HIPAA Compliance for Small Healthcare Organizations: A Practical Series
Certification, Attestation, and Ongoing Compliance: What You Can Credibly Tell Your Partners
Across the preceding four posts, we have walked through the threshold analysis, the Business Associate Agreement, the Security Risk Analysis, and the implementation of administrative, physical, and technical safeguards. An organization that has done this work has built a HIPAA compliance program. The last question — and the one that prospective business partners ask most often — is how to demonstrate that program to others.
This final post in the series addresses that question. It also covers the equally important question of how to maintain the program once it is built, because HIPAA compliance is not a one-time achievement. It is an ongoing operational discipline.
The Most Important Thing to Understand About "HIPAA Certification"
There is no official HIPAA certification. HHS does not certify any organization as HIPAA-compliant. No federal agency does. There is no government-issued credential, badge, registry, or accreditation that means "the holder is HIPAA compliant."
OCR has addressed this directly. See OCR, HIPAA FAQ — Does HHS certify electronic health records as HIPAA compliant?, available through the HHS HIPAA FAQ portal (clarifying that HHS does not endorse or certify particular products, services, or organizations for HIPAA compliance). Pub. L. 116-321 (Jan. 5, 2021) amended the HITECH Act through the addition of section 13412 (42 U.S.C. § 17941), directing HHS to consider an organization's adoption of "recognized security practices" when determining penalties and audit outcomes — but adoption of such practices is a mitigating factor, not a certification.
This matters because vendors and consultants routinely market themselves as "HIPAA Certified," and the term has no regulatory meaning. An organization that displays a HIPAA Certified badge in its marketing materials is, at best, telling you that some private third party has assessed its program — which may or may not be meaningful depending on the third party. At worst, it is telling you that the organization paid for a logo.
This does not mean compliance is unprovable. It means the proof comes from a combination of documents and assessments rather than a single credential. Sophisticated business partners — particularly hospitals, health systems, and large health plans — understand this and ask for the right things.
What You Can Credibly Provide
A business associate seeking to demonstrate its compliance posture to a covered entity partner typically offers some combination of:
A signed BAA. This is the most basic and most important element. The BAA itself is the legal mechanism by which the parties acknowledge their respective HIPAA obligations under 45 C.F.R. § 164.504(e) and § 164.314(a) and allocate risk. A signed BAA is necessary; what follows is what makes it credible.
A compliance attestation. A written statement, signed by an authorized officer of the business associate, describing the organization's compliance program. A defensible attestation includes: the date and methodology of the most recent Security Risk Analysis under § 164.308(a)(1)(ii)(A), the existence and version date of the policies and procedures library maintained per § 164.316, the workforce training program under § 164.308(a)(5), the designated Privacy and Security Officers, the incident response capability, and the executed downstream BAAs with subcontractors. Some organizations format this as a "HIPAA Compliance Statement" or "HIPAA Compliance Profile." The document should be updated at least annually.
Summary of safeguards. A description, often at a higher level than internal policy documents, of the administrative, physical, and technical safeguards in place. This is sometimes called a "Security Summary" or "Trust Document." It is appropriate to redact sensitive details (specific vendor names for certain functions, exact configurations) while providing enough information for the partner to assess the program.
Third-party assessment documentation. Independent assessments meaningfully strengthen attestations. The options:
• HIPAA Risk Assessment by a qualified third party. The Security Risk Analysis discussed in Part 3, when conducted by an independent assessor, is a defensible piece of documentation to share (or at least describe) with a partner. Most organizations do not share the full SRA — it contains sensitive information — but share an executive summary or the assessor's attestation letter.
• SOC 2 Type II report. AICPA's framework for assessing service organization controls (AICPA Trust Services Criteria, with the most current revision available at aicpa-cima.com). SOC 2 reports cover security and (optionally) availability, processing integrity, confidentiality, and privacy. SOC 2 is widely understood by procurement teams and overlaps substantially with HIPAA's Security Rule requirements. Many cloud-era business associates pursue SOC 2 as their primary compliance demonstration, sometimes with a HIPAA "mapping" appendix showing how the SOC 2 controls satisfy HIPAA requirements. Cost: typically $30,000 to $100,000 for a Type II report depending on scope and complexity, plus annual renewal costs.
