requirements, and payor-specific security reviews often run in parallel — which is why most compliance programs are built into a broader GRC operating model.",[11,4582,4584],{"id":4583},"how-episki-helps-with-hipaa-compliance","How episki helps with HIPAA compliance",[16,4586,4587],{},"episki is the HIPAA compliance platform for healthtech teams that need to ship fast without losing control of PHI. We map Privacy, Security, and Breach Notification obligations directly to your systems, automate evidence collection for every safeguard, manage BAAs across your vendor ecosystem, and keep risk analyses current as your stack evolves.",[16,4589,4590,4591,4595],{},"Our platform was designed by practitioners who have led HIPAA programs at healthcare organizations and audited them as consultants. The result is a workspace that makes it obvious what is done, what is due, and what is drifting — so you can spend less time reconstructing evidence the week before a customer audit and more time building product. Read the ",[23,4592,4594],{"href":4593},"\u002Fnow\u002Fhipaa-compliance-healthtech","HIPAA for healthtech"," playbook for a closer look at how modern SaaS companies operate HIPAA at startup speed.",[16,4597,4598],{},"Ready to tighten your HIPAA program? 
Start a free trial or book a demo from the top of this page.",{"title":257,"searchDepth":258,"depth":258,"links":4600},[4601,4602,4605,4610,4611,4616,4617,4618,4619,4620,4621,4624,4625],{"id":4169,"depth":258,"text":4170},{"id":4190,"depth":258,"text":4191,"children":4603},[4604],{"id":4239,"depth":264,"text":4240},{"id":4251,"depth":258,"text":4252,"children":4606},[4607,4608,4609],{"id":4258,"depth":264,"text":4259},{"id":4293,"depth":264,"text":4294},{"id":4312,"depth":264,"text":4313},{"id":4319,"depth":258,"text":4320},{"id":4338,"depth":258,"text":4339,"children":4612},[4613,4614,4615],{"id":3304,"depth":264,"text":3305},{"id":3361,"depth":264,"text":3362},{"id":3397,"depth":264,"text":3398},{"id":4384,"depth":258,"text":4385},{"id":302,"depth":258,"text":4399},{"id":4411,"depth":258,"text":247},{"id":4446,"depth":258,"text":1187},{"id":4460,"depth":258,"text":4461},{"id":4499,"depth":258,"text":4500,"children":4622},[4623],{"id":4528,"depth":264,"text":4529},{"id":4540,"depth":258,"text":4541},{"id":4583,"depth":258,"text":4584},{"title":4627,"description":4628,"items":4629},"HIPAA launch kit","Guided steps keep privacy, security, and ops in sync from day one.",[4630,4631,4632,4633,4634],"Safeguard library with ownership matrix","Evidence tracking for access logs and configs","BAA tracker with renewal reminders","Incident and breach response templates","Stakeholder portal with PHI redaction controls",{"title":4636,"description":4637},"Launch HIPAA monitoring in minutes","Kick off the free trial and invite stakeholders before your next diligence call.",{"title":4639,"items":4640},"HIPAA compliance frequently asked questions",[4641,4644,4647,4650,4653],{"label":4642,"content":4643},"Who needs to comply with HIPAA?","HIPAA applies to covered entities (health plans, healthcare providers, clearinghouses) and business associates — any vendor or subcontractor that creates, receives, maintains, or transmits protected health information (PHI). 
SaaS companies serving healthcare customers almost always qualify as business associates.",{"label":4645,"content":4646},"What is a Business Associate Agreement (BAA)?","A BAA is a legally required contract between a covered entity and a business associate that establishes permitted uses and disclosures of PHI, requires appropriate safeguards, and outlines breach notification responsibilities. No PHI should be shared with a vendor before a BAA is signed.",{"label":4648,"content":4649},"What are the penalties for HIPAA violations?","HIPAA penalties range from $100 to $50,000 per violation depending on the level of negligence, with annual maximums up to $1.5 million per violation category. Criminal penalties can include fines up to $250,000 and imprisonment. The HHS Office for Civil Rights enforces compliance.",{"label":4651,"content":4652},"Does HIPAA apply to SaaS companies?","Yes. Any SaaS company that handles, stores, or transmits PHI on behalf of a healthcare organization is considered a business associate under HIPAA and must comply with the Security Rule, Privacy Rule, and Breach Notification Rule.",{"label":4654,"content":4655},"What are the three HIPAA safeguard categories?","HIPAA requires administrative safeguards (policies, training, risk assessments), physical safeguards (facility access, workstation security), and technical safeguards (access controls, encryption, audit logging) to protect electronic PHI.",{"headline":4657,"title":4658,"description":4659,"links":4660},"HIPAA-ready cloud teams","Stay HIPAA compliant while shipping product weekly","episki maps administrative, physical, and technical safeguards to your systems and keeps PHI protections verifiable.",[4661,4665],{"label":4662,"icon":4663,"to":4664},"Start HIPAA trial","i-lucide-rocket","https:\u002F\u002Fepiski.app\u002Fauth\u002Fregister",{"label":4666,"icon":4667,"color":4668,"variant":4669,"to":4670,"target":4671},"Book a 
demo","i-lucide-message-circle","neutral","subtle","https:\u002F\u002Fcalendly.com\u002Fjustinleapline\u002Fepiski-demo","_blank",{},{"headline":4674,"title":4674,"description":4675,"items":4676},"HIPAA enablement","Keep leadership, customers, and partners aligned.",[4677,4680,4683],{"title":4678,"description":4679},"Board-ready posture report","Shows maturity score, risk trends, and upcoming audits.",{"title":4681,"description":4682},"Customer FAQ pack","Answers the most common HIPAA diligence questions.",{"title":4684,"description":4685},"Ops automation guide","Explains how to plug security tasks into existing tools.",{"title":4687,"description":4688},"HIPAA Compliance Management Software","Map HIPAA safeguards, track PHI evidence, and manage BAAs in one secure workspace. Get audit-ready in 30 days with episki's free trial.",[4690,4693,4696],{"value":4691,"description":4692},"30-day rollout","Average time to production monitoring across safeguards.",{"value":4694,"description":4695},"PHI-safe sharing","Role-based portals keep sensitive documents organized and protected.",{"value":4697,"description":4698},"24\u002F7 alerts","Continuous monitoring for access, logging, and vendor risks.","5.frameworks\u002Fhipaa","kCp_xKHobI3ImW1d3oQnreKycgEB8pRTkldsfQQSaso",[4702,4894,5071,5185],{"id":4703,"title":4704,"body":4705,"description":257,"extension":278,"lastUpdated":294,"meta":4885,"navigation":296,"path":4299,"relatedFrameworks":4886,"relatedTerms":4887,"seo":4889,"slug":1452,"stem":4892,"term":4710,"__hash__":4893},"glossary\u002F8.glossary\u002Fbusiness-associate.md","Business Associate",{"type":8,"value":4706,"toc":4875},[4707,4711,4714,4718,4721,4765,4767,4770,4801,4805,4808,4819,4822,4826,4829,4843,4846,4850,4853,4864,4867,4869],[11,4708,4710],{"id":4709},"what-is-a-business-associate","What is a Business Associate?",[16,4712,4713],{},"A business associate (BA) under HIPAA is any person or organization that creates, receives, maintains, or transmits Protected 
Health Information (PHI) on behalf of a covered entity, or provides services to a covered entity that involve access to PHI. Business associates are directly subject to certain HIPAA requirements and must sign a Business Associate Agreement (BAA) with each covered entity they serve.",[51,4715,4717],{"id":4716},"common-examples-of-business-associates","Common examples of business associates",[16,4719,4720],{},"Many types of organizations qualify as business associates:",[137,4722,4723,4729,4735,4741,4747,4753,4759],{},[74,4724,4725,4728],{},[59,4726,4727],{},"Cloud service providers"," — hosting companies that store ePHI (such as AWS, Azure, or Google Cloud when used for health data)",[74,4730,4731,4734],{},[59,4732,4733],{},"IT service providers"," — managed service providers, consultants, or contractors with access to systems containing PHI",[74,4736,4737,4740],{},[59,4738,4739],{},"SaaS vendors"," — software platforms that process, store, or transmit PHI (EHR systems, telehealth platforms, billing software)",[74,4742,4743,4746],{},[59,4744,4745],{},"Billing and coding companies"," — organizations that process claims or handle billing data containing PHI",[74,4748,4749,4752],{},[59,4750,4751],{},"Legal and accounting firms"," — when their work involves reviewing or handling PHI",[74,4754,4755,4758],{},[59,4756,4757],{},"Data analytics firms"," — companies that analyze health data on behalf of covered entities",[74,4760,4761,4764],{},[59,4762,4763],{},"Shredding and destruction companies"," — vendors that dispose of physical or electronic media containing PHI",[51,4766,168],{"id":167},[16,4768,4769],{},"The HITECH Act extended direct liability to business associates for certain HIPAA requirements. 
Business associates must:",[137,4771,4772,4777,4783,4789,4795],{},[74,4773,4774,4776],{},[59,4775,769],{}," — maintain administrative, physical, and technical safeguards appropriate to the sensitivity of the PHI they handle",[74,4778,4779,4782],{},[59,4780,4781],{},"Report breaches"," — notify the covered entity of any breach of unsecured PHI without unreasonable delay, and no later than 60 days after discovery",[74,4784,4785,4788],{},[59,4786,4787],{},"Comply with the Security Rule"," — business associates are directly subject to HIPAA Security Rule requirements",[74,4790,4791,4794],{},[59,4792,4793],{},"Limit PHI use"," — use and disclose PHI only as permitted by the BAA or as required by law",[74,4796,4797,4800],{},[59,4798,4799],{},"Manage subcontractors"," — ensure that any subcontractors with access to PHI also sign BAAs and comply with HIPAA requirements",[51,4802,4804],{"id":4803},"subcontractor-business-associates","Subcontractor business associates",[16,4806,4807],{},"A business associate that engages its own subcontractors who will handle PHI must enter into BAAs with those subcontractors. 
This creates a chain of accountability:",[137,4809,4810,4813,4816],{},[74,4811,4812],{},"The covered entity signs a BAA with the business associate",[74,4814,4815],{},"The business associate signs a BAA with its subcontractor",[74,4817,4818],{},"The subcontractor has the same obligations as the business associate regarding PHI protection",[16,4820,4821],{},"This chain ensures that PHI is protected at every level, regardless of how many vendors are involved.",[51,4823,4825],{"id":4824},"penalties-for-noncompliance","Penalties for noncompliance",[16,4827,4828],{},"Business associates face the same penalties as covered entities for HIPAA violations:",[137,4830,4831,4834,4837,4840],{},[74,4832,4833],{},"Civil penalties ranging from $100 to $50,000 per violation",[74,4835,4836],{},"Annual caps of $1.5 million per violation category",[74,4838,4839],{},"Criminal penalties for knowing violations, including fines up to $250,000 and imprisonment",[74,4841,4842],{},"OCR enforcement actions, corrective action plans, and resolution agreements",[16,4844,4845],{},"Several high-profile enforcement actions have targeted business associates directly, demonstrating that HHS holds business associates accountable independent of the covered entities they serve.",[51,4847,4849],{"id":4848},"how-to-determine-if-you-are-a-business-associate","How to determine if you are a business associate",[16,4851,4852],{},"Ask these questions:",[71,4854,4855,4858,4861],{},[74,4856,4857],{},"Does your organization handle PHI on behalf of a covered entity or another business associate?",[74,4859,4860],{},"Do your services involve creating, receiving, maintaining, or transmitting PHI?",[74,4862,4863],{},"Do you have access to systems or data that contain PHI?",[16,4865,4866],{},"If any answer is yes, your organization is likely a business associate and must comply with HIPAA requirements and maintain appropriate BAAs.",[51,4868,1406],{"id":1405},[16,4870,4871,4872,42],{},"episki helps business associates 
build and maintain their HIPAA compliance programs by providing pre-built control frameworks, evidence collection workflows, and BAA management. The platform demonstrates compliance to covered entity customers and streamlines security questionnaire responses. Learn more on our ",[23,4873,4874],{"href":35},"HIPAA compliance page",{"title":257,"searchDepth":258,"depth":258,"links":4876},[4877],{"id":4709,"depth":258,"text":4710,"children":4878},[4879,4880,4881,4882,4883,4884],{"id":4716,"depth":264,"text":4717},{"id":167,"depth":264,"text":168},{"id":4803,"depth":264,"text":4804},{"id":4824,"depth":264,"text":4825},{"id":4848,"depth":264,"text":4849},{"id":1405,"depth":264,"text":1406},{},[293],[293,1450,2106,1451,4888,550],"hitech",{"title":4890,"description":4891},"What is a Business Associate? Definition & Compliance Guide","A HIPAA business associate is any vendor or partner that creates, receives, or transmits PHI on behalf of a covered entity. Learn your obligations.","8.glossary\u002Fbusiness-associate","IWuJBW0VhMeqPR5ZMxvBjAKzKspxRXjcuKKtI5AkFMU",{"id":4895,"title":4896,"body":4897,"description":257,"extension":278,"lastUpdated":294,"meta":5063,"navigation":296,"path":4265,"relatedFrameworks":5064,"relatedTerms":5065,"seo":5066,"slug":1451,"stem":5069,"term":4902,"__hash__":5070},"glossary\u002F8.glossary\u002Fcovered-entity.md","Covered Entity",{"type":8,"value":4898,"toc":5054},[4899,4903,4906,4910,4915,4938,4941,4946,4966,4971,4975,4978,5007,5011,5014,5026,5029,5033,5036,5044,5047,5049],[11,4900,4902],{"id":4901},"what-is-a-covered-entity","What is a Covered Entity?",[16,4904,4905],{},"A covered entity is an organization that is directly subject to HIPAA regulations. HIPAA defines three categories of covered entities: healthcare providers who transmit health information electronically, health plans, and healthcare clearinghouses. 
