RiskWatch

For Covered Entities + Business Associates + Multi-Entity Health Systems

One platform for Privacy Rule, Security Rule, and Breach Notification across every entity.

Healthcare organizations face a uniquely complex HIPAA stack: the Privacy Rule, Security Rule, Breach Notification Rule, the BA cascade under §164.308(b), HITECH Act expansions, 21st Century Cures + ONC information-blocking, plus state-specific overlays (Texas HB 300, NY SHIELD). RiskWatch handles all of it as one survey-based assessment platform sized for Privacy + Security Officers running multi-facility covered entities and 100+ BA relationships.

Trusted by hospitals, health systems, BAs, and multi-entity covered entities managing the Privacy + Security + Breach Rules, the BA cascade, OCR audits, NIST 800-66 implementation, and HITRUST certification across acute care, ambulatory, lab, payer, and life-sciences environments.

Customers include Aon, Johnson & Johnson, Pfizer, Bose, Iberdrola USA, and Puma North America.

Ratings: G2 Crowd 4.8 (126+ reviews) · Capterra 4.7 (84+ reviews) · Gartner Peer Insights 4.8 (Voice of the Customer)

Why Privacy + Security Officers Pick RiskWatch

RiskWatch turns Privacy, Security, Breach, and the BA cascade into one program.

RiskWatch runs the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, BA cascade, HITECH expansions, NIST 800-66 r2, HITRUST CSF v11, and state health-data overlays as one program on one platform, scored against the same controls library, and tracked through a single OCR-ready evidence trail. Built for Privacy + Security Officers where one team covers every facility, every BA relationship, and every audit cycle, without enterprise-bank GRC overhead.

Privacy + Security + Breach in one library

Privacy Rule §164.500 series, Security Rule §164.300 series, and Breach Notification §164.400 series are cross-mapped. Risk analysis, MOC, training, sanction, and incident workflows share one evidence set, with no parallel binders.

BA cascade tracked end to end

§164.308(b)(2) subcontractor BAAs are tracked alongside Tier-1 BAAs. The BAA cascade tracker shows expiring agreements, missing subcontractor BAAs, and the chain of accountability OCR holds you responsible for.

Multi-entity + multi-facility built in

Designated Health Care Component (HCC) hybrid entities, OHCAs, and multi-facility hospital systems run Privacy + Security + Breach posture per entity with rollup to the consolidated dashboard. White-glove implementation in 30 days.

The HIPAA Regulatory Landscape

HIPAA enforcement keeps escalating. The numbers prove it.

OCR collected $144.9M+ in HIPAA settlements 2009–2023 with the Right of Access Initiative driving 50+ enforcement actions. The proposed Security Rule update (released Dec 2024) is the first major Security Rule modification since 2013, adding mandatory MFA, encryption, network segmentation, and BA cybersecurity attestation. State laws are layering: Texas HB 300 amendments, NY SHIELD, California CMIA. Each regulator wants its own evidence package, and the BA cascade keeps growing as health systems adopt 100+ SaaS vendors per facility.

  • $144.9M+: total OCR HIPAA settlements 2009–2023, with the Right of Access Initiative driving 50+ actions
  • Dec 2024: HHS proposed Security Rule update, the first major change since 2013
  • §164.308(b)(2): subcontractor BAA cascade; OCR holds the covered entity responsible
  • 800-66 r2: NIST implementation guidance for the HIPAA Security Rule (Feb 2024)

Three Domains, One Platform

HIPAA risk lives in three concrete domains

RiskWatch covers all three. Each domain has a dedicated workflow, scoring model, and remediation queue. They share data so a single risk analysis satisfies §164.308(a)(1), the NIST 800-66 r2 implementation specification, and the HITRUST CSF requirement simultaneously.

Risk

PHI + BA + Vendor Risk

Survey-based risk analysis across PHI flows, BA relationships, vendor cybersecurity posture, and the §164.308(b) cascade.