• HITRUST CSF certification. HITRUST is the most rigorous and the most expensive option, and it is the closest thing to a recognized "HIPAA certification" in the market. The HITRUST Common Security Framework integrates HIPAA, NIST, ISO 27001, PCI, and other frameworks into a unified set of controls. HITRUST offers tiered certifications: e1 (essentials, lower cost), i1 (intermediate), and r2 (rigorous, the original framework). For organizations that need to demonstrate compliance to large hospital systems, HITRUST is increasingly the de facto requirement. Cost: $50,000 to $150,000+ for an r2 certification, less for e1 and i1, plus internal staff time and remediation costs. Annual maintenance is required. Detailed framework documentation is available at hitrustalliance.net.
• ISO 27001 certification. The international standard for information security management (ISO/IEC 27001:2022). Less commonly required in U.S. healthcare than SOC 2 or HITRUST, but useful for organizations operating internationally or in adjacent regulated sectors.
Recognized Security Practices documentation. Since the 2021 amendments to the HITECH Act (Pub. L. 116-321, codified at 42 U.S.C. § 17941), regulated entities can submit evidence that they have implemented "recognized security practices" for at least 12 months prior to any audit or breach investigation. OCR is required to consider this evidence as a mitigating factor in enforcement decisions. See OCR, Considerations for Implementing Recognized Security Practices, hhs.gov/hipaa/for-professionals/security/guidance/recognized-security-practices. Recognized practices include the NIST Cybersecurity Framework, the HHS 405(d) program's Health Industry Cybersecurity Practices (HICP) publication, and other approved standards. Documenting recognized security practices adoption is a low-cost step with real enforcement-mitigation value.
For most small business associates, the realistic progression is: launch with a strong attestation backed by a quality SRA and documented program, pursue SOC 2 Type II within the first 12 to 24 months if institutional partnerships require it, and consider HITRUST only if specific large partners require it as a condition of doing business.
What Your Partners Will Likely Ask For
Procurement and information security teams at hospitals and health plans have largely standardized their vendor assessment processes. Expect to be asked for some or all of the following before a partnership begins:
• An executed BAA on terms acceptable to both parties (45 C.F.R. § 164.504(e))
• Completion of a security questionnaire (often based on the Shared Assessments SIG questionnaire or HITRUST Third-Party Assessment Program standards)
• Evidence of a current Security Risk Analysis (45 C.F.R. § 164.308(a)(1)(ii)(A))
• Cyber liability insurance certificate
• SOC 2 Type II report, HITRUST certification, or equivalent third-party assessment
• Documentation of breach response capability (45 C.F.R. §§ 164.404, 164.410)
• Subcontractor management documentation (downstream BAAs per § 164.308(b)(2) and § 164.504(e)(5))
• Workforce training records (45 C.F.R. § 164.308(a)(5))
• Incident history for a defined lookback period
Organizations that have prepared a "vendor due diligence package" with these items ready to share dramatically reduce the friction of partnership conversations. The package can be updated annually and shared under NDA when partnership discussions begin.
Ongoing Compliance: What "Maintaining" the Program Looks Like
A compliance program is not a project with a completion date. It is an operational function that requires recurring activity. The core ongoing obligations:
Annual SRA update. At minimum once per year, and after any material change to the operating environment. See 45 C.F.R. § 164.308(a)(8); OCR Risk Analysis Guidance. Document the review even if findings are unchanged. The proposed Security Rule update at 90 Fed. Reg. 898 would codify the 12-month minimum as an explicit requirement.
Annual workforce training. Initial training at hire, refresher training at least annually, with dated records for every workforce member. Specialized training for workforce members with elevated access or specialized roles (privacy officers, system administrators). Training records must be retained for six years per § 164.530(j)(2).
Quarterly access reviews. Periodic review of who has access to ePHI under § 164.308(a)(4), with documentation of the review and any access modifications resulting from it.
Quarterly log reviews. The Security Officer reviews audit logs from systems containing ePHI for unusual activity, satisfying the information system activity review requirement at § 164.308(a)(1)(ii)(D), with documentation of the review.
Annual policy review. Policies are reviewed at least annually and updated for regulatory changes, operational changes, and lessons learned from incidents. The review must be documented. Policies and supporting documentation must be retained for six years from the later of creation or last effective date under § 164.316(b)(2)(i).
Annual contingency plan testing. The disaster recovery and emergency mode operations plans required by § 164.308(a)(7) must be tested periodically. Tabletop exercises satisfy the requirement for most small organizations; documentation of the exercise and any plan updates resulting from it is essential.
Continuous vendor management. New vendors are vetted before onboarding and BAAs executed before any ePHI is shared. Existing vendor BAAs are tracked for renewal and reviewed when services change.