Understanding whether your organization qualifies as a covered entity is the first step in determining your HIPAA compliance obligations.",[51,4907,4909],{"id":4908},"the-three-types-of-covered-entities","The three types of covered entities",[16,4911,4912,4914],{},[59,4913,4280],{}," — any provider of medical or health services who transmits health information in electronic form in connection with a HIPAA-covered transaction. This includes:",[137,4916,4917,4920,4923,4926,4929,4932,4935],{},[74,4918,4919],{},"Hospitals and health systems",[74,4921,4922],{},"Physicians and medical practices",[74,4924,4925],{},"Dentists, chiropractors, and other licensed practitioners",[74,4927,4928],{},"Pharmacies",[74,4930,4931],{},"Clinics and urgent care centers",[74,4933,4934],{},"Nursing facilities",[74,4936,4937],{},"Home health agencies",[16,4939,4940],{},"The key qualifier is electronic transmission. A healthcare provider that conducts all transactions on paper and never transmits health information electronically may not be a covered entity. However, in practice, nearly all providers today transmit information electronically.",[16,4942,4943,4945],{},[59,4944,4274],{}," — organizations that provide or pay for the cost of healthcare. This includes:",[137,4947,4948,4951,4954,4957,4960,4963],{},[74,4949,4950],{},"Health insurance companies",[74,4952,4953],{},"HMOs (Health Maintenance Organizations)",[74,4955,4956],{},"Employer-sponsored group health plans",[74,4958,4959],{},"Government programs such as Medicare, Medicaid, and TRICARE",[74,4961,4962],{},"Long-term care insurance providers",[74,4964,4965],{},"Employee assistance programs that provide health benefits",[16,4967,4968,4970],{},[59,4969,4286],{}," — entities that process health information received from another entity into a standard format (or vice versa). 
Clearinghouses typically sit between providers and health plans, translating data into standardized transaction formats.",[51,4972,4974],{"id":4973},"covered-entity-responsibilities","Covered entity responsibilities",[16,4976,4977],{},"As a covered entity, an organization must comply with all HIPAA rules:",[137,4979,4980,4985,4990,4995,5001],{},[74,4981,4982,4984],{},[59,4983,344],{}," — governs the use and disclosure of PHI, grants individuals rights over their health information, and requires privacy notices",[74,4986,4987,4989],{},[59,4988,228],{}," — requires administrative, physical, and technical safeguards to protect ePHI",[74,4991,4992,4994],{},[59,4993,411],{}," — mandates notification of affected individuals, HHS, and potentially media following a breach of unsecured PHI",[74,4996,4997,5000],{},[59,4998,4999],{},"Enforcement Rule"," — establishes penalties for noncompliance",[74,5002,5003,5006],{},[59,5004,5005],{},"Omnibus Rule"," — extends certain requirements to business associates and strengthens breach notification provisions",[51,5008,5010],{"id":5009},"covered-entity-vs-business-associate","Covered entity vs business associate",[16,5012,5013],{},"The distinction between covered entities and business associates is critical:",[137,5015,5016,5021],{},[74,5017,4262,5018,5020],{},[59,5019,4266],{}," is directly regulated under HIPAA and bears primary responsibility for PHI protection",[74,5022,4262,5023,5025],{},[59,5024,4300],{}," is a vendor or partner that handles PHI on behalf of a covered entity and is regulated through BAAs and certain direct HIPAA obligations",[16,5027,5028],{},"A technology company that builds software for a hospital is typically a business associate, not a covered entity. The hospital is the covered entity. 
However, both have compliance obligations — the covered entity through direct regulation and the business associate through its BAA and HITECH Act provisions.",[51,5030,5032],{"id":5031},"determining-if-you-are-a-covered-entity","Determining if you are a covered entity",[16,5034,5035],{},"To determine whether your organization is a covered entity:",[71,5037,5038,5041],{},[74,5039,5040],{},"Does your organization provide healthcare services, operate a health plan, or function as a clearinghouse?",[74,5042,5043],{},"Does your organization transmit health information electronically in connection with covered transactions (such as claims, eligibility inquiries, or referral authorizations)?",[16,5045,5046],{},"If both answers are yes, your organization is likely a covered entity. If you are unsure, the HHS website provides a covered entity decision tool.",[51,5048,1406],{"id":1405},[16,5050,5051,5052,42],{},"episki helps covered entities manage their HIPAA compliance obligations by tracking required safeguards, documenting policies and procedures, managing business associate agreements, and maintaining breach notification workflows. Learn more on our ",[23,5053,4874],{"href":35},{"title":257,"searchDepth":258,"depth":258,"links":5055},[5056],{"id":4901,"depth":258,"text":4902,"children":5057},[5058,5059,5060,5061,5062],{"id":4908,"depth":264,"text":4909},{"id":4973,"depth":264,"text":4974},{"id":5009,"depth":264,"text":5010},{"id":5031,"depth":264,"text":5032},{"id":1405,"depth":264,"text":1406},{},[293],[293,1450,2106,1452,550],{"title":5067,"description":5068},"What is a Covered Entity? 
Definition & Compliance Guide","A covered entity under HIPAA is a health plan, healthcare provider, or healthcare clearinghouse that transmits health information electronically.","8.glossary\u002Fcovered-entity","DstqLFTpX2iajDvyhNOZLJrMbJilh6wgg763i_tdXhQ",{"id":5072,"title":4142,"body":5073,"description":257,"extension":278,"lastUpdated":294,"meta":5177,"navigation":296,"path":40,"relatedFrameworks":5178,"relatedTerms":5179,"seo":5180,"slug":293,"stem":5183,"term":4170,"__hash__":5184},"glossary\u002F8.glossary\u002Fhipaa.md",{"type":8,"value":5074,"toc":5167},[5075,5077,5080,5084,5106,5110,5113,5124,5127,5130,5144,5148,5151,5155,5158,5162],[11,5076,4170],{"id":4169},[16,5078,5079],{},"HIPAA (Health Insurance Portability and Accountability Act) is a US federal law enacted in 1996 that establishes standards for protecting sensitive patient health information. It applies to covered entities (healthcare providers, health plans, clearinghouses) and their business associates.",[51,5081,5083],{"id":5082},"key-rules","Key rules",[137,5085,5086,5091,5096,5101],{},[74,5087,5088,5090],{},[59,5089,344],{}," — governs the use and disclosure of protected health information (PHI)",[74,5092,5093,5095],{},[59,5094,228],{}," — requires administrative, physical, and technical safeguards for electronic PHI (ePHI)",[74,5097,5098,5100],{},[59,5099,411],{}," — mandates notification of affected individuals and HHS after a data breach",[74,5102,5103,5105],{},[59,5104,4999],{}," — establishes investigation and penalty procedures",[51,5107,5109],{"id":5108},"protected-health-information-phi","Protected Health Information (PHI)",[16,5111,5112],{},"PHI includes any individually identifiable health information, such as:",[137,5114,5115,5118,5121],{},[74,5116,5117],{},"Medical records and diagnoses",[74,5119,5120],{},"Treatment and payment information",[74,5122,5123],{},"Names, addresses, dates of birth, and Social Security numbers when linked to health 
data",[51,5125,2551],{"id":5126},"business-associate-agreements-baas",[16,5128,5129],{},"Any vendor that handles PHI on behalf of a covered entity must sign a BAA. This contract:",[137,5131,5132,5135,5138,5141],{},[74,5133,5134],{},"Defines how the vendor can use and disclose PHI",[74,5136,5137],{},"Requires the vendor to implement appropriate safeguards",[74,5139,5140],{},"Establishes breach notification obligations",[74,5142,5143],{},"Makes the vendor directly liable for HIPAA violations",[51,5145,5147],{"id":5146},"hipaa-penalties","HIPAA penalties",[16,5149,5150],{},"Penalties range from $141 to $2,134,831 per violation depending on the level of negligence, with an annual cap of $2,134,831 per identical violation category. Criminal penalties can include fines up to $250,000 and imprisonment.",[51,5152,5154],{"id":5153},"hipaa-for-saas-companies","HIPAA for SaaS companies",[16,5156,5157],{},"SaaS companies that store, process, or transmit PHI are considered business associates and must comply with HIPAA. Common requirements include encryption at rest and in transit, access controls, audit logging, and incident response procedures.",[51,5159,5161],{"id":5160},"how-episki-helps-with-hipaa","How episki helps with HIPAA",[16,5163,5164,5165,42],{},"episki maps safeguards to your systems, tracks BAA renewals, and provides auditor portals for sharing evidence. Learn more on our ",[23,5166,4874],{"href":35},{"title":257,"searchDepth":258,"depth":258,"links":5168},[5169],{"id":4169,"depth":258,"text":4170,"children":5170},[5171,5172,5173,5174,5175,5176],{"id":5082,"depth":264,"text":5083},{"id":5108,"depth":264,"text":5109},{"id":5126,"depth":264,"text":2551},{"id":5146,"depth":264,"text":5147},{"id":5153,"depth":264,"text":5154},{"id":5160,"depth":264,"text":5161},{},[293],[1450,2106,1451,550],{"title":5181,"description":5182},"What is HIPAA? Healthcare Compliance Requirements Explained","HIPAA is the US federal law protecting health information. 