  • PHI inventory captured
  • BA register maintained
  • Vendor cyber posture scored
Compliance

Privacy + Security + Breach

Privacy Rule (Subpart E), Security Rule (Subpart C), Breach Notification Rule (Subpart D), HITECH Act, 21st Century Cures + ONC, state laws cross-mapped.

  • Privacy Rule §164.500 series
  • Security Rule §164.300 series
  • Breach Rule §164.400 series
Audit

OCR + NIST 800-66 + HITRUST

OCR audit-ready evidence, NIST 800-66 r2 implementation, HITRUST CSF v11 certification, and ISO 27001 + 27799 cross-mapping.

  • OCR-ready packages on demand
  • NIST 800-66 r2 implementation
  • HITRUST CSF v11 mapping

45 CFR §164.308(b) · BAA Cascade Spotlight

Tier-1 BAAs aren't enough. OCR holds you responsible for the cascade.

§164.308(b)(2) makes BA subcontractors directly liable to the covered entity. When a Tier-2 vendor (Stripe via Twilio, AWS via Epic) processes PHI without a BAA, OCR comes back to you. The BAA Cascade tracker maintains the agreement chain through Tier-2 + Tier-3 subcontractors, surfaces expiring renewals 90 days out, and flags missing subcontractor BAAs before the next OCR investigation finds them.

Sample BAA cascade view (45 CFR §164.308(b)): BAAs and subcontractor BAAs across all tiers. OCR enforcement treats a missing subcontractor BAA as a Tier 3 violation.

  • Covered Entity: Regional Health System (CE)
  • Business Associate: Epic (EHR vendor) · Active (2024) · renews 2026-08-15 · Current
  • Business Associate: Datadog (monitoring) · Active (2025) · renews 2027-03-20 · Current
  • Business Associate: Twilio (patient SMS) · Expires 2026-06-01 · renews 2026-06-01 · Expiring
  • Subcontractor BAA: AWS (via Epic), §164.308(b)(2) · Confirmed · renewal cascaded from the Epic BAA · Current
  • Subcontractor BAA: Stripe (via Twilio) · Not on file · action required · Missing

Summary: 47 BAAs current · 2 expiring · 1 missing subcontractor BAA · §164.308(b)(2) covered.

The Coverage Gap

Most HIPAA software covers one rule

Privacy compliance vendors handle Privacy. Security platforms cover the Security Rule. Breach notification tools handle incidents. Vendor management handles BAs. Each does one job. Privacy + Security Officers still operate four parallel programs.

Platform Category             | Examples                       | Privacy | Security | Breach  | BA cascade | HITRUST | Multi-entity
Privacy Compliance Vendors    | Compliancy Group, Accountable  | Yes     | Partial  | Partial | Partial    | ·       | ·
Healthcare Security Platforms | Clearwater, Censinet           | Partial | Yes      | Partial | Partial    | Partial | Partial
Generic GRC                   | ServiceNow GRC, Archer         | Partial | Partial  | Partial | Partial    | ·       | Partial
BAA Management Tools          | Onspring, Whistic              | ·       | ·        | ·       | Yes        | ·       | Partial
HITRUST Specialty             | HITRUST MyCSF                  | Partial | Partial  | ·       | ·          | Yes     | ·
Spreadsheets & Email          |                                | ·       | ·        | ·       | ·          | ·       | ·
RiskWatch                     | The unified OCR-ready platform | Yes     | Yes      | Yes     | Yes        | Yes     | Yes

(· indicates no coverage shown.)

RiskWatch is the only platform covering all six HIPAA compliance domains: Privacy Rule, Security Rule, Breach Notification, the BA cascade, HITRUST CSF, and multi-entity coordination. Privacy vendors handle Privacy. Security platforms cover the Security Rule. BAA tools handle vendors. Each does one job. RiskWatch unifies all six in one survey-based assessment workflow.

How It Works

One platform. Continuous compliance across every rule.

