Framework library / HIPAA
Data & Security · regulatory framework
HIPAA — Health Insurance Portability and Accountability Act.
US health-data law — every vendor touching PHI needs a BAA and documented oversight.
What it is
HIPAA’s Privacy and Security Rules protect PHI. Covered entities and business associates must execute Business Associate Agreements (BAAs) with every vendor that touches PHI, conduct risk analyses, and maintain documentation for six years — including the vendor-oversight records regulators request after an incident.
Who it applies to
Healthcare providers, plans, clearinghouses — and every SaaS, lab, logistics or manufacturing partner acting as a business associate.
The evidence auditors expect
- Executed BAAs for every PHI-touching vendor
- Security risk analysis and remediation records
- Vendor security documentation and review records
- Six-year documentation retention with retrievability
How ComplianceFlow keeps you ready
- BAAs and vendor security documents are tracked per vendor with expiry and renewal monitoring
- Reviews and exceptions carry their full trail, satisfying documentation retention requirements
- Incident-time vendor evidence is an export, not an archaeology project
Related frameworks
See HIPAA evidence assemble itself.
ComplianceFlow keeps a living copy of HIPAA mapped to your suppliers, products and evidence — so what you must prove is always current, and always exportable.
Book a demo Get the audit checklist
TraceR2C