Learn about the Privacy Rule, Security Rule, BAAs, PHI safeguards, and penalties for non-compliance.","8.glossary\u002Fhipaa","ss95ye7uWJGVzf2zkCfpQl0GdS3eRaX7mvNnNdzpX5Q",{"id":5186,"title":5187,"body":5188,"description":257,"extension":278,"lastUpdated":294,"meta":5381,"navigation":296,"path":4179,"relatedFrameworks":5382,"relatedTerms":5383,"seo":5386,"slug":1450,"stem":5389,"term":5193,"__hash__":5390},"glossary\u002F8.glossary\u002Fphi.md","Phi",{"type":8,"value":5189,"toc":5370},[5190,5194,5197,5201,5204,5218,5222,5225,5281,5284,5288,5291,5294,5298,5301,5315,5318,5322,5325,5342,5345,5349,5352,5363,5365],[11,5191,5193],{"id":5192},"what-is-protected-health-information-phi","What is Protected Health Information (PHI)?",[16,5195,5196],{},"Protected Health Information (PHI) is any individually identifiable health information that is created, received, maintained, or transmitted by a HIPAA covered entity or its business associates. PHI is the central concept in HIPAA regulations — the entire framework exists to protect this category of information.",[51,5198,5200],{"id":5199},"what-qualifies-as-phi","What qualifies as PHI",[16,5202,5203],{},"For information to be classified as PHI, it must meet two criteria:",[71,5205,5206,5212],{},[74,5207,5208,5211],{},[59,5209,5210],{},"It relates to health"," — the information concerns an individual's past, present, or future physical or mental health condition, the provision of healthcare, or payment for healthcare",[74,5213,5214,5217],{},[59,5215,5216],{},"It is individually identifiable"," — the information can be linked to a specific individual through one or more of 18 identifiers defined by HIPAA",[51,5219,5221],{"id":5220},"the-18-hipaa-identifiers","The 18 HIPAA identifiers",[16,5223,5224],{},"HIPAA defines 18 types of identifiers that, when combined with health information, create 
PHI:",[137,5226,5227,5230,5233,5236,5239,5242,5245,5248,5251,5254,5257,5260,5263,5266,5269,5272,5275,5278],{},[74,5228,5229],{},"Names",[74,5231,5232],{},"Geographic data smaller than a state",[74,5234,5235],{},"Dates (except year) related to an individual",[74,5237,5238],{},"Phone numbers",[74,5240,5241],{},"Fax numbers",[74,5243,5244],{},"Email addresses",[74,5246,5247],{},"Social Security numbers",[74,5249,5250],{},"Medical record numbers",[74,5252,5253],{},"Health plan beneficiary numbers",[74,5255,5256],{},"Account numbers",[74,5258,5259],{},"Certificate\u002Flicense numbers",[74,5261,5262],{},"Vehicle identifiers and serial numbers",[74,5264,5265],{},"Device identifiers and serial numbers",[74,5267,5268],{},"Web URLs",[74,5270,5271],{},"IP addresses",[74,5273,5274],{},"Biometric identifiers",[74,5276,5277],{},"Full-face photographs",[74,5279,5280],{},"Any other unique identifying number or code",[16,5282,5283],{},"If health information is stripped of all 18 identifiers following the HIPAA Safe Harbor method, it becomes de-identified data and is no longer subject to HIPAA protections.",[51,5285,5287],{"id":5286},"electronic-phi-ephi","Electronic PHI (ePHI)",[16,5289,5290],{},"Electronic Protected Health Information (ePHI) is PHI that is created, stored, transmitted, or received in electronic form. 
The HIPAA Security Rule specifically addresses safeguards for ePHI, requiring administrative, physical, and technical controls to protect its confidentiality, integrity, and availability.",[16,5292,5293],{},"ePHI includes data in electronic health records, emails containing patient information, digital images, and any other electronic format.",[51,5295,5297],{"id":5296},"phi-vs-pii","PHI vs PII",[16,5299,5300],{},"PHI and personally identifiable information (PII) overlap but are not identical:",[137,5302,5303,5309],{},[74,5304,5305,5308],{},[59,5306,5307],{},"PII"," is any information that can identify an individual, regulated by various federal and state laws",[74,5310,5311,5314],{},[59,5312,5313],{},"PHI"," is specifically health-related PII regulated under HIPAA",[16,5316,5317],{},"A person's name alone is PII but not PHI. A person's name combined with a diagnosis or treatment record is PHI.",[51,5319,5321],{"id":5320},"protecting-phi","Protecting PHI",[16,5323,5324],{},"HIPAA requires covered entities and business associates to implement safeguards to protect PHI:",[137,5326,5327,5332,5337],{},[74,5328,5329,5331],{},[59,5330,3305],{}," — risk assessments, workforce training, access management policies, incident response procedures",[74,5333,5334,5336],{},[59,5335,3362],{}," — facility access controls, workstation security, device and media controls",[74,5338,5339,5341],{},[59,5340,3398],{}," — access controls, audit controls, integrity controls, transmission security (encryption)",[16,5343,5344],{},"The Minimum Necessary Rule further requires that access to PHI be limited to the minimum amount needed for a specific purpose.",[51,5346,5348],{"id":5347},"penalties-for-phi-violations","Penalties for PHI violations",[16,5350,5351],{},"HIPAA violations involving PHI can result in significant penalties:",[137,5353,5354,5357,5360],{},[74,5355,5356],{},"Fines ranging from $100 to $50,000 per violation, up to $1.5 million per year per violation 
category",[74,5358,5359],{},"Criminal penalties including imprisonment for knowing violations",[74,5361,5362],{},"Mandatory breach notification to affected individuals, HHS, and potentially media outlets",[51,5364,1406],{"id":1405},[16,5366,5367,5368,42],{},"episki helps organizations identify where PHI exists in their systems, implement required safeguards, and maintain documentation demonstrating HIPAA compliance. The platform tracks access controls, risk assessments, and business associate agreements to ensure comprehensive PHI protection. Learn more on our ",[23,5369,4874],{"href":35},{"title":257,"searchDepth":258,"depth":258,"links":5371},[5372],{"id":5192,"depth":258,"text":5193,"children":5373},[5374,5375,5376,5377,5378,5379,5380],{"id":5199,"depth":264,"text":5200},{"id":5220,"depth":264,"text":5221},{"id":5286,"depth":264,"text":5287},{"id":5296,"depth":264,"text":5297},{"id":5320,"depth":264,"text":5321},{"id":5347,"depth":264,"text":5348},{"id":1405,"depth":264,"text":1406},{},[293],[293,2106,1451,1452,550,5384,5385],"minimum-necessary-rule","encryption",{"title":5387,"description":5388},"What is Protected Health Information (PHI)? Definition & Compliance Guide","Protected Health Information (PHI) is any individually identifiable health data covered by HIPAA. 
Learn what qualifies as PHI and how to protect it.","8.glossary\u002Fphi","CHxPUxPqy1kZgHT7iBPRFdXQUMn_aZAgXrXwcxCxajU",[5392,5950],{"id":5393,"title":5394,"body":5395,"description":257,"extension":278,"lastUpdated":294,"meta":5933,"navigation":296,"path":5934,"relatedFrameworks":5935,"relatedTerms":5941,"seo":5944,"slug":5947,"stem":5948,"term":5400,"__hash__":5949},"glossary\u002F8.glossary\u002Faccess-control.md","Access Control",{"type":8,"value":5396,"toc":5919},[5397,5401,5404,5408,5411,5437,5441,5447,5453,5459,5465,5469,5472,5478,5495,5501,5515,5521,5532,5536,5539,5590,5594,5597,5611,5615,5618,5641,5645,5648,5697,5701,5704,5817,5820,5823,5852,5856,5862,5865,5901,5904,5907,5910,5912],[11,5398,5400],{"id":5399},"what-is-access-control","What is Access Control?",[16,5402,5403],{},"Access control is the set of policies, procedures, and technical mechanisms that regulate who can access systems, data, and resources within an organization. It ensures that only authorized individuals can view, modify, or interact with sensitive information and critical systems. 
Access control is one of the most fundamental and universally required security controls across every major compliance framework.",[51,5405,5407],{"id":5406},"core-principles","Core principles",[16,5409,5410],{},"Access control is built on several foundational principles:",[137,5412,5413,5419,5425,5431],{},[74,5414,5415,5418],{},[59,5416,5417],{},"Least privilege"," — users are granted only the minimum access necessary to perform their job functions",[74,5420,5421,5424],{},[59,5422,5423],{},"Separation of duties"," — critical tasks are divided among multiple individuals to prevent any single person from having unchecked authority",[74,5426,5427,5430],{},[59,5428,5429],{},"Need to know"," — access to information is restricted to those who require it for a specific purpose",[74,5432,5433,5436],{},[59,5434,5435],{},"Default deny"," — access is denied by default unless explicitly granted",[51,5438,5440],{"id":5439},"types-of-access-control","Types of access control",[16,5442,5443,5446],{},[59,5444,5445],{},"Role-Based Access Control (RBAC)"," — access is determined by the user's role within the organization. Roles are defined with specific permissions, and users are assigned to roles. This is the most common model in enterprise environments.",[16,5448,5449,5452],{},[59,5450,5451],{},"Attribute-Based Access Control (ABAC)"," — access decisions are based on attributes of the user, the resource, and the environment (e.g., department, location, time of day, device type).",[16,5454,5455,5458],{},[59,5456,5457],{},"Discretionary Access Control (DAC)"," — resource owners decide who can access their resources. Common in file systems where owners set permissions.",[16,5460,5461,5464],{},[59,5462,5463],{},"Mandatory Access Control (MAC)"," — access is controlled by the system based on security labels and clearance levels. 
Common in government and military environments.",[51,5466,5468],{"id":5467},"access-control-components","Access control components",[16,5470,5471],{},"A complete access control program addresses:",[16,5473,5474,5477],{},[59,5475,5476],{},"Authentication"," — verifying the identity of users:",[137,5479,5480,5483,5486,5489,5492],{},[74,5481,5482],{},"Passwords and passphrases",[74,5484,5485],{},"Multi-factor authentication (MFA)",[74,5487,5488],{},"Single sign-on (SSO)",[74,5490,5491],{},"Biometric authentication",[74,5493,5494],{},"Certificate-based authentication",[16,5496,5497,5500],{},[59,5498,5499],{},"Authorization"," — determining what authenticated users can do:",[137,5502,5503,5506,5509,5512],{},[74,5504,5505],{},"Permission assignments",[74,5507,5508],{},"Role definitions",[74,5510,5511],{},"Access control lists",[74,5513,5514],{},"Policy enforcement points",[16,5516,5517,5520],{},[59,5518,5519],{},"Access lifecycle management"," — managing access throughout the user lifecycle:",[137,5522,5523,5526,5529],{},[74,5524,5525],{},"Provisioning (granting access when hired or role changes)",[74,5527,5528],{},"Review (periodic access certification)",[74,5530,5531],{},"Deprovisioning (revoking access upon termination or role change)",[51,5533,5535],{"id":5534},"access-control-in-compliance-frameworks","Access control in compliance frameworks",[16,5537,5538],{},"Every major framework requires access control:",[137,5540,5541,5548,5562,5572,5581],{},[74,5542,5543,5547],{},[59,5544,5545],{},[23,5546,4536],{"href":4535}," — CC6.1 through CC6.8 cover logical and physical access controls",[74,5549,5550,5556,5557,5561],{},[59,5551,5552],{},[23,5553,5555],{"href":5554},"\u002Fframeworks\u002Fiso27001","ISO 27001"," — ",[23,5558,5560],{"href":5559},"\u002Fglossary\u002Fannex-a","Annex A"," controls A.5.15 through A.5.18 and A.8.2 through A.8.5 address access management",[74,5563,5564,5568,5569,5571],{},[59,5565,5566],{},[23,5567,4510],{"href":35}," — the 
",[23,5570,228],{"href":25}," requires access controls for ePHI (45 CFR 164.312(a))",[74,5573,5574,5580],{},[59,5575,5576],{},[23,5577,5579],{"href":5578},"\u002Fframeworks\u002Fpci","PCI DSS"," — Requirements 7 and 8 address access restriction and user identification",[74,5582,5583,5589],{},[59,5584,5585],{},[23,5586,5588],{"href":5587},"\u002Fframeworks\u002Fnistcsf","NIST CSF"," — PR.AC covers identity management, authentication, and access control",[51,5591,5593],{"id":5592},"access-reviews","Access reviews",[16,5595,5596],{},"Regular access reviews (also called access certifications) are a critical control:",[137,5598,5599,5602,5605,5608],{},[74,5600,5601],{},"Review user access rights periodically (quarterly is common for sensitive systems)",[74,5603,5604],{},"Verify that access aligns with current job responsibilities",[74,5606,5607],{},"Identify and remove excessive or unnecessary access",[74,5609,5610],{},"Document review results and remediation actions",[51,5612,5614],{"id":5613},"common-access-control-weaknesses","Common access control weaknesses",[16,5616,5617],{},"Even well-designed access control programs can degrade over time without ongoing attention. 
Watch for these common issues:",[137,5619,5620,5623,5626,5629,5632,5635,5638],{},[74,5621,5622],{},"Excessive permissions that accumulate over time (privilege creep)",[74,5624,5625],{},"Shared or generic accounts that prevent individual accountability",[74,5627,5628],{},"Delayed deprovisioning when employees leave or change roles",[74,5630,5631],{},"Lack of MFA on critical systems and remote access paths",[74,5633,5634],{},"Inconsistent access review processes with no documented remediation",[74,5636,5637],{},"Service accounts with standing privileged access and no rotation schedule",[74,5639,5640],{},"Lack of visibility into SaaS application access outside the corporate IdP",[51,5642,5644],{"id":5643},"implementing-access-control-in-practice","Implementing access control in practice",[16,5646,5647],{},"Effective access control programs start with planning and build toward automation. The following steps provide a practical roadmap for organizations at any maturity level:",[71,5649,5650,5656,5662,5668,5674,5680,5691],{},[74,5651,5652,5655],{},[59,5653,5654],{},"Map your environment"," — inventory all systems, applications, and data repositories that require access controls. You cannot protect what you have not identified. Include SaaS applications, cloud infrastructure, on-premises servers, databases, file shares, and third-party integrations.",[74,5657,5658,5661],{},[59,5659,5660],{},"Define roles based on job functions"," — create roles that reflect organizational responsibilities, not individual users. Align roles to the principle of least privilege so each role includes only the permissions required for that function. Review role definitions annually and whenever organizational structure changes.",[74,5663,5664,5667],{},[59,5665,5666],{},"Centralize authentication with SSO"," — implement single sign-on using SAML 2.0 or OpenID Connect (OIDC) to unify identity across cloud and on-premises systems. 
