Privacy, security, and breach notification rules for Protected Health Information (PHI) in the United States.
Covered entities (healthcare providers, health plans, healthcare clearinghouses) and their Business Associates, the vendors that create, receive, maintain, or transmit PHI on a covered entity's behalf.
Safeguard is itself a Business Associate; HIPAA assurance package available under NDA.
These are the obligations a regulated entity owes — the things an assessor or supervisor will ask about.
Administrative, physical, and technical safeguards per the Security Rule (45 CFR 164.308, 164.310, and 164.312 respectively).
Business Associate Agreements (BAA) before sharing PHI with vendors.
Risk analysis documented per 164.308(a)(1)(ii)(A), and the risk management measures that follow from it per 164.308(a)(1)(ii)(B).
Breach notification to affected individuals without unreasonable delay and no later than 60 calendar days after discovery; breaches affecting 500 or more individuals are also reported to HHS through its breach portal on the same timeline (and to prominent media outlets), while smaller breaches are logged to HHS annually, within 60 days of the end of the calendar year.
Encryption of PHI at rest (164.312(a)(2)(iv)) and in transit (164.312(e)(2)(ii)). Both are addressable specifications: an entity that does not implement them must document why, and implement an equivalent alternative where reasonable and appropriate. Note that PHI encrypted in line with HHS guidance is not "unsecured PHI", so its loss does not trigger the breach notification rule, which is the strongest practical reason to treat encryption as required rather than optional.
Workforce access controls with role-based scoping (164.308(a)(4) information access management) and revocation on termination (164.308(a)(3)(ii)(C)).
Each requirement above is bound to live telemetry, not screenshots. The mapping below is what your auditor or regulator sees.
Continuous mapping of every Safeguard-collected PHI flow to the Security Rule control set.
BAAs templated and signed for every Safeguard customer touching PHI.
Encryption-at-rest and TLS 1.3 in transit with HSM-backed key management as default.
Access reviews exportable on demand with role and PHI-scope visibility.
Breach timeline reconstruction tooling for the 60-day window, with an auto-generated incident summary. The clock starts at discovery, which the rule defines as the first day the breach is known, or by reasonable diligence would have been known, to the entity or any of its workforce or agents, so the reconstruction has to establish that date, not just the date the incident was declared.
Each evidence artifact is signed and timestamped, so auditors can verify its integrity and the time it was produced without trusting Safeguard.
Risk analysis document (164.308(a)(1)(ii)(A)) generated quarterly.
BAA registry with active counterparties.
PHI access audit logs with quarterly review attestations.
Encryption posture report by data classification.
Breach-readiness tabletop exercise records.
These frameworks share substantial control overlap with HIPAA. Customers running one assessment typically satisfy the others with the same evidence base.
HITRUST CSF (North America): The HITRUST Common Security Framework, a certification widely used to satisfy HIPAA, NIST, and ISO 27001 requirements in healthcare.
SOC 2 (North America): The Trust Services Criteria attestation that has become the de-facto B2B SaaS security baseline globally.
ISO/IEC 27001 (Cross-jurisdictional): The global Information Security Management System standard, updated in 2022 with 93 Annex A controls in four themes.
GDPR (European Union): The EU's General Data Protection Regulation, the global gravity well of privacy law since it began to apply in 2018.
Bring the framework. We'll walk the controls with you — section by section, evidence packet by evidence packet, with the regulators you actually have to answer to.