Two main rule sets
Most SaaS Business Associates focus on Security Rule compliance. Privacy Rule responsibilities typically flow back to the Covered Entity (your customer).
Security Rule mapping
The Security Rule has 18 standards across 3 categories. Codex maps each to live evidence:Administrative safeguards (§ 164.308)
Physical safeguards (§ 164.310)
Technical safeguards (§ 164.312)
Business Associate Agreements (BAAs)
Every vendor that touches PHI on your behalf needs a signed BAA. Codex tracks BAA status alongside vendor metadata:- BAA signed: ✓ with date, version, expiration
- BAA pending: ✓ with vendor, requester, target sign-by date
- BAA not required: ✓ with justification (vendor never sees PHI)
What HIPAA doesn’t have (vs SOC 2 / ISO)
- No formal certification — you can’t get “HIPAA certified” by an external auditor; you self-attest. This makes Codex evidence even more important: it’s the only artifact proving you actually do what you claim.
- No prescribed audit cadence — but you should run an annual internal review and publish a SOC 2 + HITRUST or ISO 27001 + HIPAA mapping for serious healthcare buyers.
Recommended layered approach
If you’re selling into healthcare:- Year 1: SOC 2 Type II + HIPAA Security Rule attestation. Most healthcare buyers accept this combo.
- Year 2: Add HITRUST CSF certification (a healthcare-specific compliance framework that maps to HIPAA + ISO + SOC 2 + state laws). Codex’s existing evidence mostly carries over.
- Year 3: ISO 27001 if you sell internationally.
When you’re ready
Reports → HIPAA security rule attestation outputs:- Per-standard implementation evidence
- BAA inventory
- Risk assessment + risk register
- Incident response history
- Workforce training completion