Centralized authentication reduces password sprawl and gives security teams a single point of enforcement. Ensure all business-critical applications are integrated with your SSO provider before considering the rollout complete.",[74,5669,5670,5673],{},[59,5671,5672],{},"Layer MFA on all critical systems"," — require multi-factor authentication for remote access, privileged accounts, email, cloud consoles, and any system that touches sensitive data. Phishing-resistant methods such as FIDO2 hardware keys are preferred over SMS-based codes. At a minimum, enforce MFA on identity providers, admin consoles, and VPN access.",[74,5675,5676,5679],{},[59,5677,5678],{},"Automate provisioning and deprovisioning"," — connect your HR system to your identity provider (IdP) and use SCIM or directory sync to automate account creation, role assignment, and account removal. When an employee is terminated in the HR system, access should be revoked within minutes, not days. Automation eliminates the human error that leads to orphaned accounts and privilege creep.",[74,5681,5682,5685,5686,5690],{},[59,5683,5684],{},"Build an access request and approval workflow"," — establish a formal process where users request access with documented business justification, managers approve, and the request is logged for audit. This creates an ",[23,5687,5689],{"href":5688},"\u002Fglossary\u002Faudit-trail","audit trail"," that satisfies compliance requirements.",[74,5692,5693,5696],{},[59,5694,5695],{},"Monitor and log access events"," — collect authentication and authorization logs centrally. Monitor for anomalies such as failed login attempts, access from unusual locations, and privilege escalation. Logs are essential for incident response and audit evidence.",[51,5698,5700],{"id":5699},"access-control-requirements-by-framework","Access control requirements by framework",[16,5702,5703],{},"Different frameworks address the same access control concepts with different control references. 
The table below maps common requirements to their framework-specific identifiers:",[1893,5705,5706,5723],{},[1896,5707,5708],{},[1899,5709,5710,5713,5715,5717,5719,5721],{},[1902,5711,5712],{},"Requirement",[1902,5714,4536],{},[1902,5716,5555],{},[1902,5718,4510],{},[1902,5720,5579],{},[1902,5722,5588],{},[1912,5724,5725,5745,5764,5783,5800],{},[1899,5726,5727,5730,5733,5736,5739,5742],{},[1917,5728,5729],{},"Unique user IDs",[1917,5731,5732],{},"CC6.1",[1917,5734,5735],{},"A.5.16",[1917,5737,5738],{},"§164.312(a)(2)(i)",[1917,5740,5741],{},"Req 8.2.1",[1917,5743,5744],{},"PR.AC-1",[1899,5746,5747,5750,5752,5755,5758,5761],{},[1917,5748,5749],{},"MFA",[1917,5751,5732],{},[1917,5753,5754],{},"A.8.5",[1917,5756,5757],{},"Addressable",[1917,5759,5760],{},"Req 8.4",[1917,5762,5763],{},"PR.AC-7",[1899,5765,5766,5768,5771,5774,5777,5780],{},[1917,5767,5593],{},[1917,5769,5770],{},"CC6.2",[1917,5772,5773],{},"A.5.18",[1917,5775,5776],{},"§164.312(a)(1)",[1917,5778,5779],{},"Req 7.2",[1917,5781,5782],{},"PR.AC-4",[1899,5784,5785,5787,5790,5793,5795,5798],{},[1917,5786,5417],{},[1917,5788,5789],{},"CC6.3",[1917,5791,5792],{},"A.5.15",[1917,5794,5776],{},[1917,5796,5797],{},"Req 7.1",[1917,5799,5782],{},[1899,5801,5802,5805,5807,5809,5812,5815],{},[1917,5803,5804],{},"Deprovisioning",[1917,5806,5770],{},[1917,5808,5773],{},[1917,5810,5811],{},"§164.312(a)(2)(ii)",[1917,5813,5814],{},"Req 8.2.6",[1917,5816,5744],{},[16,5818,5819],{},"Organizations subject to multiple frameworks can use this mapping to build a unified access control program that satisfies overlapping requirements without duplicating effort.",[16,5821,5822],{},"A few notes on framework-specific nuances:",[137,5824,5825,5830,5838,5845],{},[74,5826,5827,5829],{},[59,5828,4510],{}," treats MFA as an \"addressable\" implementation specification, meaning covered entities must implement it or document why an equivalent alternative is reasonable. 
In practice, most organizations implement MFA because the risk of not doing so is difficult to justify.",[74,5831,5832,5837],{},[59,5833,5834,5836],{},[23,5835,5579],{"href":5578}," v4.0"," expanded MFA requirements (Req 8.4) to include all access into the cardholder data environment, not just remote access. Organizations processing card data should verify their MFA coverage meets the updated scope.",[74,5839,5840,5844],{},[59,5841,5842],{},[23,5843,4536],{"href":4535}," does not prescribe specific technologies but evaluates whether the controls in place are suitably designed and operating effectively. Auditors will look for evidence that access control policies are enforced consistently.",[74,5846,5847,5851],{},[59,5848,5849],{},[23,5850,5588],{"href":5587}," provides a flexible, risk-based approach. The PR.AC subcategory identifiers map to more detailed controls in NIST SP 800-53, which organizations can reference for implementation guidance.",[51,5853,5855],{"id":5854},"zero-trust-and-access-control","Zero trust and access control",[16,5857,5858,5859,42],{},"Traditional access control models assume that users inside the network perimeter can be trusted. Zero trust architecture rejects that assumption entirely: ",[59,5860,5861],{},"never trust, always verify",[16,5863,5864],{},"In a zero trust model, every access request is authenticated, authorized, and encrypted regardless of where it originates. Key principles include:",[137,5866,5867,5873,5879,5889,5895],{},[74,5868,5869,5872],{},[59,5870,5871],{},"Continuous verification"," — access decisions are re-evaluated throughout a session, not just at login. 
Changes in user behavior, location, or risk score can trigger step-up authentication or session termination.",[74,5874,5875,5878],{},[59,5876,5877],{},"Micro-segmentation"," — network resources are divided into small, isolated zones so that compromising one segment does not grant lateral access to others.",[74,5880,5881,5884,5885,5888],{},[59,5882,5883],{},"Device posture checks"," — the security state of the connecting device (patch level, endpoint protection status, disk ",[23,5886,5385],{"href":5887},"\u002Fglossary\u002Fencryption",") is evaluated before access is granted.",[74,5890,5891,5894],{},[59,5892,5893],{},"Identity-centric perimeter"," — the network perimeter is replaced by identity as the primary security boundary. Every user, device, and workload must prove its identity before accessing any resource.",[74,5896,5897,5900],{},[59,5898,5899],{},"Least privilege enforcement at the session level"," — access grants are scoped to the specific resource and action needed, and they expire when the session ends or conditions change.",[16,5902,5903],{},"NIST SP 800-207 defines the zero trust architecture and provides guidance on implementation. Many compliance frameworks are increasingly aligning their access control requirements with zero trust principles, making it a forward-looking strategy for organizations building or modernizing their access control programs.",[16,5905,5906],{},"Zero trust is not a single product but an architectural approach that spans identity, network, endpoints, and data.",[16,5908,5909],{},"Adopting zero trust does not require replacing your existing access control infrastructure overnight. Most organizations begin by enforcing MFA universally, segmenting their most sensitive assets, and adding device posture checks to their conditional access policies. 
Over time, these incremental improvements compound into a mature zero trust posture.",[51,5911,1406],{"id":1405},[16,5913,5914,5915,42],{},"episki tracks access control policies, monitors review schedules, and documents access provisioning and deprovisioning activities. The platform sends reminders for periodic access reviews and maintains evidence for auditors. Learn more on our ",[23,5916,5918],{"href":5917},"\u002Fframeworks","compliance platform",{"title":257,"searchDepth":258,"depth":258,"links":5920},[5921],{"id":5399,"depth":258,"text":5400,"children":5922},[5923,5924,5925,5926,5927,5928,5929,5930,5931,5932],{"id":5406,"depth":264,"text":5407},{"id":5439,"depth":264,"text":5440},{"id":5467,"depth":264,"text":5468},{"id":5534,"depth":264,"text":5535},{"id":5592,"depth":264,"text":5593},{"id":5613,"depth":264,"text":5614},{"id":5643,"depth":264,"text":5644},{"id":5699,"depth":264,"text":5700},{"id":5854,"depth":264,"text":5855},{"id":1405,"depth":264,"text":1406},{},"\u002Fglossary\u002Faccess-control",[5936,5937,5938,293,5939,5940],"cmmc","soc2","iso27001","pci","nistcsf",[5384,5942,5385,5943],"audit-trail","user-entity-controls",{"title":5945,"description":5946},"Access Control in Compliance: RBAC, MFA & Least Privilege","Access control restricts system and data access to authorized users. 
Learn RBAC, MFA, least privilege, and requirements across SOC 2, ISO 27001, HIPAA, and PCI DSS.","access-control","8.glossary\u002Faccess-control","aw9J1nXzlNuRVpTr3vx46B0ijrBB9hLxb3SnjmXE6cE",{"id":5951,"title":5952,"body":5953,"description":257,"extension":278,"lastUpdated":294,"meta":6167,"navigation":296,"path":5688,"relatedFrameworks":6168,"relatedTerms":6169,"seo":6173,"slug":5942,"stem":6176,"term":5958,"__hash__":6177},"glossary\u002F8.glossary\u002Faudit-trail.md","Audit Trail",{"type":8,"value":5954,"toc":6157},[5955,5959,5962,5966,5969,6007,6010,6030,6034,6037,6059,6063,6066,6110,6114,6117,6131,6133,6150,6152],[11,5956,5958],{"id":5957},"what-is-an-audit-trail","What is an Audit Trail?",[16,5960,5961],{},"An audit trail is a chronological record of activities, events, and changes within a system or process that provides documentary evidence of the sequence of actions performed. Audit trails answer the fundamental questions: who did what, when did they do it, where did it happen, and what was the result. 
