HIPAA Security Rule Assessment — CertPro CPA LLC | Licensed CPA Firm
HIPAA Security Rule Assessment by an Independent Audit Firm

CertPro conducts HIPAA Security Rule assessments covering administrative, physical, and technical safeguards in accordance with the HIPAA Security Rule. The assessment evaluates control design and conformity for business associates, with findings documented in a formal assessment report based on evidence gathered during the engagement. Every engagement is structured, evidence-based, and conducted by credentialed professionals.

[Assessment overview graphic: a four-phase process (1) kick-off, ePHI scope definition and BA relationship confirmation; (2) evidence access and initial safeguard documentation review; (3) gap clarification and safeguard control assessment; (4) formal assessment report compilation and issuance. Conducted by credentialed (CISA) auditors against the Security Rule; 300+ engagements, 100% independent audit engagements.]
What is HIPAA

The Federal Law Governing Protected Health Information

HIPAA stands for the Health Insurance Portability and Accountability Act, federal legislation enacted in the United States in 1996. In practice it establishes national standards for the protection of Protected Health Information (PHI) and electronic PHI (ePHI), governing how covered entities and business associates collect, store, transmit, and disclose health information. Enforcement is carried out by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) through audits, investigations, and civil monetary penalties.

HIPAA compliance is a legal obligation for covered entities and their business associates. There is no official government-issued HIPAA certification program. Compliance is demonstrated through documented controls, risk assessments, and operational evidence that safeguards are implemented and functioning.

The HITECH Act of 2009 significantly expanded HIPAA by extending direct liability to business associates, strengthening enforcement, and introducing mandatory breach notification requirements. CertPro conducts independent HIPAA Security Rule assessments for business associates, evaluating administrative, physical, and technical safeguards against the applicable regulatory requirements. Findings are documented in a formal assessment report, providing an independent, evidence-based view of conformity with HIPAA Security Rule obligations.

The Security Rule

Establishes national standards for protecting ePHI through required and addressable administrative, physical, and technical safeguards under 45 CFR Part 164 (Subpart C).

Administrative Safeguards

45 CFR 164.308 covers the security management process (including risk analysis and risk management), assigned security responsibility, workforce security, information access management, security awareness and training, security incident procedures, contingency planning, evaluation, and business associate contracts.

Physical Safeguards

45 CFR 164.310 covers facility access controls, workstation use, workstation security, and device and media controls to protect the physical environment where ePHI is stored or accessed.

Technical Safeguards

45 CFR 164.312 covers access control, audit controls, integrity controls, person or entity authentication, and transmission security to protect ePHI stored in or transmitted through electronic information systems.

The Breach Notification Rule

Requires covered entities to notify affected individuals, HHS, and (for breaches involving more than 500 residents of a state or jurisdiction) prominent media outlets following a breach of unsecured PHI. Business associates must notify the covered entity of breaches they discover under 45 CFR 164.410.

Define Your Assessment Scope

Covered Entity and Business Associate: Understanding Your HIPAA Obligations

HIPAA defines separate obligations for covered entities and business associates. This classification determines the required controls and compliance scope. Violations in either category are subject to OCR enforcement. CertPro's assessment focuses on business associate compliance with the HIPAA Security Rule, with findings documented in a formal report.

Covered Entity

Healthcare Providers, Health Plans, and Clearinghouses

A covered entity is a healthcare provider that transmits PHI electronically in connection with covered transactions, a health plan, or a healthcare clearinghouse. Covered entities bear direct obligations under all three HIPAA rules and are the primary regulated parties under the statute.

Directly obligated under the Privacy Rule, Security Rule, and Breach Notification Rule
Must implement all required and addressable administrative, physical, and technical safeguards
Issues Notice of Privacy Practices and maintains patient rights procedures
Must execute Business Associate Agreements with every BA before sharing PHI
Notifies individuals, HHS, and media of breaches within defined statutory timeframes
Subject to direct OCR enforcement, audits, and civil monetary penalties for HIPAA violations
Business Associate

Organizations Handling PHI on Behalf of Covered Entities

A business associate is any organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Since the HITECH Act and Omnibus Rule, business associates are directly liable under HIPAA and subject to the same OCR enforcement and penalty tiers as covered entities.

Directly liable under HIPAA since the HITECH Act and Omnibus Rule
Must implement administrative, physical, and technical safeguards that are reasonable and appropriate, as required under 45 CFR 164.306
Must execute BAAs with covered entities and downstream subcontractors handling PHI
Must notify covered entities of discovered breaches without unreasonable delay
Subject to direct OCR enforcement and the same penalty tiers as covered entities
Includes technology providers, billing services, cloud storage vendors, and consultants handling ePHI
Engagement Methodology

Four Phases. Structured Process. Evidence-Based Throughout.

Every CertPro HIPAA assessment follows a structured four-phase process governed by the applicable requirements of the HIPAA Security Rule under 45 CFR Part 164.

Phase 1

Kick-off and Assessment Scoping

A 30-minute kick-off call confirms the assessment scope, PHI and ePHI processing activities, applicable HIPAA Security Rule safeguard categories, and engagement timeline. The organization's role as a business associate and categories of PHI handled are confirmed in writing. In-scope systems, locations, and workforce populations are defined before any evidence review begins.

Phase 2

Evidence Access and Initial Review

The client provides access to the evidence repository, including security policies, risk assessment records, BAAs, access control documentation, training records, incident response records, and physical security documentation. CertPro reviews documented safeguards against applicable HIPAA Security Rule requirements. A structured gap list is documented and shared for review.

Phase 3

Gap Clarification and Safeguard Assessment

A Zoom session reviews identified gaps collaboratively. Additional evidence is submitted or controls are demonstrated live. CertPro assesses implementation and operational effectiveness of all in-scope safeguards through interview, observation, document and record review. Each finding is documented with the applicable 45 CFR Part 164 regulatory reference, severity classification, and factual basis.

Phase 4

Report Compilation and Issuance

The formal HIPAA assessment report is compiled incorporating all findings and assessed safeguards from Phases 1 through 3. An independent internal QA review is completed before the draft is shared. The client receives a factual accuracy review window. The final assessment report is issued following completion of internal quality review and factual accuracy confirmation.

Readiness Assessment

Is Your Organization Ready for a HIPAA Security Rule Assessment?

The five areas below represent the most common gaps across CertPro's HIPAA assessment engagements for business associates. Each maps directly to HIPAA Security Rule requirements under 45 CFR Part 164.

164.308(a)(1)

Risk Analysis and Risk Management Documentation

A documented risk analysis under 45 CFR 164.308(a)(1) is mandatory and the most cited OCR deficiency. It must identify all ePHI systems, assess risks, and define a treatment plan. Template-based or undated analyses are material findings.

164.308(b) / 164.314(a)

Business Associate Agreements with All Applicable Parties

Executed Business Associate Agreements (BAAs) are required for all subcontractors handling ePHI. Requirements are governed by both administrative safeguards and organizational requirements under 45 CFR 164.308(b) and 164.314(a). Missing or incomplete agreements are common assessment findings.

164.312(a)

Access Controls

Access control under 45 CFR 164.312(a) requires unique user identification and an emergency access procedure, with automatic logoff and encryption/decryption as addressable specifications; the provisioning and termination procedures that feed it sit in the administrative safeguards at 164.308(a)(3) and (a)(4). Logs, periodic access reviews, and deprovisioning records are assessed. Shared or undocumented access is a common finding.
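As an added illustration (not CertPro's tooling and not language from the regulation), the following Python script performs the kind of access review a business associate might run to produce evidence for this area: it flags logins not tied to exactly one named workforce member, accounts still active after the owner's termination date, and active accounts that nobody uses. The account list, termination roster, field names, the one-day deprovisioning grace period and the 90-day dormancy threshold are constructed assumptions for the example; the section citations attached to each finding are the provisions such a finding would typically be written against.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Constructed example data and field names; not taken from any client record.
AS_OF = date(2024, 6, 30)


@dataclass(frozen=True)
class Account:
    user_id: str
    owners: tuple[str, ...]     # workforce members who use this login; exactly one expected
    active: bool
    last_login: date | None


@dataclass(frozen=True)
class Finding:
    user_id: str
    issue: str
    citation: str               # 45 CFR section the finding would be written against


def review_access(accounts, terminations, as_of=AS_OF,
                  deprov_grace_days=1, dormant_days=90):
    """Return findings for shared, un-deprovisioned and dormant logins.

    `terminations` maps a workforce member's name to their termination date.
    The grace period and dormancy threshold are assumed policy values.
    """
    findings = []
    for acct in accounts:
        # 164.312(a)(2)(i) unique user identification: one login, one person.
        if len(acct.owners) != 1:
            findings.append(Finding(
                acct.user_id,
                f"not assigned to exactly one workforce member (owners={list(acct.owners)})",
                "164.312(a)(2)(i)"))
        # 164.308(a)(3)(ii)(C) termination procedures: access ends when the person leaves.
        terminated = False
        for owner in acct.owners:
            term = terminations.get(owner)
            if term is not None and acct.active and as_of - term > timedelta(days=deprov_grace_days):
                terminated = True
                findings.append(Finding(
                    acct.user_id,
                    f"still active {(as_of - term).days} days after {owner} left on {term}",
                    "164.308(a)(3)(ii)(C)"))
        # 164.308(a)(1)(ii)(D) information system activity review: a live login nobody
        # uses should surface in review. Skipped when the termination finding covers it.
        if acct.active and not terminated and (
                acct.last_login is None
                or as_of - acct.last_login > timedelta(days=dormant_days)):
            findings.append(Finding(acct.user_id, "active but dormant", "164.308(a)(1)(ii)(D)"))
    return findings


# Constructed sample population covering each case the review should catch.
ACCOUNTS = [
    Account("jdoe", ("Jane Doe",), True, date(2024, 6, 28)),                    # clean
    Account("ops-shared", ("Jane Doe", "Raj Patel"), True, date(2024, 6, 29)),  # shared login
    Account("mlee", ("Mei Lee",), True, date(2024, 4, 2)),                      # owner has left, still active
    Account("svc-backup", (), True, None),                                      # no named owner, never used
    Account("tkim", ("Tom Kim",), False, date(2024, 1, 15)),                    # disabled: nothing to report
]
TERMINATIONS = {"Mei Lee": date(2024, 4, 5)}


def run_example():
    """Run the review over the constructed sample; returns four findings."""
    return review_access(ACCOUNTS, TERMINATIONS)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.user_id:<12} {f.citation:<22} {f.issue}")
```

In practice the account list would be exported from the identity provider or application and the termination roster from HR, and the script's output, together with the export timestamps, becomes the access-review record an assessor asks for. The thresholds are policy choices; what the reviewer checks is that a documented value exists and that the records show it being applied.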

164.308(a)(5)

Workforce Security Awareness and Training Records

Training under 45 CFR 164.308(a)(5) must cover all workforce members with ePHI access. Records must be current, complete, and documented. Missing or outdated training is a recurring gap.

164.308(a)(6)

Security Incident Procedures

Procedures under 45 CFR 164.308(a)(6) must define how security incidents are identified, documented, and managed. Auditors review incident logs, response actions, and evidence of incident handling processes. Breach notification obligations for business associates are governed separately under 45 CFR 164.410.

[Readiness dashboard graphic. Readiness score shown as 0/100 before assessment, based on a review across HIPAA Security Rule safeguard categories under 45 CFR Part 164; four areas require additional evidence before formal assessment commencement. Category scores displayed: Administrative Safeguards (45 CFR 164.308) 68%; Physical Safeguards (45 CFR 164.310) 82%; Technical Safeguards (45 CFR 164.312) 75%; Business Associate Agreements (45 CFR 164.314) 71%; Breach Notification Procedures (45 CFR 164.400) 74%.

Gap findings shown (4 open):
Risk Analysis (164.308(a)(1)): documented risk analysis not current or does not cover all ePHI systems
Workforce Training Records (164.308(a)(5)): security training records incomplete across in-scope workforce members
Subcontractor BAAs (164.308(b)): Business Associate Agreements not executed with all subcontractors handling ePHI
Breach Response Procedures (164.314(a)(2)): breach notification timeline to the covered entity not defined in documented procedures]
300+ engagements. 12+ years active. 25+ countries.
Why CertPro

Independent Assessment. Formal Report.
Evidence-Based Approach.

Six principles govern how CertPro conducts every HIPAA Security Rule assessment engagement, from scoping through final report issuance. These commitments are structural, documented in every engagement file, and applied consistently across all organizations assessed against the HIPAA Security Rule under 45 CFR Part 164.

Assessment Independence and Objectivity

CertPro does not provide security policy drafting, safeguard implementation support, or advisory services to organizations it assesses. A pre-engagement independence check is documented for every engagement without exception. Assessment conclusions are derived solely from objective evidence reviewed during the current engagement.

Assessed Against the HIPAA Security Rule

Every CertPro HIPAA compliance assessment is conducted against the applicable provisions of 45 CFR Part 164, with findings documented by regulatory reference. The formal assessment report documents conformity observations based exclusively on evidence gathered during the engagement.

Evidence-Based Safeguard Assessment

Every assessment conclusion is supported by sufficient and appropriate objective evidence. Administrative, physical, and technical safeguards are assessed through interview, observation, document and record review.

Credentialed Assessment Team

Every HIPAA Security Rule assessment is led by professionals with demonstrated expertise in healthcare information security and the applicable requirements of 45 CFR Part 164, supported by CISA-certified information systems auditors with sector experience across health technology, healthcare SaaS, and medical device environments.

Structured Communication Throughout

Assessment findings are communicated in precise, unambiguous language at every stage. Each finding is documented with the applicable 45 CFR Part 164 regulatory reference, severity classification, factual basis, and specific evidence reviewed.

Globally Trusted

HIPAA Security Rule assessments by CertPro signal trusted handling of protected health information. Audit-driven evaluation supports consistent acceptance of our reports by enterprise customers and healthcare stakeholders.

Frequently Asked Questions

HIPAA Compliance: Questions We Hear Most

What is HIPAA and who does it apply to?

HIPAA stands for the Health Insurance Portability and Accountability Act, enacted in 1996. HIPAA applies to covered entities, including healthcare providers transmitting PHI electronically, health plans, and healthcare clearinghouses, and to business associates who create, receive, maintain, or transmit PHI on their behalf. Since the HITECH Act and Omnibus Rule, business associates are directly liable under HIPAA and subject to the same OCR enforcement as covered entities.

What counts as a HIPAA violation?

A HIPAA violation is any impermissible use or disclosure of PHI, failure to implement required Security Rule safeguards, failure to execute required BAAs, or failure to provide required breach notifications within statutory timeframes. HIPAA violations are subject to civil monetary penalties under a tiered structure, adjusted periodically for inflation by the U.S. Department of Health and Human Services. Business associates must notify the covered entity of a breach of unsecured PHI without unreasonable delay, and no later than 60 calendar days after discovery, under 45 CFR 164.410.

Are business associates regulated directly?

Since the HITECH Act and Omnibus Rule, business associates are directly subject to OCR enforcement under the HIPAA Security Rule and Breach Notification Rule. They also have specific Privacy Rule obligations as defined in their business associate agreements. Their obligations are, however, narrower than those of covered entities.

What does a CertPro HIPAA assessment cover?

A CertPro HIPAA assessment covers control design and conformity across all three Security Rule safeguard categories under 45 CFR Part 164. Administrative safeguards include the risk analysis, risk management process, workforce security, access management, training, incident procedures, contingency planning, and BAAs. Physical safeguards cover facility access, workstation use and security, and device and media controls. Technical safeguards address access control, audit controls, integrity controls, person or entity authentication, and transmission security for ePHI.

Is there an official HIPAA certification?

There is no official government-issued HIPAA certification program. HIPAA compliance is a regulatory obligation enforced by OCR through audits and investigations. Organizations demonstrate compliance through documented safeguard implementation, risk assessments, workforce training, and operational evidence.

How does a HIPAA assessment relate to SOC 2 and ISO 27001?

SOC 2 examines security controls against the AICPA Trust Services Criteria and is frequently required by enterprise technology buyers alongside HIPAA compliance for healthcare SaaS organizations. ISO/IEC 27001:2022 provides a certifiable information security management framework that supports the administrative and technical safeguard requirements of the HIPAA Security Rule. Organizations often pursue a HIPAA assessment alongside ISO 27001 and SOC 2 engagements to satisfy the full range of customer and regulatory assurance requirements.

Discuss Your HIPAA Compliance Assessment

Speak with a credentialed auditor to confirm your assessment scope, applicable Security Rule safeguard categories, and the evidence requirements relevant to your ePHI processing activities.

Client Feedback

"Thank you for the professionalism demonstrated throughout the audit engagements. The SOC 2 assessments conducted over the prior and current periods were managed in a structured and organized manner. The audit team maintained clear communication and responsiveness during the engagement. Overall, the experience reflected a well-coordinated and professionally executed audit process."

— Dena Fredman, Operation Manager, Altahq
Get Started Today

Begin Your Compliance Audit with a Licensed CPA Firm.

Schedule a 30-minute scoping call with a credentialed auditor. We will identify the right framework, discuss audit scope and outline a clear path based on your current state.

Licensed CPA firm, peer review enrolled.