RiskWatch is a survey-based assessment platform. The work is structured around questionnaires that capture Privacy, Security, and Breach posture in a consistent format; the responses are then scored against every framework you align to.

For HIPAA, that workflow runs continuously across the Privacy Rule, Security Rule, Breach Notification Rule, the BA cascade under §164.308(b), HITECH expansions, NIST 800-66 r2, HITRUST CSF v11, and state-specific overlays. A single risk analysis scores against §164.308(a)(1), the corresponding NIST 800-66 r2 implementation specification, and the HITRUST CSF requirement simultaneously.

The same platform runs all of it, surfaces gaps before OCR arrives, assigns remediation owners, and tracks completion. It replaces the Privacy tool, the Security platform, the BAA spreadsheet, and the breach-notification binder.

The Workflow

  1. Assess
     Survey-based questionnaires capture Privacy, Security, and Breach posture across every facility, BA relationship, and PHI flow.
  2. Score
     Responses score against your chosen framework: Privacy Rule, Security Rule, Breach Notification Rule, NIST 800-66 r2, HITRUST CSF v11, ISO 27001:2022 + 27799:2016, or custom.
  3. Remediate
     Gaps become assigned tasks. Owners get deadlines. BA, subcontractor, and third-party tasks cascade to the supplier portal automatically.
  4. Audit
     Evidence trails export to PDF, OCR investigation format, NIST 800-66 r2 implementation map, HITRUST submission, or breach-notification packet. OCR-ready in minutes.

Built For Your Role

Who uses RiskWatch in a healthcare organization

Chief Privacy Officer

Owns enterprise Privacy Rule compliance, Notice of Privacy Practices, Right of Access requests, and OCR-facing privacy posture.

Privacy Rule §164.500 series scoring continuous. Right of Access SLA tracked. Disclosures accounting live. OCR investigation response ready in hours.

HIPAA Security Officer

Owns the Security Rule (45 CFR 164 Subpart C), NIST 800-66 r2 implementation, and the technical safeguards across every facility.

All Security Rule standards scored. NIST 800-66 r2 implementation map live. Risk analysis §164.308(a)(1) refreshed annually. Encryption + MFA evidence captured.

Compliance + Audit Lead

Owns OCR audits, internal compliance audits, HITRUST certification, and multi-state regulatory reporting (Texas HB 300, NY SHIELD).

OCR audit-ready packages on demand. HITRUST CSF v11 mapped. State-law overlays tracked. Multi-entity rollup to consolidated dashboard.

BA + Vendor Risk Lead

Owns the BA register, BAA cascade under §164.308(b), and the vendor cybersecurity posture for 100+ SaaS + clinical-system vendors.

BA register live. Subcontractor BAA cascade tracked. Renewal calendar surfaces 90 days out. Vendor cyber posture scored continuously.

Risk Manager

Owns the §164.308(a)(1) risk analysis, enterprise risk register, and the cross-functional Privacy + Security risk reviews.

Risk analysis refreshed annually. Risk register live. Treatment plans tracked. PHI flow mapped. Threat-source + likelihood scoring continuous.

Breach + Incident Response Lead

Owns the §164.402 breach assessment, OCR notification timelines, individual notifications, and media notifications when applicable.

Breach assessment workflow live. OCR notification timelines tracked. Individual + media + HHS notifications generated. Post-breach corrective action tracked.

Built For Your Segment

Healthcare segments we serve

Hospitals + Health Systems

Acute care + multi-facility health systems running Privacy + Security + Breach across hospitals, clinics, ambulatory surgery centers, and home health.

Health Plans + Payers

Commercial, Medicare Advantage, Medicaid, and self-funded health plans running Privacy + Security + Breach plus state-specific insurance regulator overlays.

Diagnostic + Reference Labs

Clinical labs, reference labs, pathology + diagnostic imaging running CLIA-aware Privacy + Security + Breach with 21st Century Cures + ONC information-blocking.