They are essential for security monitoring, incident investigation, compliance demonstration, and accountability.",[51,5963,5965],{"id":5964},"what-audit-trails-capture","What audit trails capture",[16,5967,5968],{},"Effective audit trails typically record:",[137,5970,5971,5977,5983,5989,5995,6001],{},[74,5972,5973,5976],{},[59,5974,5975],{},"User actions"," — logins, logouts, data access, data modifications, privilege changes",[74,5978,5979,5982],{},[59,5980,5981],{},"System events"," — configuration changes, service starts and stops, errors, failures",[74,5984,5985,5988],{},[59,5986,5987],{},"Administrative actions"," — user account creation and deletion, permission changes, policy updates",[74,5990,5991,5994],{},[59,5992,5993],{},"Data changes"," — creation, modification, and deletion of records, including before and after values where applicable",[74,5996,5997,6000],{},[59,5998,5999],{},"Access attempts"," — both successful and failed authentication and authorization attempts",[74,6002,6003,6006],{},[59,6004,6005],{},"Security events"," — firewall rule changes, intrusion detection alerts, malware detections",[16,6008,6009],{},"Each audit trail entry should include:",[137,6011,6012,6015,6018,6021,6024,6027],{},[74,6013,6014],{},"Timestamp (synchronized across systems)",[74,6016,6017],{},"User or system identity",[74,6019,6020],{},"Action performed",[74,6022,6023],{},"Target resource or data",[74,6025,6026],{},"Outcome (success or failure)",[74,6028,6029],{},"Source (IP address, device, or location)",[51,6031,6033],{"id":6032},"audit-trail-requirements-across-frameworks","Audit trail requirements across frameworks",[16,6035,6036],{},"Multiple compliance frameworks require audit trails:",[137,6038,6039,6044,6049,6054],{},[74,6040,6041,6043],{},[59,6042,4536],{}," — CC7.2 requires monitoring of system components for anomalies, and CC6.1 requires logical access controls with logging",[74,6045,6046,6048],{},[59,6047,5555],{}," — control A.8.15 addresses logging, and 
A.8.17 addresses clock synchronization for accurate audit trails",[74,6050,6051,6053],{},[59,6052,4510],{}," — the Security Rule requires audit controls that record and examine activity in systems containing ePHI (45 CFR 164.312(b))",[74,6055,6056,6058],{},[59,6057,5579],{}," — Requirement 10 mandates logging and monitoring all access to network resources and cardholder data",[51,6060,6062],{"id":6061},"implementing-audit-trails","Implementing audit trails",[16,6064,6065],{},"To implement effective audit trails:",[71,6067,6068,6074,6080,6086,6092,6098,6104],{},[74,6069,6070,6073],{},[59,6071,6072],{},"Enable logging"," — activate audit logging on all in-scope systems including applications, databases, operating systems, and network devices",[74,6075,6076,6079],{},[59,6077,6078],{},"Centralize logs"," — aggregate logs into a central platform (SIEM) for correlation and analysis",[74,6081,6082,6085],{},[59,6083,6084],{},"Protect integrity"," — ensure logs cannot be modified or deleted by users, including administrators",[74,6087,6088,6091],{},[59,6089,6090],{},"Synchronize time"," — use NTP to ensure timestamps are consistent across all systems",[74,6093,6094,6097],{},[59,6095,6096],{},"Define retention"," — establish retention periods aligned with compliance and business requirements",[74,6099,6100,6103],{},[59,6101,6102],{},"Monitor actively"," — review audit trails for suspicious activity, not just for compliance evidence",[74,6105,6106,6109],{},[59,6107,6108],{},"Automate alerts"," — configure alerts for critical events such as failed login attempts, privilege escalation, and unauthorized access",[51,6111,6113],{"id":6112},"audit-trail-retention","Audit trail retention",[16,6115,6116],{},"Retention requirements vary by framework and jurisdiction:",[137,6118,6119,6122,6125,6128],{},[74,6120,6121],{},"PCI DSS requires at least 12 months of audit trail history, with the most recent 3 months immediately available",[74,6123,6124],{},"HIPAA requires documentation 
retention for 6 years",[74,6126,6127],{},"ISO 27001 does not specify a fixed period but requires organizations to define and follow their own retention policy",[74,6129,6130],{},"SOC 2 audit periods typically require evidence covering the observation period",[51,6132,1358],{"id":1357},[137,6134,6135,6138,6141,6144,6147],{},[74,6136,6137],{},"Insufficient logging — missing critical events or systems",[74,6139,6140],{},"Log overload — logging too much without meaningful analysis",[74,6142,6143],{},"No log protection — allowing administrators to modify or delete logs",[74,6145,6146],{},"Inconsistent timestamps — making it impossible to correlate events across systems",[74,6148,6149],{},"No review process — collecting logs but never analyzing them",[51,6151,1406],{"id":1405},[16,6153,6154,6155,42],{},"episki integrates with your logging infrastructure to track compliance-relevant events, maintain audit trail records, and demonstrate continuous monitoring to auditors. The platform maps audit trail capabilities to framework requirements and flags gaps in coverage. Learn more on our ",[23,6156,5918],{"href":5917},{"title":257,"searchDepth":258,"depth":258,"links":6158},[6159],{"id":5957,"depth":258,"text":5958,"children":6160},[6161,6162,6163,6164,6165,6166],{"id":5964,"depth":264,"text":5965},{"id":6032,"depth":264,"text":6033},{"id":6061,"depth":264,"text":6062},{"id":6112,"depth":264,"text":6113},{"id":1357,"depth":264,"text":1358},{"id":1405,"depth":264,"text":1406},{},[5937,5938,293,5939],[6170,5947,6171,6172],"evidence-collection","continuous-monitoring","incident-response",{"title":6174,"description":6175},"What is an Audit Trail? 
Definition & Compliance Guide","An audit trail is a chronological record of system activities that provides evidence of who did what, when, and where for security and compliance purposes.","8.glossary\u002Faudit-trail","TS31vs1S2ZQUFvm3zNALCcZaNNrpPCRC6ZQBgh0zKdE",[6179,6348],{"id":5,"title":6,"body":6180,"description":277,"extension":278,"faq":6338,"frameworkSlug":293,"lastUpdated":294,"meta":6344,"navigation":296,"path":297,"relatedTerms":6345,"relatedTopics":6346,"seo":6347,"stem":307,"__hash__":308},{"type":8,"value":6181,"toc":6320},[6182,6184,6186,6196,6198,6200,6202,6206,6208,6210,6228,6230,6232,6234,6236,6238,6240,6244,6246,6248,6250,6260,6262,6264,6268,6270,6276,6278,6280,6284,6286,6290,6292,6302,6306,6308,6312,6316,6318],[11,6183,14],{"id":13},[16,6185,18],{},[16,6187,21,6188,27,6190,32,6192,37,6194,42],{},[23,6189,26],{"href":25},[23,6191,31],{"href":30},[23,6193,36],{"href":35},[23,6195,41],{"href":40},[11,6197,46],{"id":45},[16,6199,49],{},[51,6201,54],{"id":53},[16,6203,57,6204,62],{},[59,6205,61],{},[51,6207,66],{"id":65},[16,6209,69],{},[71,6211,6212,6216,6220,6224],{},[74,6213,6214,79],{},[59,6215,78],{},[74,6217,6218,85],{},[59,6219,84],{},[74,6221,6222,91],{},[59,6223,90],{},[74,6225,6226,97],{},[59,6227,96],{},[16,6229,100],{},[51,6231,104],{"id":103},[16,6233,107],{},[11,6235,111],{"id":110},[16,6237,114],{},[51,6239,118],{"id":117},[16,6241,121,6242,125],{},[59,6243,124],{},[16,6245,128],{},[51,6247,132],{"id":131},[16,6249,135],{},[137,6251,6252,6256],{},[74,6253,6254,144],{},[59,6255,143],{},[74,6257,6258,150],{},[59,6259,149],{},[16,6261,153],{},[51,6263,157],{"id":156},[16,6265,160,6266,164],{},[59,6267,163],{},[51,6269,168],{"id":167},[16,6271,171,6272,175,6274,180],{},[59,6273,174],{},[23,6275,179],{"href":178},[16,6277,183],{},[11,6279,187],{"id":186},[16,6281,190,6282,194],{},[59,6283,193],{},[11,6285,198],{"id":197},[16,6287,201,6288,205],{},[59,6289,204],{},[16,6291,208],{},[137,6293,6294,6298],{},[74,6295,6296,216],{},[59,6297,215],{
},[74,6299,6300,222],{},[59,6301,221],{},[16,6303,225,6304,229],{},[23,6305,228],{"href":25},[11,6307,233],{"id":232},[16,6309,6310,240],{},[23,6311,239],{"href":238},[16,6313,243,6314,248],{},[23,6315,247],{"href":246},[11,6317,252],{"id":251},[16,6319,255],{},{"title":257,"searchDepth":258,"depth":258,"links":6321},[6322,6323,6328,6334,6335,6336,6337],{"id":13,"depth":258,"text":14},{"id":45,"depth":258,"text":46,"children":6324},[6325,6326,6327],{"id":53,"depth":264,"text":54},{"id":65,"depth":264,"text":66},{"id":103,"depth":264,"text":104},{"id":110,"depth":258,"text":111,"children":6329},[6330,6331,6332,6333],{"id":117,"depth":264,"text":118},{"id":131,"depth":264,"text":132},{"id":156,"depth":264,"text":157},{"id":167,"depth":264,"text":168},{"id":186,"depth":258,"text":187},{"id":197,"depth":258,"text":198},{"id":232,"depth":258,"text":233},{"id":251,"depth":258,"text":252},{"items":6339},[6340,6341,6342,6343],{"label":282,"content":283},{"label":285,"content":286},{"label":288,"content":289},{"label":291,"content":292},{},[293],[300,301,302,303],{"title":305,"description":306},{"id":310,"title":311,"body":6349,"description":545,"extension":278,"faq":546,"frameworkSlug":293,"lastUpdated":294,"meta":6504,"navigation":296,"path":178,"relatedTerms":6505,"relatedTopics":6506,"seo":6507,"stem":554,"__hash__":555},{"type":8,"value":6350,"toc":6487},[6351,6353,6355,6357,6363,6365,6371,6373,6375,6377,6379,6383,6385,6387,6389,6391,6393,6433,6435,6439,6441,6443,6445,6447,6449,6451,6453,6457,6459,6461,6483],[11,6352,317],{"id":316},[16,6354,320],{},[16,6356,323],{},[16,6358,326,6359,329,6361,42],{},[23,6360,36],{"href":35},[23,6362,41],{"href":40},[11,6364,335],{"id":334},[16,6366,338,6367,341,6369,42],{},[23,6368,228],{"href":25},[23,6370,344],{"href":30},[16,6372,347],{},[51,6374,351],{"id":350},[16,6376,354],{},[11,6378,358],{"id":357},[16,6380,361,6381,365],{},[59,6382,364],{},[51,6384,369],{"id":368},[16,6386,372],{},[11,6388,376],{"id":375},[16,6390,379],{},[16,6
392,382],{},[137,6394,6395,6401,6407,6413,6417,6421,6425,6429],{},[74,6396,6397,390,6399,393],{},[59,6398,389],{},[23,6400,344],{"href":30},[74,6402,6403,399,6405,402],{},[59,6404,398],{},[23,6406,228],{"href":25},[74,6408,6409,408,6411,412],{},[59,6410,407],{},[23,6412,411],{"href":297},[74,6414,6415,418],{},[59,6416,417],{},[74,6418,6419,424],{},[59,6420,423],{},[74,6422,6423,430],{},[59,6424,429],{},[74,6426,6427,436],{},[59,6428,435],{},[74,6430,6431,442],{},[59,6432,441],{},[11,6434,446],{"id":445},[16,6436,449,6437,453],{},[59,6438,452],{},[51,6440,457],{"id":456},[16,6442,460],{},[51,6444,464],{"id":463},[16,6446,467],{},[51,6448,471],{"id":470},[16,6450,474],{},[11,6452,478],{"id":477},[16,6454,6455,483],{},[23,6456,239],{"href":238},[11,6458,487],{"id":486},[16,6460,490],{},[137,6462,6463,6467,6471,6475,6479],{},[74,6464,6465,498],{},[59,6466,497],{},[74,6468,6469,504],{},[59,6470,503],{},[74,6472,6473,510],{},[59,6474,509],{},[74,6476,6477,516],{},[59,6478,515],{},[74,6480,6481,522],{},[59,6482,521],{},[16,6484,243,6485,527],{},[23,6486,247],{"href":246},{"title":257,"searchDepth":258,"depth":258,"links":6488},[6489,6490,6493,6496,6497,6502,6503],{"id":316,"depth":258,"text":317},{"id":334,"depth":258,"text":335,"children":6491},[6492],{"id":350,"depth":264,"text":351},{"id":357,"depth":258,"text":358,"children":6494},[6495],{"id":368,"depth":264,"text":369},{"id":375,"depth":258,"text":376},{"id":445,"depth":258,"text":446,"children":6498},[6499,6500,6501],{"id":456,"depth":264,"text":457},{"id":463,"depth":264,"text":464},{"id":470,"depth":264,"text":471},{"id":477,"depth":258,"text":478},{"id":486,"depth":258,"text":487},{},[293],[300,301,550,303],{"title":552,"description":553},{"id":4141,"title":4142,"advantages":6509,"body":6516,"checklist":6823,"cta":6825,"description":257,"extension":278,"faq":6826,"hero":6833,"meta":6837,"name":4510,"navigation":296,"path":35,"resources":6838,"seo":6843,"slug":293,"stats":6844,"stem":4699,"__hash__":4700},[6510,65
