US clients. Health data. Trust.
HIPAA: the compliance your US clients require
HIPAA (Health Insurance Portability and Accountability Act) is the US federal law on health data. If your company handles health data on behalf of American clients — life science, software, language services, hosting — you are a Business Associate, and the obligations arrive by contract. AtWorkStudio supports you with a Security Rule gap analysis, technical measures and a management system certified to ISO/IEC 27001, 27017, 27018 and ISO 9001.
What is your cyber maturity level?
Find out in 15 minutes with our assessment based on the NIST Cybersecurity Framework 2.0 — the same language your American clients speak. The results are a concrete starting point to understand how close you are to the Security Rule requirements.
106 questions · Instant report · No commitment
What HIPAA requires from your company
Business Associate Agreement
Administrative safeguards
Technical safeguards
Physical safeguards
Breach notification
Minimum necessary
The journey to HIPAA compliance
Security Rule gap analysis
Implementation and infrastructure
ISO 27001 certifications
HIPAA frequently asked questions
Answers to the most common questions about HIPAA compliance for Italian companies with US clients.
HIPAA (Health Insurance Portability and Accountability Act) is the US federal law protecting individually identifiable health information, known as protected health information (PHI). It applies to American Covered Entities — healthcare providers, health plans, clearinghouses — and to their Business Associates: anyone who creates, receives, maintains or transmits PHI on their behalf, wherever they are located. An Italian company handling health data for US clients takes on the obligations contractually, through the Business Associate Agreement, and passes them on to its own subcontractors.
It is the contract HIPAA mandates between a Covered Entity and a Business Associate, and downstream towards subcontractors handling PHI. It defines the permitted uses of the data, the security safeguards, the obligation to report breaches and incidents, the conditions for engaging subcontractors and the return or destruction of data at the end of the relationship. It must be signed before any health data starts flowing.
HIPAA certification does not exist — for anyone: the Department of Health and Human Services does not recognise any official certification, and the attestations offered on the market are private and have no regulatory value. What we do is bring the method of our management system, certified to ISO/IEC 27001, 27017, 27018 and ISO 9001, to the HIPAA terrain: risk analysis, technical controls, documented evidence. We are not a law firm: the BAA is negotiated by the parties' lawyers — we prepare the infrastructure and the evidence that contract requires.
It depends on your starting maturity. For an organisation already running an ISO 27001 system, most of the controls required by the Security Rule are in place: the work is the mapping (using NIST SP 800-66 Rev. 2), closing the specific gaps and preparing the evidence — as a rough indication, weeks rather than years. Starting from scratch, the journey is longer and is best approached as building a security system, not as a one-off formality.
No. HIPAA imposes no data localisation: the HHS cloud computing guidance allows storage outside the US, provided there is a BAA with the cloud provider and the risks are covered by the risk analysis. For an Italian company, hosting in European data centres is often the most sensible choice, as it also simplifies GDPR compliance. Data residency remains a contractual choice to define with the client. To learn more, read our in-depth article on HIPAA for Italian companies.
The proposed revision published in the Federal Register on 6 January 2025 (NPRM) is the first substantial change since 2013: mandatory multi-factor authentication, encryption of ePHI at rest and in transit, removal of the distinction between “required” and “addressable” specifications, a technology asset inventory with a data flow map and an annual compliance review. The final rule is expected in the course of 2026: it pays to design against the proposed requirements today.
Your US clients are asking for guarantees: take the first step
Contact us for dedicated HIPAA compliance consulting. We will guide you from the gap analysis to the due diligence evidence, with a concrete, no-surprises approach.