At Drata, we know that having a holistic approach to your security program is essential to maintaining trust. Whether it’s SOC 2, FFIEC, or one of the many others, our customers need to adhere to a variety of compliance frameworks, standards, or regulations and need their partners to meet them too. It’s just one of the reasons why Drata is now compliant with HIPAA (Health Insurance Portability and Accountability Act), the federal law for patient health protection in the U.S.
How Does HIPAA Impact Drata?
Contrary to popular belief, HIPAA compliance isn’t solely designated for hospitals. There are two main groups that must comply with HIPAA—covered entities and business associates.
Covered entities include either a health plan, healthcare clearinghouse, or healthcare provider. Whereas business associates are defined as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a covered entity.” An example of a business associate could be an insurance provider or a security and compliance automation company like Drata.
And PHI isn’t just about specific health data like blood type; it’s actually much broader. For example, the information listed below are all considered PHI:
- Telephone numbers
With thousands of customers in wide-ranging industries, including healthcare, it’s important for us to keep trust at the forefront of our partnerships by adhering to the same expectations and standards as they do.
Not to mention, healthcare organizations have had the highest average cost of a data breach for the past 11 years, so implementing the appropriate controls and policies to protect PHI has never been more critical.
Results of the HIPAA Audit
The results of our HIPAA audit showed no findings, meaning that there were no issues, or concerns with having technical safeguards in place as well as the policies and procedures for its use that protect PHI. Because we met every requirement as a business associate for HIPAA’s security rule, we’ve achieved the highest level of PHI protection possible.
What Does This Mean for Drata Customers?
Having already achieved SOC 2 compliance and ISO 27001 certification, we were confident we met the controls necessary for HIPAA—but that confidence isn’t enough.
We made a choice to specifically test for HIPAA controls to show tangible proof of our compliance. With the constant evolution of threats to our data, it’s imperative for our customers (and Drata) to show evidence of a healthy security posture. Drata is committed to continuously achieving the highest privacy and security standards for all of our customers. We walk the security walk because earning and maintaining trust is one of our core values.
The Power of Drata
Drata was designed to save companies time preparing for the audit process and maintain compliance long after it’s completed—and we’re committed to proving that by using our platform for our own compliance journey.
Because of overlapping controls with SOC 2 and ISO 27001, we were able to reduce the amount of time spent preparing for the HIPAA audit and eliminate the stress of pursuing HIPAA compliance manually. And with our automated continuous control monitoring, we know the real-time state of our security posture to ensure we maintain HIPAA compliance over time.
Trust and Transparency
In addition to HIPAA compliance, Drata has achieved SOC 2 Type 2 (covering all 5 Trust Services Criteria) compliance again in its second year in business as well as SOC 3. We’ve also obtained SOC 1 Type 2 attestation, adhering to the highest standards which supports management, investors, auditors, and customers evaluate internal controls over financial reporting. With trust and transparency at the center of everything we do, the results of our audits are available on our Trust Center.
More Blog Posts
Subscribe & receive the latest content.
Subscribe & receive the latest content.
Get Started Today
Close more sales and build trust faster while eliminating the hundreds of hours of manual work that used to go into maintaining your SOC 2 report and ISO 27001 certification.