12,6514],{"title":4145,"description":4146,"bullets":6511},[4148,4149,4150],{"title":4152,"description":4153,"bullets":6513},[4155,4156,4157],{"title":4159,"description":4160,"bullets":6515},[4162,4163,4164],{"type":8,"value":6517,"toc":6796},[6518,6520,6522,6528,6530,6532,6534,6562,6564,6566,6570,6572,6574,6576,6580,6594,6596,6598,6602,6606,6608,6610,6612,6614,6616,6622,6624,6626,6628,6630,6638,6640,6646,6648,6650,6654,6656,6658,6660,6664,6666,6670,6672,6674,6678,6680,6696,6698,6700,6702,6706,6708,6710,6728,6730,6732,6734,6736,6750,6752,6754,6758,6760,6762,6782,6786,6788,6790,6794],[11,6519,4170],{"id":4169},[16,6521,4173],{},[16,6523,4176,6524,4181,6526,4184],{},[23,6525,4180],{"href":4179},[23,6527,41],{"href":40},[16,6529,4187],{},[11,6531,4191],{"id":4190},[16,6533,4194],{},[137,6535,6536,6540,6544,6548,6554,6558],{},[74,6537,6538,4202],{},[59,6539,4201],{},[74,6541,6542,4208],{},[59,6543,4207],{},[74,6545,6546,4214],{},[59,6547,4213],{},[74,6549,6550,4220,6552,4224],{},[59,6551,4219],{},[23,6553,4223],{"href":2104},[74,6555,6556,4230],{},[59,6557,4229],{},[74,6559,6560,4236],{},[59,6561,4235],{},[51,6563,4240],{"id":4239},[16,6565,4243],{},[16,6567,4246,6568,42],{},[23,6569,4240],{"href":2104},[11,6571,4252],{"id":4251},[16,6573,4255],{},[51,6575,4259],{"id":4258},[16,6577,4262,6578,4267],{},[23,6579,4266],{"href":4265},[137,6581,6582,6586,6590],{},[74,6583,6584,4275],{},[59,6585,4274],{},[74,6587,6588,4281],{},[59,6589,4280],{},[74,6591,6592,4287],{},[59,6593,4286],{},[16,6595,4290],{},[51,6597,4294],{"id":4293},[16,6599,4262,6600,4301],{},[23,6601,4300],{"href":4299},[16,6603,4304,6604,4309],{},[23,6605,4308],{"href":4307},[51,6607,4313],{"id":4312},[16,6609,4316],{},[11,6611,4320],{"id":4319},[16,6613,4323],{},[16,6615,4326],{},[16,6617,4329,6618,4332,6620,4335],{},[23,6619,31],{"href":30},[23,6621,3178],{"href":2369},[11,6623,4339],{"id":4338},[16,6625,4342],{},[16,6627,4345],{},[51,6629,3305],{"id":3304},[16,6631,4350,6632,4353,6634,4356,6636,4359],{},[23,
6633,1350],{"href":1349},[23,6635,2277],{"href":2276},[23,6637,2852],{"href":1448},[51,6639,3362],{"id":3361},[16,6641,4364,6642,573,6644,4370],{},[23,6643,1345],{"href":1344},[23,6645,4369],{"href":1643},[51,6647,3398],{"id":3397},[16,6649,4375],{},[16,6651,4378,6652,4381],{},[23,6653,26],{"href":25},[11,6655,4385],{"id":4384},[16,6657,4388],{},[16,6659,4391],{},[16,6661,4394,6662,4381],{},[23,6663,6],{"href":297},[11,6665,4399],{"id":302},[16,6667,4402,6668,4405],{},[23,6669,4308],{"href":178},[16,6671,4408],{},[11,6673,247],{"id":4411},[16,6675,4414,6676,4417],{},[23,6677,247],{"href":246},[16,6679,4420],{},[137,6681,6682,6684,6686,6688,6690,6692,6694],{},[74,6683,4425],{},[74,6685,4428],{},[74,6687,4431],{},[74,6689,4434],{},[74,6691,4437],{},[74,6693,4440],{},[74,6695,4443],{},[11,6697,1187],{"id":4446},[16,6699,4449],{},[16,6701,4452],{},[16,6703,4455,6704,4381],{},[23,6705,1187],{"href":1186},[11,6707,4461],{"id":4460},[16,6709,4464],{},[137,6711,6712,6716,6720,6724],{},[74,6713,6714,4472],{},[59,6715,4471],{},[74,6717,6718,4478],{},[59,6719,4477],{},[74,6721,6722,4484],{},[59,6723,4483],{},[74,6725,6726,4490],{},[59,6727,4489],{},[16,6729,4493],{},[16,6731,4496],{},[11,6733,4500],{"id":4499},[16,6735,4503],{},[137,6737,6738,6742,6746],{},[74,6739,6740,4511],{},[59,6741,4510],{},[74,6743,6744,4516],{},[59,6745,4223],{},[74,6747,6748,4522],{},[59,6749,4521],{},[16,6751,4525],{},[51,6753,4529],{"id":4528},[16,6755,4532,6756,4537],{},[23,6757,4536],{"href":4535},[11,6759,4541],{"id":4540},[16,6761,4544],{},[71,6763,6764,6766,6768,6770,6772,6774,6776,6778,6780],{},[74,6765,4549],{},[74,6767,4552],{},[74,6769,4555],{},[74,6771,4558],{},[74,6773,4561],{},[74,6775,4564],{},[74,6777,4567],{},[74,6779,4570],{},[74,6781,4573],{},[16,6783,4576,6784,4580],{},[23,6785,4579],{"href":238},[11,6787,4584],{"id":4583},[16,6789,4587],{},[16,6791,4590,6792,4595],{},[23,6793,4594],{"href":4593},[16,6795,4598],{},{"title":257,"searchDepth":258,"depth":258,"links":6797},[6798,6799,
6802,6807,6808,6813,6814,6815,6816,6817,6818,6821,6822],{"id":4169,"depth":258,"text":4170},{"id":4190,"depth":258,"text":4191,"children":6800},[6801],{"id":4239,"depth":264,"text":4240},{"id":4251,"depth":258,"text":4252,"children":6803},[6804,6805,6806],{"id":4258,"depth":264,"text":4259},{"id":4293,"depth":264,"text":4294},{"id":4312,"depth":264,"text":4313},{"id":4319,"depth":258,"text":4320},{"id":4338,"depth":258,"text":4339,"children":6809},[6810,6811,6812],{"id":3304,"depth":264,"text":3305},{"id":3361,"depth":264,"text":3362},{"id":3397,"depth":264,"text":3398},{"id":4384,"depth":258,"text":4385},{"id":302,"depth":258,"text":4399},{"id":4411,"depth":258,"text":247},{"id":4446,"depth":258,"text":1187},{"id":4460,"depth":258,"text":4461},{"id":4499,"depth":258,"text":4500,"children":6819},[6820],{"id":4528,"depth":264,"text":4529},{"id":4540,"depth":258,"text":4541},{"id":4583,"depth":258,"text":4584},{"title":4627,"description":4628,"items":6824},[4630,4631,4632,4633,4634],{"title":4636,"description":4637},{"title":4639,"items":6827},[6828,6829,6830,6831,6832],{"label":4642,"content":4643},{"label":4645,"content":4646},{"label":4648,"content":4649},{"label":4651,"content":4652},{"label":4654,"content":4655},{"headline":4657,"title":4658,"description":4659,"links":6834},[6835,6836],{"label":4662,"icon":4663,"to":4664},{"label":4666,"icon":4667,"color":4668,"variant":4669,"to":4670,"target":4671},{},{"headline":4674,"title":4674,"description":4675,"items":6839},[6840,6841,6842],{"title":4678,"description":4679},{"title":4681,"description":4682},{"title":4684,"description":4685},{"title":4687,"description":4688},[6845,6846,6847],{"value":4691,"description":4692},{"value":4694,"description":4695},{"value":4697,"description":4698},{"id":6849,"title":6850,"body":6851,"comparison":6942,"competitorA":6987,"competitorB":6988,"cta":6989,"description":257,"extension":278,"faq":546,"hero":6992,"meta":7000,"navigation":296,"path":7001,"seo":7002,"slug":7005,"slugA":7006,
"slugB":7007,"stem":7008,"verdict":7009,"__hash__":7013},"compareVs\u002F7.compare\u002Fvs\u002Fdrata-vs-secureframe.md","Drata Vs Secureframe",{"type":8,"value":6852,"toc":6932},[6853,6857,6860,6864,6867,6873,6876,6880,6883,6886,6889,6893,6896,6899,6903,6906,6909,6913,6916,6919,6923,6926,6929],[11,6854,6856],{"id":6855},"drata-vs-secureframe-the-closest-comparison-in-compliance","Drata vs Secureframe: the closest comparison in compliance",[16,6858,6859],{},"If Vanta is the 800-pound gorilla, Drata and Secureframe are the two challengers most often compared against each other. They target similar buyers, cover similar frameworks, and offer similar automation. The differences are real but subtle — and they matter most in how your team experiences the platform day to day.",[51,6861,6863],{"id":6862},"feature-parity-with-different-emphasis","Feature parity with different emphasis",[16,6865,6866],{},"On paper, Drata and Secureframe look nearly identical. Both automate evidence collection, monitor your compliance posture continuously, support 15+ frameworks, and provide auditor-facing portals. The overlap is so significant that choosing between them often comes down to three factors: onboarding style, dashboard experience, and pricing.",[16,6868,6869,6872],{},[59,6870,6871],{},"Onboarding style"," is the clearest differentiator. Drata leans toward self-serve. The platform guides you through integration setup, control mapping, and evidence configuration with in-app workflows. For teams with compliance experience, this speed is an advantage — you can be operational in 1–2 weeks without waiting for a human to walk you through every step.",[16,6874,6875],{},"Secureframe takes the opposite approach. Every customer gets access to dedicated compliance managers who help interpret requirements, map controls to your environment, and prepare for audit. 
This white-glove model adds a week or two to implementation but dramatically reduces the learning curve for first-time audit teams.",[51,6877,6879],{"id":6878},"the-dashboard-question","The dashboard question",[16,6881,6882],{},"Drata's compliance dashboard is one of its signature features. The real-time posture view shows passing and failing controls across every framework, with compliance percentages and trend data. For compliance leads who report to a CISO or board, this visual layer simplifies status updates and makes it easy to demonstrate progress.",[16,6884,6885],{},"Secureframe also provides dashboards, but they feel more functional than visual. The platform surfaces actionable items — controls that need attention, evidence that's expiring, gaps to remediate — in a task-oriented format. It's effective, but it doesn't deliver the same at-a-glance executive view that Drata provides.",[16,6887,6888],{},"For teams that need board-ready compliance reporting, Drata has the edge. For teams that care more about daily workflow and task management, Secureframe's approach may feel more productive.",[51,6890,6892],{"id":6891},"integration-depth","Integration depth",[16,6894,6895],{},"Secureframe holds a slight advantage in integration count, with 150+ connections compared to Drata's 100+. The extra integrations primarily cover developer tools, identity providers, and security platforms. For teams running complex stacks with multiple CI\u002FCD pipelines, vulnerability scanners, and endpoint management tools, Secureframe's broader integration library means less manual evidence collection.",[16,6897,6898],{},"Drata's integrations, while fewer in number, tend to offer deeper configuration options for the platforms they do support. 
If your stack is standard — AWS or GCP, Okta or Google Workspace, GitHub, and a common HR tool — both platforms will serve you equally well.",[51,6900,6902],{"id":6901},"pricing-opacity","Pricing opacity",[16,6904,6905],{},"Neither Drata nor Secureframe publishes pricing. Both require a sales conversation to get a quote, and both scale based on team size, framework count, and contract terms. Based on market data, Drata typically starts around $10,000–$15,000\u002Fyr while Secureframe starts slightly lower at $8,000–$12,000\u002Fyr. At scale, both reach $30,000–$50,000\u002Fyr for larger organizations.",[16,6907,6908],{},"This pricing opacity creates a frustrating buying experience. You can't model costs internally before engaging sales. You can't easily compare options. And renewal conversations often involve price increases that are hard to predict at the time of initial purchase.",[51,6910,6912],{"id":6911},"where-both-platforms-struggle","Where both platforms struggle",[16,6914,6915],{},"The irony of comparing Drata and Secureframe is that their most significant limitations are shared. Both use pricing models that punish team growth. Both rely on templated control libraries that resist customization. Both treat policy documentation as a secondary concern — something generated through forms rather than crafted through a proper writing experience.",[16,6917,6918],{},"And both lock you into their workflow assumptions. If your compliance program doesn't map cleanly to their templates — if you run hybrid frameworks, need custom controls, or want to structure programs differently than the default — you'll spend time working around the platform instead of working within it.",[51,6920,6922],{"id":6921},"the-case-for-a-different-approach","The case for a different approach",[16,6924,6925],{},"When two products are this similar, the deciding factor often isn't which one is better — it's whether either one is the right category of tool for your needs. 
