HIPAA

US law · $10K–$60K · varies

Controls: HIPAA Security, Privacy, and Breach Notification Rules
Recertification: No certificate; ongoing legal obligation
Oversight: US Dept. of Health & Human Services (OCR)
Common gaps: Risk analysis, BAAs, access controls, encryption
Related: HITRUST CSF, SOC 2 Type 2
Public registry: HHS.gov ↗

What is HIPAA?

HIPAA is a US law governing how protected health information (PHI) is handled. It is a legal obligation, not a certification, so there is no official HIPAA certificate.

Is HIPAA a certification or an attestation?

Neither — HIPAA compliance is a legal requirement. Vendors typically demonstrate it via a third-party HIPAA assessment, often bundled with SOC 2.

Who needs HIPAA?

Any company that creates, receives, stores, or transmits PHI — health-tech vendors and their sub-processors (business associates).

What does it cost and how long does it take?

A third-party HIPAA assessment is often scoped alongside SOC 2; cost depends on overlap and the size of the PHI environment.

Sources

HHS HIPAA ↗

Other frameworks buyers ask about

SOC 2 Type 2$15K–$400K · 6–15 months SOC 2 Type 1$10K–$150K · 4–10 weeks ISO 27001$15K–$120K · 3–12 months PCI DSS$15K–$200K · 3–9 months GDPRVaries · ongoing FedRAMP$250K+ · 12–24 months HITRUST CSF$40K–$200K · 6–18 months CMMC$25K–$200K+ · 6–18 months NIST CSFNo cert · ongoing