Question 1

Are you a US-based HIPAA assessor?

Accepted Answer

No. We are a UK-incorporated consultancy and assess against the HIPAA Security Rule using the published OCR and HHS guidance and the audit protocol the OCR uses for its own enforcement. Most of our HIPAA engagements to date have been for organisations that act as Business Associates to US Covered Entities — SaaS vendors, BPOs, research partners, clinical-trial support firms.

Question 2

Who has to comply with HIPAA?

Accepted Answer

In US healthcare: Covered Entities (health plans, healthcare clearinghouses, healthcare providers transmitting health information electronically) and their Business Associates (any person or entity performing work involving access to protected health information on behalf of a Covered Entity). The Privacy Rule, Security Rule, and Breach Notification Rule all apply to both, though some provisions differ between them.

Question 3

What does it mean to be a UK Business Associate?

Accepted Answer

If you are a UK organisation that handles ePHI on behalf of a US Covered Entity — typically as a contracted vendor — you are a Business Associate under HIPAA. Your customer (the Covered Entity) is required to have a Business Associate Agreement with you, and you must comply with the parts of HIPAA the BAA flows down. The Privacy Rule applies in modified form; the Security Rule applies in full to ePHI you handle.

Question 4

What is a Business Associate Agreement?

Accepted Answer

A BAA is the contract that allocates HIPAA obligations between a Covered Entity and its Business Associate, and between BAs and their subcontractor BAs. It must cover specific terms set out in §164.504(e) — permitted uses and disclosures, safeguards, breach notification, subcontractor flow-down, and termination provisions. Customers will typically not engage you without a signed BAA.

Question 5

What is the relationship between HIPAA and UK GDPR?

Accepted Answer

They are independent legal regimes. UK GDPR applies to personal data of individuals in the UK; HIPAA applies to ePHI handled in the course of US healthcare operations. UK Business Associates handling ePHI typically fall under UK GDPR for the personal-data overlap and HIPAA for the ePHI specifics. We design programmes that cover both efficiently rather than running parallel programmes.

Question 6

How does HIPAA enforcement reach UK organisations?

Accepted Answer

The Office for Civil Rights (OCR) at HHS investigates HIPAA complaints and breaches. UK Business Associates can be named in OCR investigations and resolution agreements where their actions contributed to a breach. The OCR&rsquo;s reach to a UK organisation flows commercially: your Covered Entity customer will require remediation and may terminate. The fines for the Covered Entity can be substantial.

Question 7

Do we need a HIPAA-specific certification?

Accepted Answer

There is no official HIPAA "certification" — the HHS does not certify any specific assessor or scheme. What customers want is evidence that you have run a current risk analysis under §164.308(a)(1)(ii)(A) and that your safeguards address the findings. Our assessment report is built to that standard. Some customers also accept HITRUST, but HITRUST is a separate scheme with its own cost.

Question 8

How does HIPAA relate to ISO 27001?

Accepted Answer

Heavily overlapping at the technical level — access control, audit logging, encryption, incident response, supplier management. Organisations certified to ISO 27001:2022 are typically well-placed on HIPAA technical safeguards. The gaps tend to be in the HIPAA-specific administrative requirements (workforce sanctions, BAA flow-down, contingency plan documentation) and in the documentation format auditors expect.

Question 9

Do we need Penetration Testing for HIPAA?

Accepted Answer

The Security Rule does not name "Penetration Testing" as a required control, but §164.308(a)(1)(ii)(B) ("risk management") and §164.308(a)(8) ("evaluation") expect you to demonstrate that safeguards work. Annual Penetration Testing is the typical evidence — and is something most Covered Entity customers will ask for in their supplier security questionnaires. We deliver these as CREST-aligned engagements.

Question 10

How long does a first HIPAA assessment take?

Accepted Answer

For a UK organisation new to HIPAA, plan 8–14 weeks end-to-end: 3–5 weeks risk analysis, 2–4 weeks safeguards gap assessment, and a buffer for documentation work. Smaller organisations or those already mature on ISO 27001 compress to 6–8 weeks. Subsequent annual reassessments are faster — typically 4–6 weeks.

HIPAA Security Rule assessments for UK service providers.

What is HIPAA?

What we do

Risk analysis (§164.308(a)(1)(ii)(A))

Safeguards review and gap report

BAA review and support

Remediation and ongoing support

How a HIPAA engagement runs

Scoping call

Risk analysis

Safeguards gap assessment

Remediation support

Annual reassessment

The three Security Rule safeguard categories

Why 1 Sequence Cyber

PCI SSC-listed QSAC

CREST DPT alignment

Frequently asked questions

Ready for your HIPAA assessment?