If you want maximum automation and are comfortable with enterprise pricing, Drata and Secureframe both deliver.",[16,6927,6928],{},"But if you want flat pricing at $500\u002Fmo, a Notion-like editor for compliance documentation, and the freedom to build programs that reflect how your team actually operates — episki offers something neither Drata nor Secureframe provides. No per-seat scaling. No opaque quotes. No templated policies that read like every other company's.",[16,6930,6931],{},"Just a workspace your compliance team will use daily, at a price that doesn't make your CFO wince.",{"title":257,"searchDepth":258,"depth":258,"links":6933},[6934],{"id":6855,"depth":258,"text":6856,"children":6935},[6936,6937,6938,6939,6940,6941],{"id":6862,"depth":264,"text":6863},{"id":6878,"depth":264,"text":6879},{"id":6891,"depth":264,"text":6892},{"id":6901,"depth":264,"text":6902},{"id":6911,"depth":264,"text":6912},{"id":6921,"depth":264,"text":6922},[6943,6948,6952,6957,6962,6967,6972,6977,6982],{"feature":6944,"competitorA":6945,"competitorB":6946,"episki":6947},"Pricing model","Custom pricing, typically starting around $10,000–$15,000\u002Fyr","Custom pricing, typically starting around $8,000–$12,000\u002Fyr","Flat $500\u002Fmo or $5,000\u002Fyr with unlimited seats",{"feature":6949,"competitorA":6950,"competitorB":6950,"episki":6951},"Framework coverage","SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, and 15+ frameworks","SOC 2, ISO 27001, HIPAA, PCI DSS, NIST CSF, and custom frameworks",{"feature":6953,"competitorA":6954,"competitorB":6955,"episki":6956},"Automation depth","Automated evidence collection with real-time compliance dashboards","Automated monitoring with continuous evidence collection and alerts","AI-assisted drafting and structured workflows with manual evidence uploads",{"feature":6958,"competitorA":6959,"competitorB":6960,"episki":6961},"Integration count","100+ integrations covering major cloud and SaaS platforms","150+ integrations covering cloud, identity, 
HR, and developer tools","Growing integration library with focus on structured evidence reuse",{"feature":6963,"competitorA":6964,"competitorB":6965,"episki":6966},"Auditor collaboration","Auditor-facing portal with read-only access and evidence downloads","Auditor-ready evidence rooms with structured access controls","Built-in auditor portal with scoped access and Q&A threads",{"feature":6968,"competitorA":6969,"competitorB":6970,"episki":6971},"AI features","AI-assisted control mapping and compliance recommendations","AI-driven compliance recommendations and automated risk scoring","AI drafts policies, narratives, remediation steps, and questionnaire answers",{"feature":6973,"competitorA":6974,"competitorB":6975,"episki":6976},"Implementation time","1–3 weeks with self-serve setup and optional guided onboarding","2–3 weeks with guided onboarding and compliance expertise","Same-day setup with self-serve onboarding and optional demo",{"feature":6978,"competitorA":6979,"competitorB":6980,"episki":6981},"Support model","In-app chat, email support, and dedicated CSM for larger accounts","Dedicated compliance managers, email, and in-app support","Direct founder access, in-app chat, and shared Slack channels",{"feature":6983,"competitorA":6984,"competitorB":6985,"episki":6986},"Free trial","Demo-based sales process, limited free trial availability","Demo-based sales process, no public free trial","14-day free trial with full access, no credit card required","Drata","Secureframe",{"title":6990,"description":6991},"Skip the comparison. Try episki free.","14-day trial with full access. No credit card required.",{"headline":6993,"title":6994,"description":6995,"links":6996},"Drata vs Secureframe","Similar features, different approaches to compliance automation","Compare Drata and Secureframe across pricing, onboarding, and compliance workflows. 
Two closely matched platforms with subtle but important differences for your team.",[6997,6999],{"label":6998,"icon":4663,"to":4664},"Try episki free",{"label":4666,"icon":4667,"color":4668,"variant":4669,"to":4670,"target":4671},{},"\u002Fcompare\u002Fvs\u002Fdrata-vs-secureframe",{"title":7003,"description":7004},"Drata vs Secureframe (2026): Pricing, Features & Honest Comparison","Drata vs Secureframe compared on pricing, onboarding, framework coverage, and compliance automation. See which platform fits your team — or why neither might be the best choice.","drata-vs-secureframe","drata","secureframe","7.compare\u002Fvs\u002Fdrata-vs-secureframe",{"chooseA":7010,"chooseB":7011,"chooseEpiski":7012},"Choose Drata if you value self-serve speed and visual compliance dashboards. Drata gets you operational faster and provides the clearest real-time view of your compliance posture — ideal for teams with in-house compliance knowledge.","Choose Secureframe if you want more hands-on guidance from dedicated compliance managers. Secureframe's human-led onboarding is better for teams running their first audit without experienced GRC staff.","Choose episki if you want transparent pricing, a writing-first editor, and the flexibility to structure programs your way. episki is for teams that want to own their compliance narrative without paying enterprise prices.","HuA5a0qhJVkEPHNLT6GY_VEempd7yA1ONnXItxDt-ZQ",{"id":7015,"title":6987,"advantages":7016,"body":7038,"comparison":7089,"competitor":6987,"cta":7116,"description":257,"extension":278,"hero":7119,"meta":7128,"navigation":296,"path":7129,"seo":7130,"slug":7006,"stem":7133,"__hash__":7134},"compare\u002F7.compare\u002Fdrata.md",[7017,7024,7031],{"title":7018,"description":7019,"bullets":7020},"One flat price for everything","episki includes unlimited frameworks, teammates, and portals for a single monthly or annual fee. 
No tiers, no negotiations.",[7021,7022,7023],"Add frameworks without upgrading to a higher tier","Invite auditors, customers, and stakeholders at no extra cost","Predictable billing that does not scale with headcount",{"title":7025,"description":7026,"bullets":7027},"Connected programs and assessments","episki treats compliance as connected work. Programs, assessments, controls, tasks, and issues link together so nothing falls through the cracks.",[7028,7029,7030],"Run recurring programs and one-time assessments side by side","Tasks inherit context from parent controls and programs","Evidence attaches once and stays available across every framework",{"title":7032,"description":7033,"bullets":7034},"Fast, keyboard-driven workspace","episki is built for people who spend hours in the tool. Keyboard shortcuts, global search, and a rich editor make daily compliance work feel fast.",[7035,7036,7037],"Navigate between programs, controls, and evidence without lifting your hands","Inline editing for policies, narratives, and response drafts","Dark mode and responsive layout for any screen",{"type":8,"value":7039,"toc":7084},[7040,7044,7047,7050,7070,7074,7077,7081],[11,7041,7043],{"id":7042},"why-teams-evaluate-drata-alternatives","Why teams evaluate Drata alternatives",[16,7045,7046],{},"Drata has built a comprehensive compliance automation platform with strong automated evidence collection and a wide library of supported frameworks. 
It works well for organizations that want continuous monitoring with minimal manual intervention.",[16,7048,7049],{},"Some teams look for alternatives when they need:",[137,7051,7052,7058,7064],{},[74,7053,7054,7057],{},[59,7055,7056],{},"Simpler pricing"," — Drata's tiered pricing based on framework count and company size can make budgeting unpredictable, especially for organizations running multiple frameworks or growing quickly.",[74,7059,7060,7063],{},[59,7061,7062],{},"Unified program management"," — teams managing overlapping compliance programs want controls, evidence, and tasks connected across frameworks in a single workspace rather than managed as separate compliance tracks.",[74,7065,7066,7069],{},[59,7067,7068],{},"A daily-use workspace"," — compliance teams that spend significant time writing, reviewing, and collaborating want an editor and navigation experience that feels productive rather than transactional.",[11,7071,7073],{"id":7072},"when-drata-might-be-the-better-fit","When Drata might be the better fit",[16,7075,7076],{},"Drata is a strong choice for teams that prioritize automated continuous monitoring and need a platform with deep integration coverage across cloud, identity, HR, and development tools. If your primary concern is automating evidence collection and you operate in a well-defined framework like SOC 2 or ISO 27001, Drata's automation depth is compelling.",[11,7078,7080],{"id":7079},"when-episki-shines","When episki shines",[16,7082,7083],{},"episki is designed for teams that view compliance as ongoing, cross-functional work rather than a monitoring dashboard. 
If you run multiple programs, collaborate with auditors directly in the tool, and want a workspace that feels as fast as your engineering tools, episki delivers a different kind of compliance experience.",{"title":257,"searchDepth":258,"depth":258,"links":7085},[7086,7087,7088],{"id":7042,"depth":258,"text":7043},{"id":7072,"depth":258,"text":7073},{"id":7079,"depth":258,"text":7080},[7090,7092,7093,7097,7101,7104,7108,7112],{"feature":6944,"episki":6947,"competitor":7091},"Tiered pricing based on framework count and company size",{"feature":6949,"episki":6951,"competitor":6950},{"feature":7094,"episki":7095,"competitor":7096},"Control management","Linked control graph with cross-framework reuse and ownership","Control library with automated testing and monitoring",{"feature":7098,"episki":7099,"competitor":7100},"Evidence collection","Manual uploads with structured ownership and reuse across frameworks","Automated evidence collection with 100+ integrations",{"feature":7102,"episki":6971,"competitor":7103},"AI assistance","AI-powered compliance automation",{"feature":7105,"episki":7106,"competitor":7107},"Risk management","Risk registers with remediation tracking tied to controls","Built-in risk management with scoring and treatment plans",{"feature":7109,"episki":7110,"competitor":7111},"Editor experience","Notion-like rich text editor with inline editing","Structured forms and workflow-based interface",{"feature":7113,"episki":7114,"competitor":7115},"Collaboration","Built-in auditor portal, customer portals, and team workspaces","Auditor-facing dashboards and team collaboration features",{"title":7117,"description":7118},"Try episki side by side with Drata","Start a free trial with all features enabled. Import your controls and see the difference.",{"headline":7120,"title":7121,"description":7122,"links":7123},"episki vs Drata","How episki compares to Drata for compliance teams","A head-to-head on pricing, workflow design, and framework flexibility. 
See why teams that want a faster, more collaborative compliance workspace switch from Drata to episki.",[7124,7126],{"label":7125,"icon":4663,"to":4664},"Start free trial",{"label":7127,"icon":4667,"color":4668,"variant":4669,"to":4670,"target":4671},"See a live demo",{},"\u002Fcompare\u002Fdrata",{"title":7131,"description":7132},"episki vs Drata (2026): Pricing, Flexibility & Why Teams Switch","Compare episki and Drata on pricing, workflow design, and framework flexibility. See why compliance teams switch from Drata to episki.","7.compare\u002Fdrata","rehdI9NC6n1m3mFaD-M9xGliPjg5awlPauCt-LCW_es",{"id":7136,"title":7137,"api":546,"authors":7138,"body":7144,"category":7323,"date":7324,"description":7325,"extension":278,"features":546,"fixes":546,"highlight":546,"image":7326,"improvements":546,"meta":7328,"navigation":296,"path":7330,"seo":7331,"stem":7332,"__hash__":7333},"posts\u002F3.now\u002Fdefined-roles-pci-compliance-mistakes.md","Defined Roles in PCI: The Compliance Mistakes That Fly Under the Radar",[7139],{"name":7140,"to":7141,"avatar":7142},"Justin Leapline","https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fjustinleapline\u002F",{"src":7143},"\u002Fimages\u002Fjustinleapline.png",{"type":8,"value":7145,"toc":7315},[7146,7152,7155,7158,7161,7164,7167,7169,7173,7183,7186,7189,7192,7194,7198,7201,7204,7207,7210,7212,7216,7224,7227,7230,7233,7235,7239,7242,7245,7248,7250,7254,7257,7260,7263,7266,7268,7272,7275,7278,7281,7283,7288,7300,7307,7309],[7147,7148,7149],"blockquote",{},[16,7150,7151],{},"When it comes to PCI DSS, most organizations focus on the technical controls — encryption, access management, logging. But one of the most persistent failure points isn't technical at all. It's the question of who owns what. Undefined or poorly assigned roles quietly undermine even the most well-resourced compliance programs. 