Business Associates

EHR vendors, RCM companies, billing services, IT/MSP providers, and SaaS vendors running BA-side Privacy + Security + Breach with subcontractor cascade visibility.

Pharmacies + PBMs

Retail pharmacies, mail-order, specialty pharmacy, and PBMs running HIPAA + state board + DEA + 340B overlays.

Pharma + Life Sciences

Pharma manufacturers, biotechs, CROs running HIPAA-relevant patient-data flows + FDA + ICH-GCP + multi-jurisdiction overlays.

Frameworks We Cover

HIPAA frameworks built into the library

RiskWatch ships with pre-built libraries for every major US health-data regulation + recommended practice + industry standard. Map controls once. Score against the framework that matters this audit cycle.

Regulatory Frameworks

HIPAA Privacy Rule
45 CFR 164 Subpart E, uses + disclosures, Notice of Privacy Practices, Right of Access, accounting of disclosures.
HIPAA Security Rule
45 CFR 164 Subpart C, administrative, physical, technical safeguards for ePHI. Proposed Dec 2024 update mandates MFA + encryption + segmentation.
HIPAA Breach Notification
45 CFR 164 Subpart D, breach assessment, individual + HHS + media notifications, BA-to-CE notification timelines.
HITECH Act
Health Information Technology for Economic and Clinical Health Act, expanded HIPAA enforcement, BA direct liability, breach notification.
21st Century Cures + ONC
ONC information-blocking rule (45 CFR 171) and 21st Century Cures interoperability requirements, distinct from HIPAA but cross-affecting Privacy.
State Health-Data Laws
Texas HB 300 (broader than HIPAA), NY SHIELD Act, California CMIA + AB 352, Massachusetts 201 CMR 17, state-specific overlays tracked per facility.

Industry + Implementation Frameworks

NIST 800-66 Rev 2
Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide (Feb 2024), the federal implementation playbook integrated into the library.
HITRUST CSF v11
Health-industry common-security framework cross-mapping HIPAA, ISO 27001, NIST 800-53, PCI DSS, certification-grade evidence shared.
NIST CSF 2.0
Cybersecurity Framework 2.0 (Feb 2024), outcome-based mapping of HIPAA Security Rule to Govern / Identify / Protect / Detect / Respond / Recover.
NIST 800-30 Rev 1
Guide for Conducting Risk Assessments, the methodology behind §164.308(a)(1)(ii)(A) risk analysis.
ISO 27001:2022 + 27799:2016
ISMS standard with the 2022 Annex A plus ISO 27799 health-informatics extension, international hospital networks running both.
AHIMA / HIMSS
American Health Information Management Association + Healthcare Information and Management Systems Society, health-info-management leading practices.

Trusted by 1,500+ risk and compliance teams

Aon
Bose
The Coca-Cola Company
Iberdrola USA
Johnson & Johnson
Pfizer
Puma North America
SeaWorld Entertainment
TE Connectivity
We had Privacy in one binder, Security in a SharePoint site, BAAs in an Excel spreadsheet, and breach response in a PDF runbook. Now it's one platform. Privacy + Security + Breach scoring, BAA cascade tracking, NIST 800-66 r2 implementation, and HITRUST CSF cross-mapping all run from the same evidence vault. Our last OCR investigation produced two compliance recommendations instead of nine, and we cleared HITRUST i1 in 11 weeks.
D. Esposito
Chief Privacy Officer + HIPAA Security Officer, Regional health system · 5,800 employees · 11 facilities · 140 Business Associates
4 → 1: tools consolidated to one platform
9 → 2: OCR investigation findings on most recent review
11 weeks: from kickoff to HITRUST i1 cleared

See RiskWatch run a Privacy + Security + Breach cycle live

30-minute walkthrough of the HIPAA library, your facility + BA inputs, and the OCR-ready evidence-trail output. No slideware, no consulting upsell.

Or call US: +1 941-500-4525
