
HIPAA
HIPAA isn't a project you finish. It's a program OCR (the HHS Office for Civil Rights) keeps checking.
Healthcare providers and the health-tech platforms that touch patient data face HIPAA requirements that are specific, enforced, and expensive to get wrong. The trap is treating it as a one-time checklist. It isn't.
What OCR actually catches
The thing that gets people isn't a hacker. It's the risk analysis they never did.
Most organizations think a stack of policies means they're compliant. OCR's most common finding says otherwise: a missing or stale risk analysis, the foundational step the Security Rule requires and almost nobody keeps current. HIPAA is something you maintain, not something you finish.
What HIPAA actually is
HIPAA (HHS / OCR)
Three rules, and OCR enforces every one: Privacy, Security, and Breach Notification.
HIPAA isn't one box to check. It's three standing obligations with real penalties behind them, and they don't pause because you're busy building product or treating patients.
Not a one-time project. A program you keep running.
What the program requires
Four things HIPAA expects you to do, and prove.
Beyond the three rules, this is the work that actually has to exist and be documented.
A real risk analysis
The foundational, recurring requirement. The Security Rule mandates it, and it's the gap OCR cites most. We run it and keep it current.
Administrative, physical, technical safeguards
The Security Rule's three safeguard types for protecting electronic PHI. Specific controls, not optional ones.
Signed BAAs with every vendor
Every vendor that touches ePHI needs a Business Associate Agreement. Most orgs can't produce a complete inventory. We build and track it.
A breach notification plan
Strict timelines to notify individuals, HHS, and sometimes the media. Missing them turns a bad day into a worse one.
Who it's for
If your work touches patient data, HIPAA reaches you.
HIPAA applies to you if:
- You're a healthcare provider, health plan, or clearinghouse (a covered entity).
- Your platform creates, receives, stores, or transmits ePHI for one of them (a business associate).
- You're an EHR, health-tech SaaS, billing, or telehealth product that touches patient data.
- A covered-entity customer needs a signed Business Associate Agreement from you.
How it gets done
Gap analysis to audit-ready, then kept that way.
We run it through Managed GRC: discovery of your ePHI flows, the risk analysis, every policy, the BAA inventory, and evidence, organized and auditor-ready before OCR asks. Because HIPAA is ongoing, most teams pair it with Managed Overwatch for the continuous monitoring the Security Rule expects. We prepare and maintain; we don't conduct the OCR audit.
Questions we hear
Common questions
What does HIPAA actually require?
HIPAA is enforced through three rules. The Privacy Rule governs how Protected Health Information (PHI) is used and disclosed and gives patients rights over their information. The Security Rule requires administrative, physical, and technical safeguards to protect electronic PHI. The Breach Notification Rule requires notifying affected individuals, HHS, and sometimes the media after a breach of unsecured PHI, on strict timelines.
Does HIPAA apply to my health-tech platform if I'm not a provider?
Yes. HIPAA covers covered entities (providers, health plans, clearinghouses) and business associates, any organization that creates, receives, maintains, or transmits ePHI on behalf of a covered entity. That includes EHR vendors, health-tech SaaS, billing services, and telehealth. If your platform touches ePHI, HIPAA applies to you as a business associate, and a signed BAA is required with every covered entity you serve.
What are the most common HIPAA gaps OCR finds?
A missing or stale risk analysis (required by the Security Rule, and OCR's most-cited failure), missing or incomplete Business Associate Agreements, audit logs that aren't enabled or reviewed, and workforce training that isn't documented. We close these before they become findings: we run the risk analysis, build and track the BAA inventory, and document training completion.
How does Simple Plan IT deliver HIPAA compliance?
From gap analysis to audit-ready, with your team doing none of the heavy lifting. We start with a discovery interview of your ePHI flows, safeguards, BAA inventory, and training records, run a gap analysis against the Security Rule's safeguards, draft all required policies, build the BAA inventory, then centralize everything so you're auditor-ready. Because HIPAA is ongoing, we manage the program rather than hand you a binder.
Does Simple Plan IT conduct the OCR audit?
No. We prepare you for it and support you through it. We organize and centralize your evidence so you're auditor-ready before OCR asks, and we stay with you through the process. HIPAA isn't a one-time project, so we build the program and maintain it on an ongoing basis.
HIPAA never really ends. Neither does our watch.
We build the program and keep it current, so your team stays focused on care or product instead of decoding a federal rule.