All posts

HIPAA or HITRUST compliance

5 min read

HIPAA or HITRUST compliance

Here are a few things you should already have in place if you're targeting HIPAA or HITRUST compliance:

Identity & Access Management
MFA enforced across all systems, SSO preferred. Role-based access with least privilege. Offboarding processes that revoke access within 24 hours across all systems, including partners where you're still managing access manually.

Encryption
Data encrypted at rest and in transit using well-established protocols. Key management decisions documented.

Logging and Monitoring
Centralized log aggregation, a defined log retention policy, and alerting on suspicious activity.

Vulnerability Management
Automated dependency scanning in the CI/CD pipeline, annual penetration testing, and defined remediation SLAs by severity.

Development Practice & Change Management
All code reviewed before merge. CI/CD with automated test coverage.

Incident Response Plan
Written plan with defined security levels, on-call coverage, post-mortem documentation, and customer notification SLAs.

Vendor Management
Full inventory of all sub-processors. Security review for critical vendors. BAA coverage for any vendor touching HIPAA data.

Hiring & Training
Background checks for all new hires. Annual security awareness training for the full company.

This is the bare minimum, but if you get this foundation right, you'll have a strong initial posture and a clear path toward SOC 2 or HITRUST certification when you're ready.

Written by Renata Pozhidaeva