Incident logging and review. Every security incident — not just confirmed breaches — is logged per § 164.308(a)(6). Periodic review of the incident log identifies patterns and drives program improvements.
Breach response readiness. Breach notification timelines under the Breach Notification Rule (45 C.F.R. §§ 164.400–414) are strict and unforgiving:
• Notification to affected individuals: without unreasonable delay and in no case later than 60 days from discovery (§ 164.404(b))
• Notification to HHS: contemporaneous with individual notification for breaches affecting 500 or more individuals; annually within 60 days of year-end for smaller breaches (§ 164.408)
• Notification to media: for breaches affecting 500 or more residents of a state or jurisdiction (§ 164.406)
• Business associate notification to covered entity: without unreasonable delay and no later than 60 days from discovery (§ 164.410)
The organization needs current contact lists for required notifications, template notification letters reviewed by counsel, and a designated incident commander.
Regulatory monitoring. HIPAA regulations are amended periodically, and OCR issues guidance, frequently asked questions, and enforcement actions that shape compliance expectations. Someone in the organization — usually the Privacy/Security Officer, often with counsel support — must monitor these changes. OCR's Cybersecurity Newsletter (available at hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-archive) is a particularly useful resource, as is the HHS 405(d) program (405d.hhs.gov).
What Periodic External Engagement Looks Like
Beyond the internal program maintenance, most compliance programs benefit from periodic external engagement:
• Annual or biennial third-party SRA refresh, even if internal SRAs are conducted in interim years
• Periodic penetration testing (annually for organizations with significant external attack surface)
• Counsel review of BAA template and material BAA renewals
• Counsel review when material operational changes occur
• Periodic policy review by counsel
The cost of this ongoing engagement is real — typically $25,000 to $75,000 per year for a small organization, in addition to internal staff time and platform costs — but it is dramatically less than the cost of a breach or an OCR enforcement action. Settlements under OCR's Risk Analysis Initiative alone since October 2024 have ranged from $5,000 to over $200,000 for individual small entities, plus the costs of two-year corrective action plans that themselves often exceed initial program costs.
The Realistic Long-Term Cost Picture
For a small healthcare organization or business associate, a realistic compliance budget across the first three years typically looks like:
Year One (build-out): $50,000 to $150,000 in external costs (counsel, SRA, policies, training, technology, certifications if pursued early), plus 0.25 to 1.0 FTE of internal time depending on organizational size.
Year Two (operationalization): $25,000 to $75,000 in external costs for ongoing assessments, policy maintenance, and any pursued certifications, plus continued internal time.
Year Three and Beyond (steady state): $25,000 to $100,000 per year in external costs depending on certifications maintained and scope of operations, plus dedicated internal compliance role at some level (often shared with other functions in smaller organizations).
These numbers vary significantly based on organizational complexity, certifications pursued, and scope of operations. They are meant as planning guidance, not as a definitive estimate for any specific organization.
For context, HHS estimated in the 2024 NPRM preamble (90 Fed. Reg. 898, 1042 et seq.) that the proposed Security Rule update would impose first-year implementation costs of approximately $9.3 billion across all regulated entities — translating to meaningfully higher per-entity costs than the current rule already imposes. Organizations should expect upward cost pressure if the rule is finalized substantially as proposed.
Common Mistakes in the "Demonstration" Phase
Three patterns come up consistently in conversations with business associates about how to present their compliance posture:
Overstating compliance posture. Marketing materials and partnership presentations sometimes overstate what the organization has actually achieved — claiming "HIPAA certified" status that does not exist, claiming completed assessments that are still in progress, or claiming controls that are not fully implemented. This is both an ethics problem and a legal exposure problem. Misrepresentations of compliance status can be the basis for breach-of-contract claims, common law fraud claims, and, in some circumstances, False Claims Act exposure where the misrepresentation relates to a federal program. See, e.g., Universal Health Services, Inc. v. United States ex rel. Escobar, 579 U.S. 176 (2016) (implied false certification theory under the FCA). Be precise.
Understating compliance posture. The opposite error is also common, particularly among technically strong organizations that are skeptical of compliance theater. An organization with a robust SRA, well-documented policies, strong technical controls, and a trained workforce should describe that program clearly and accurately. Sophisticated partners can tell the difference between a real program and a paper one, and they will not punish accurate self-description.