This post breaks down the most common role-related mistakes security leaders make in PCI — and what to do differently.",[7153,7154],"hr",{},[16,7156,7157],{},"Most PCI compliance failures don't happen because teams don't know the standard.",[16,7159,7160],{},"They happen because nobody agreed on who was responsible for following it.",[16,7162,7163],{},"It sounds simple. In practice, it's one of the hardest problems in compliance programs — and one of the least discussed. When a QSA walks in for an assessment and finds gaps, the root cause is often not a missing control. It's a missing owner.",[16,7165,7166],{},"For CISOs leading PCI programs, role clarity isn't a nice-to-have. It's the foundation everything else sits on.",[7153,7168],{},[11,7170,7172],{"id":7171},"mistake-1-treating-pci-ownership-as-an-it-problem","Mistake #1: Treating PCI Ownership as an IT Problem",[16,7174,7175,7177,7178,7182],{},[23,7176,5579],{"href":5578}," governs the entire ",[23,7179,7181],{"href":7180},"\u002Fglossary\u002Fcardholder-data-environment","cardholder data environment"," — and the cardholder data environment touches far more than IT.",[16,7184,7185],{},"It includes how sales teams handle card data over the phone. How finance processes refunds. How third-party vendors connect to your systems. How HR onboards employees who access payment infrastructure. And yet, in most organizations, PCI ownership sits almost exclusively with the security or IT team — while the business units that handle cardholder data daily operate with little awareness of their own obligations.",[16,7187,7188],{},"This creates a structural gap. Controls get implemented technically but not operationally. Policies exist on paper but aren't followed in practice because the people they govern don't know they apply to them.",[16,7190,7191],{},"The fix isn't adding more controls. It's expanding the ownership model. 
Every team that touches cardholder data needs a defined role in the compliance program — with accountability, not just awareness.",[7153,7193],{},[11,7195,7197],{"id":7196},"mistake-2-confusing-responsible-with-accountable","Mistake #2: Confusing \"Responsible\" with \"Accountable\"",[16,7199,7200],{},"One of the most reliable ways to spot a broken compliance program is to ask two people on the same team who owns a specific PCI requirement. If you get two different answers — or two blank stares — you have an accountability problem.",[16,7202,7203],{},"The distinction between responsibility and accountability matters here. Responsibility is operational: this person performs the task. Accountability is governance: this person owns the outcome. In PCI, these roles are often blurred or duplicated, which means that when something goes wrong, nobody is clearly on the hook — and when audits come around, multiple people claim ownership of the same control without any of them actually running it.",[16,7205,7206],{},"The RACI model (Responsible, Accountable, Consulted, Informed) is a well-worn solution to this problem — but only when applied with rigor. A RACI matrix that was built two years ago and hasn't been updated since an acquisition, a reorg, or a new product launch is often worse than no RACI at all. It creates false confidence.",[16,7208,7209],{},"PCI role assignments need to be reviewed every time the business changes — not just every time the standard does.",[7153,7211],{},[11,7213,7215],{"id":7214},"mistake-3-letting-vendor-relationships-create-ownership-gaps","Mistake #3: Letting Vendor Relationships Create Ownership Gaps",[16,7217,7218,7219,7223],{},"PCI DSS Requirement 12.8 is clear: organizations are responsible for managing the compliance of all ",[23,7220,7222],{"href":7221},"\u002Fglossary\u002Fthird-party-risk","third-party service providers"," who have access to cardholder data. 
In practice, many organizations interpret this requirement as \"get a copy of their AOC and file it.\"",[16,7225,7226],{},"That's not management. That's documentation.",[16,7228,7229],{},"The gap shows up when a vendor has a breach, when a third-party integration introduces a vulnerability, or when an assessor asks how the organization monitors the compliance posture of its vendors — and the answer is \"we check their certificate once a year.\"",[16,7231,7232],{},"Vendor ownership in PCI requires a named internal owner for each critical third-party relationship. Someone who understands what that vendor does, what data they access, what their contractual security obligations are, and what the escalation path looks like if something goes wrong. Without that, vendor risk exists on paper but is managed by nobody.",[7153,7234],{},[11,7236,7238],{"id":7237},"mistake-4-role-assignments-that-dont-survive-personnel-changes","Mistake #4: Role Assignments That Don't Survive Personnel Changes",[16,7240,7241],{},"PCI roles are often documented at the person level — \"Sarah owns firewall management,\" \"Marco is responsible for log review\" — rather than at the function level. When Sarah leaves or Marco moves to a different team, the role doesn't transfer cleanly. Institutional knowledge walks out the door, and the new person inherits a responsibility they weren't briefed on.",[16,7243,7244],{},"This is especially dangerous in small security teams, where one person often carries multiple PCI functions. When that person leaves without a proper transition, entire sections of the compliance program can become effectively unowned — sometimes for months before anyone notices.",[16,7246,7247],{},"Sustainable role assignment means documenting at the position level, not the individual level. It means keeping role documentation alive and connected to onboarding processes, so that new team members understand their compliance obligations from day one. 
And it means building succession into the program architecture, not treating it as an afterthought.",[7153,7249],{},[11,7251,7253],{"id":7252},"mistake-5-assuming-the-ciso-owns-everything-that-isnt-assigned-elsewhere","Mistake #5: Assuming the CISO Owns Everything That Isn't Assigned Elsewhere",[16,7255,7256],{},"In many organizations, the CISO is the implicit owner of last resort. If a PCI requirement doesn't have a clear owner, it defaults upward — and eventually lands on the security leader's desk.",[16,7258,7259],{},"This is a governance problem masquerading as an efficiency problem. When the CISO is the catch-all for unassigned compliance obligations, two things happen: the CISO is spending time on operational tasks that should be delegated, and the organization's compliance program lacks the distributed ownership structure it needs to function at scale.",[16,7261,7262],{},"The CISO's role in PCI should be strategic: defining the program, setting the accountability structure, owning the relationship with assessors, and reporting to the board on risk posture. The moment the CISO is personally responsible for reviewing firewall rule changes or validating log configurations, something in the ownership model has broken down.",[16,7264,7265],{},"A well-structured PCI program distributes operational ownership to the teams closest to the work — and gives the CISO visibility into all of it without requiring their direct involvement in any of it.",[7153,7267],{},[11,7269,7271],{"id":7270},"what-getting-it-right-actually-looks-like","What Getting It Right Actually Looks Like",[16,7273,7274],{},"The organizations that manage PCI compliance most effectively share a few traits. Their role assignments are documented at the function level and reviewed on a regular cadence. Their business unit owners understand their obligations — not just their technical ones. Their vendor relationships have named internal owners with active oversight responsibilities. 
And their CISO has clear visibility into the program without being buried in its day-to-day operations.",[16,7276,7277],{},"None of this requires a larger team. It requires a more deliberate structure.",[16,7279,7280],{},"PCI compliance isn't won or lost in the technical controls. It's won or lost in the clarity of who owns them, who monitors them, and who is accountable when they fail.",[7153,7282],{},[16,7284,7285],{},[59,7286,7287],{},"Is your PCI ownership model as clear as you think it is?",[16,7289,7290,7291,7295,7296,7299],{},"At ",[23,7292,7294],{"href":7293},"\u002F","episki",", we help security leaders build compliance programs where accountability is real — not just documented. From role mapping to third-party oversight to board-level reporting, we work alongside your team to make sure your ",[23,7297,7298],{"href":5578},"PCI"," program holds up when it matters most.",[16,7301,7302],{},[23,7303,7306],{"href":4670,"rel":7304},[7305],"nofollow","Let's talk →",[7153,7308],{},[16,7310,7311],{},[7312,7313,7314],"em",{},"Compliance on paper isn't compliance. It's paperwork.",{"title":257,"searchDepth":258,"depth":258,"links":7316},[7317,7318,7319,7320,7321,7322],{"id":7171,"depth":258,"text":7172},{"id":7196,"depth":258,"text":7197},{"id":7214,"depth":258,"text":7215},{"id":7237,"depth":258,"text":7238},{"id":7252,"depth":258,"text":7253},{"id":7270,"depth":258,"text":7271},"craft","2026-04-15","Unclear ownership is one of the most common — and costly — failures in PCI compliance. 
Here's what security leaders get wrong about defining roles, and how to fix it.",{"src":7327},"\u002Fimages\u002Fblog\u002FPCI.jpg",{"slug":7329},"defined-roles-pci-compliance-mistakes","\u002Fnow\u002Fdefined-roles-pci-compliance-mistakes",{"title":7137,"description":7325},"3.now\u002Fdefined-roles-pci-compliance-mistakes","0u0CncSJsrHMYJZWMH_BzWgau-vuQTBQ7NdBBVQMz7Q",{"id":7335,"title":7336,"advantages":7337,"body":7359,"checklist":7366,"cta":7375,"description":7363,"extension":278,"faq":546,"hero":7378,"meta":7386,"name":7387,"navigation":296,"path":238,"resources":7388,"seo":7401,"slug":7404,"stats":7405,"stem":7413,"__hash__":7414},"industries\u002F6. industry\u002F1.healthcare.md","Healthcare",[7338,7345,7352],{"title":7339,"description":7340,"bullets":7341},"PHI-aware control mapping","Map administrative, technical, and physical safeguards to your stack without rebuilding every audit.",[7342,7343,7344],"Track EHR, identity, and cloud evidence with structured ownership","Track segmentation, backups, and log retention against HIPAA safeguards","Map once for HIPAA and reuse for HITRUST or regional requirements",{"title":7346,"description":7347,"bullets":7348},"Clinician-friendly workflows","Keep nurses, clinicians, and ops aligned without burying them in tickets.",[7349,7350,7351],"Role-aware tasks routed to the right owner with due dates","Playbooks show “what good looks like” for PHI handling","Attestations and approvals captured inline for auditors",{"title":7353,"description":7354,"bullets":7355},"Auditor and partner collaboration","Give regulators, payers, and partners scoped access instead of email threads.",[7356,7357,7358],"Auditor portal with threaded Q&A per safeguard","Secure uploads with expirations and access controls","Exports for SOC 2, PCI, or privacy questionnaires",{"type":8,"value":7360,"toc":7364},[7361],[16,7362,7363],{},"Healthcare buyers move fast when they trust your safeguards. 
episki keeps PHI protections documented, monitored, and shareable without slowing product or patient care.",{"title":257,"searchDepth":258,"depth":258,"links":7365},[],{"title":7367,"description":7368,"items":7369},"Healthtech compliance checklist","Use this inside your trial to assign owners, attach evidence, and track renewals.",[7370,7371,7372,7373,7374],"HIPAA safeguard library mapped to your systems","BAA tracker with renewal reminders and risk scoring","Incident response runbooks with timelines and owners","Access, logging, and backup verification tasks","Third-party risk reviews tied to PHI data flows",{"title":7376,"description":7377},"Launch a healthtech-ready workspace","Connect your stack, invite stakeholders, and show PHI protections the same day.",{"headline":7379,"title":7380,"description":7381,"links":7382},"HIPAA-grade governance without slowing clinicians","Keep PHI protections provable across cloud apps, clinics, and vendors","episki maps safeguards, automates evidence, and gives auditors scoped access so healthtech teams can keep shipping.",[7383,7385],{"label":7384,"icon":4663,"to":4664},"Start healthtech trial",{"label":4666,"icon":4667,"color":4668,"variant":4669,"to":4670,"target":4671},{},"healthcare and healthtech",{"headline":7389,"title":7389,"description":7390,"items":7391},"Healthcare enablement kit","Keep leadership, clinicians, and auditors aligned on the same story.",[7392,7395,7398],{"title":7393,"description":7394},"PHI data flow deck","Share sanitized diagrams plus segmentation notes for customers and partners.",{"title":7396,"description":7397},"Board + payer brief","Summarize control health, incidents, and remediation in plain language.",{"title":7399,"description":7400},"Auditor-ready workspace","Prebuilt template for requests, evidence, and walkthrough scheduling.",{"title":7402,"description":7403},"Healthcare Compliance Software","HIPAA-ready GRC for healthtech teams. 
Map safeguards, track PHI evidence, and collaborate with auditors in one secure workspace. Start your free trial.","healthcare",[7406,7408,7410],{"value":4691,"description":7407},"Move from baseline controls to monitored safeguards in under a month.",{"value":4694,"description":7409},"Role-based portals keep BAAs, policies, and diagrams organized and protected.",{"value":7411,"description":7412},"Continuous watch","Drift detection across access, logging, vendors, and incidents.","6. industry\u002F1.healthcare","831E5Bdk5x1SUBhE8YrTZtQjqMJj9Q3vjQivX_AG0IQ",1776395357587]