HIPAA / HITECH
Privacy, security, and breach notification rules for Protected Health Information (PHI) in the United States.
Covered entities (providers, health plans, clearinghouses) and their Business Associates.
Safeguard is itself a Business Associate; HIPAA assurance package available under NDA.
What HIPAA actually requires.
These are the obligations a regulated entity owes — the things an assessor or supervisor will ask about.
Administrative, physical, and technical safeguards per the Security Rule (164.308 / 164.310 / 164.312).
Business Associate Agreements (BAA) before sharing PHI with vendors.
Risk analysis and management documented per 164.308(a)(1)(ii)(A).
Breach notification within 60 days of discovery; HHS portal notice for breaches affecting 500+.
Encryption of PHI at rest and in transit, or a documented equivalent alternative measure (encryption is an addressable specification under the Security Rule).
Workforce access controls with role-based scoping and termination revocation.
Pre-mapped controls. Continuous evidence.
Each requirement above is bound to live telemetry — not screenshots. The mapping below is what your auditor or regulator sees.
Continuous mapping of every Safeguard-collected PHI flow to the Security Rule control set.
BAAs templated and signed for every Safeguard customer touching PHI.
Encryption-at-rest and TLS 1.3 in transit with HSM-backed key management as default.
Access reviews exportable on demand with role and PHI-scope visibility.
Breach timeline reconstruction tooling for the 60-day window — auto-generated incident summary.
Artifacts your auditor accepts.
Each evidence artifact is signed and timestamped. Auditors can verify integrity without trusting Safeguard.
Risk analysis document (164.308(a)(1)(ii)(A)) generated quarterly.
BAA registry with active counterparties.
PHI access audit logs with quarterly review attestations.
Encryption posture report by data classification.
Breach-readiness tabletop exercise records.
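The claim above, that an auditor can check an evidence artifact without trusting the producer, rests on a simple pattern: the producer hashes the evidence payload, stamps it with a generation time, and signs that metadata with a key whose public half the auditor obtained separately (for example alongside the BAA paperwork). The auditor then needs only the envelope, the payload and that public key. The Go program below is an added illustration of that pattern written for this page; it is not Safeguard's code or format, and the envelope field names, the Ed25519 choice and the sample payload are all assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// EvidenceArtifact is the metadata an auditor needs to tie one piece of
// evidence to a control. Field names are assumptions for this example.
type EvidenceArtifact struct {
	Control     string `json:"control"`      // Security Rule citation, e.g. "164.308(a)(1)(ii)(A)"
	Title       string `json:"title"`        // human-readable artifact name
	GeneratedAt string `json:"generated_at"` // RFC 3339 UTC timestamp
	BodySHA256  string `json:"body_sha256"`  // hex SHA-256 of the evidence payload
}

// SignedArtifact is the envelope handed to the auditor: the metadata plus an
// Ed25519 signature over its canonical JSON encoding.
type SignedArtifact struct {
	Artifact  EvidenceArtifact `json:"artifact"`
	PublicKey []byte           `json:"public_key"`
	Signature []byte           `json:"signature"`
}

// canonical produces the exact bytes that get signed. encoding/json emits
// struct fields in declaration order, so the encoding is deterministic.
func canonical(a EvidenceArtifact) ([]byte, error) { return json.Marshal(a) }

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// SignArtifact is the producer side: hash the payload, stamp the time,
// sign the canonical metadata.
func SignArtifact(priv ed25519.PrivateKey, control, title string, body []byte, now time.Time) (SignedArtifact, error) {
	art := EvidenceArtifact{
		Control:     control,
		Title:       title,
		GeneratedAt: now.UTC().Format(time.RFC3339),
		BodySHA256:  sha256Hex(body),
	}
	msg, err := canonical(art)
	if err != nil {
		return SignedArtifact{}, err
	}
	return SignedArtifact{
		Artifact:  art,
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, msg),
	}, nil
}

// VerifyArtifact is the auditor side. trustedPub must come from an
// out-of-band channel, never from the envelope itself, otherwise a forged
// envelope could simply carry its own key. Nothing here touches the
// producer's systems.
func VerifyArtifact(trustedPub ed25519.PublicKey, sa SignedArtifact, body []byte, now time.Time, maxAge time.Duration) error {
	if !trustedPub.Equal(ed25519.PublicKey(sa.PublicKey)) {
		return errors.New("envelope key does not match the trusted key")
	}
	msg, err := canonical(sa.Artifact)
	if err != nil {
		return err
	}
	if !ed25519.Verify(trustedPub, msg, sa.Signature) {
		return errors.New("signature invalid: metadata altered or not signed by producer")
	}
	if sha256Hex(body) != sa.Artifact.BodySHA256 {
		return errors.New("payload hash mismatch: evidence body altered after signing")
	}
	ts, err := time.Parse(time.RFC3339, sa.Artifact.GeneratedAt)
	if err != nil {
		return fmt.Errorf("bad timestamp: %w", err)
	}
	if ts.After(now.Add(time.Minute)) {
		return errors.New("timestamp is in the future")
	}
	if now.Sub(ts) > maxAge {
		return errors.New("artifact older than the review window")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample payload standing in for a quarterly risk analysis export.
	body := []byte("risk_id,asset,likelihood,impact\nR-1,ehr-db,medium,high\n")
	now := time.Date(2024, 4, 1, 9, 0, 0, 0, time.UTC)
	sa, err := SignArtifact(priv, "164.308(a)(1)(ii)(A)", "Quarterly risk analysis", body, now)
	if err != nil {
		panic(err)
	}
	window := 90 * 24 * time.Hour
	fmt.Println("intact:", VerifyArtifact(pub, sa, body, now.Add(time.Hour), window))
	body[0] ^= 1 // flip one bit of the evidence after signing
	fmt.Println("tampered:", VerifyArtifact(pub, sa, body, now.Add(time.Hour), window))
}
```

The verifier deliberately checks four independent things: that the key in the envelope is the one the auditor already trusts, that the metadata signature holds, that the payload still hashes to the signed digest, and that the generation time is plausible for the review period. Any one failing is enough to reject the artifact.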
One evidence base. Many regulators.
These frameworks share substantial control overlap with HIPAA. Customers running one assessment typically satisfy the others with the same evidence base.
HITRUST CSF (North America): The HITRUST Common Security Framework — certification widely used to satisfy HIPAA, NIST, and ISO 27001 in healthcare.
SOC 2 Type II (North America): The Trust Services Criteria attestation that has become the de facto B2B SaaS security baseline globally.
ISO/IEC 27001:2022 (Cross-jurisdictional): The global Information Security Management System standard, updated in 2022 with 93 Annex A controls in four themes.
GDPR (European Union): The EU's General Data Protection Regulation — the global gravity well of privacy law since 2018.
Ready for HIPAA?
Bring the framework. We'll walk the controls with you — section by section, evidence packet by evidence packet, with the regulators you actually have to answer to.