Confusing technical security with HIPAA compliance. HIPAA is a regulatory framework with specific document and process requirements. An organization can have excellent technical security and still be non-compliant if it lacks the required documentation, policies, BAAs, training records, and risk analysis methodology. Conversely, an organization can be HIPAA-compliant on paper while having weak technical security. The two need to align.
What This Means Practically
For an organization that has completed the build-out described in Parts 1 through 4 of this series:
• Develop a HIPAA Compliance Profile document, updated annually, that you can share with prospective partners
• Decide whether SOC 2 Type II or HITRUST certification is needed based on your target partnerships, and if so, build a multi-year roadmap with budget
• Build the ongoing compliance calendar — quarterly access reviews, annual training, annual SRA refresh, policy review schedule — and assign accountability for each
• Document recognized security practices adoption under 42 U.S.C. § 17941 as a mitigating-factor measure
• Maintain a vendor due diligence package ready to share under NDA
• Treat compliance as a function with permanent staffing and budget, not as a project
Closing Thoughts on This Series
HIPAA compliance for small healthcare organizations and the vendors that serve them is not as opaque as it sometimes appears. The regulation is specific about what is required, OCR has published extensive guidance, and a mature ecosystem of consultants, counsel, and platforms exists to help organizations build compliant programs.
What the regulation is not is easy. It requires real investment, real ongoing operational discipline, and real engagement from leadership. Organizations that approach it as a checkbox exercise produce programs that look good in marketing materials but fail in OCR investigations or, worse, fail to actually protect the patients whose information they hold. OCR's current enforcement posture — exemplified by the Risk Analysis Initiative, the December 2024 NPRM, and the resumed Phase 3 audit program — makes clear that checkbox compliance will not survive scrutiny.
The most valuable single piece of advice for any organization beginning this work: engage qualified healthcare counsel before making any other compliance investment. The threshold determination, the BAA strategy, the policy framework, and the risk allocation decisions that flow from these are legal questions with significant downstream operational implications. Getting them right at the outset is dramatically less expensive than fixing them later.
The five parts of this series are meant to give readers enough working knowledge to have productive conversations with their counsel and their consultants. They are not a substitute for those conversations. HIPAA is fact-specific, and every organization's program needs to be designed for its actual operations rather than assembled from a template.
Thank you for reading this series. Questions, corrections, and suggestions for future topics are welcome.
Selected Authorities and Resources
Statutory framework:
• Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191
• Health Information Technology for Economic and Clinical Health Act, Pub. L. 111-5, div. A, tit. XIII (HITECH Act)
• Pub. L. 116-321 (Jan. 5, 2021) (recognized security practices amendment), codified at 42 U.S.C. § 17941
Regulatory provisions:
• 45 C.F.R. Parts 160, 162, and 164 (HIPAA Administrative Simplification Rules)
• 45 C.F.R. §§ 164.400–164.414 (Breach Notification Rule)
• 45 C.F.R. § 164.316 (documentation requirements; six-year retention)
• 45 C.F.R. § 164.530(j) (Privacy Rule documentation retention)
• 45 C.F.R. § 102.3 (civil monetary penalty amounts, as adjusted)
• HHS Annual Civil Monetary Penalties Inflation Adjustment, 91 Fed. Reg. 3664 (Jan. 28, 2026)
Pending regulatory change:
• HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information, 90 Fed. Reg. 898 (Jan. 6, 2025) (proposed)
HHS/OCR guidance:
• OCR, Considerations for Implementing Recognized Security Practices, hhs.gov/hipaa/for-professionals/security/guidance/recognized-security-practices
• OCR, HIPAA Frequently Asked Questions, hhs.gov/hipaa/for-professionals/faq
• OCR, Resolution Agreements and Civil Money Penalties, hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements
• OCR, Cybersecurity Newsletter Archive, hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-archive
Industry and federal frameworks:
• HHS, Health Industry Cybersecurity Practices (HICP) (2023 ed.), 405(d) program at 405d.hhs.gov
• HHS, Healthcare and Public Health Sector Cybersecurity Performance Goals (Jan. 2024)
• NIST Cybersecurity Framework 2.0 (Feb. 2024)
• AICPA, Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (current edition)
• HITRUST CSF (current version, hitrustalliance.net)
• ISO/IEC 27001:2022, Information Security Management Systems — Requirements
Case authority:
• Universal Health Services, Inc. v. United States ex rel. Escobar, 579 U.S. 176 (2016)
• Upjohn Co. v. United States, 449 U.S. 383 (1981)