Skip to main content
HIPAA covers protected health information (PHI) for any company that’s a Covered Entity (most healthcare providers, insurers, clearinghouses) or a Business Associate (SaaS vendors processing PHI on behalf of a Covered Entity). If your customers are healthcare orgs and your product touches PHI, you’re a Business Associate and HIPAA applies.

Two main rule sets

Most SaaS Business Associates focus on Security Rule compliance. Privacy Rule responsibilities typically flow back to the Covered Entity (your customer).

Security Rule mapping

The Security Rule has 18 standards across 3 categories. Codex maps each to live evidence:

Administrative safeguards (§ 164.308)

Physical safeguards (§ 164.310)

Technical safeguards (§ 164.312)

Business Associate Agreements (BAAs)

Every vendor that touches PHI on your behalf needs a signed BAA. Codex tracks BAA status alongside vendor metadata:
  • BAA signed: ✓ with date, version, expiration
  • BAA pending: ✓ with vendor, requester, target sign-by date
  • BAA not required: ✓ with justification (vendor never sees PHI)
When your customer asks for your BAA inventory, Reports → BAA report outputs a current snapshot.

What HIPAA doesn’t have (vs SOC 2 / ISO)

  • No formal certification — you can’t get “HIPAA certified” by an external auditor; you self-attest. This makes Codex evidence even more important: it’s the only artifact proving you actually do what you claim.
  • No prescribed audit cadence — but you should run an annual internal review and publish a SOC 2 + HITRUST or ISO 27001 + HIPAA mapping for serious healthcare buyers.
If you’re selling into healthcare:
  1. Year 1: SOC 2 Type II + HIPAA Security Rule attestation. Most healthcare buyers accept this combo.
  2. Year 2: Add HITRUST CSF certification (a healthcare-specific compliance framework that maps to HIPAA + ISO + SOC 2 + state laws). Codex’s existing evidence mostly carries over.
  3. Year 3: ISO 27001 if you sell internationally.
Codex tracks all three in parallel without duplicate work — controls that satisfy multiple frameworks are tagged once and counted across each report.

When you’re ready

Reports → HIPAA security rule attestation outputs:
  • Per-standard implementation evidence
  • BAA inventory
  • Risk assessment + risk register
  • Incident response history
  • Workforce training completion
This is what your customer’s procurement/security team will ask for during their vendor risk review.