HIP, HIPAA, HOORAY! Drata is Now HIPAA Compliant

Drata is now compliant with HIPAA, the federal law for patient health protection in the U.S. Read how and why our team prioritized HIPAA.

by Alev Viggio

August 10, 2022

At Drata, we know that having a holistic approach to your security program is essential to maintaining trust. Whether it’s SOC 2, FFIEC, or one of the many others, our customers need to adhere to a variety of compliance frameworks, standards, or regulations and need their partners to meet them too.

It’s just one of the reasons why Drata is now compliant with HIPAA (Health Insurance Portability and Accountability Act), the federal law for patient health protection in the U.S.

How Does HIPAA Impact Drata?

Contrary to popular belief, HIPAA compliance isn’t solely designated for hospitals. There are two main groups that must comply with HIPAA—covered entities and business associates. 

Covered entities include either a health plan, healthcare clearinghouse, or healthcare provider.

Business associates, by contrast, are defined as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a covered entity.” An example of a business associate could be an insurance provider or a security and compliance automation company like Drata.

And PHI isn’t just about specific health data like blood type; it’s actually much broader. For example, all of the information listed below is considered PHI:

  • Names

  • Birthdates

  • Gender

  • Addresses

  • Telephone numbers

With thousands of customers in wide-ranging industries, including healthcare, it’s important for us to keep trust at the forefront of our partnerships by adhering to the same expectations and standards as they do. 

Not to mention, healthcare organizations have had the highest average cost of a data breach for the past 11 years, so implementing the appropriate controls and policies to protect PHI has never been more critical.

Results of the HIPAA Audit

The results of our HIPAA audit showed no findings, meaning there were no issues or concerns with the technical safeguards in place to protect PHI, or with the policies and procedures governing its use. Because we met every requirement as a business associate for HIPAA’s security rule, we’ve achieved the highest level of PHI protection possible.

What Does This Mean for Drata Customers? 

Having already achieved SOC 2 compliance and ISO 27001 certification, we were confident we met the controls necessary for HIPAA—but that confidence isn’t enough. 

We made a choice to specifically test for HIPAA controls to show tangible proof of our compliance. With the constant evolution of threats to our data, it’s imperative for our customers (and Drata) to show evidence of a healthy security posture.

Drata is committed to continuously achieving the highest privacy and security standards for all of our customers. We walk the security walk because earning and maintaining trust is one of our core values.

The Power of Drata

Drata was designed to save companies time preparing for the audit process and maintain compliance long after it’s completed—and we’re committed to proving that by using our platform for our own compliance journey.

Because of overlapping controls with SOC 2 and ISO 27001, we were able to reduce the amount of time spent preparing for the HIPAA audit and eliminate the stress of pursuing HIPAA compliance manually. And with our automated continuous control monitoring, we know the real-time state of our security posture to ensure we maintain HIPAA compliance over time.

Trust and Transparency

In addition to HIPAA compliance, Drata has achieved SOC 2 Type 2 (covering all 5 Trust Services Criteria) compliance again in its second year in business, as well as SOC 3. We’ve also obtained SOC 1 Type 2 attestation, adhering to the highest standards, which supports management, investors, auditors, and customers in evaluating internal controls over financial reporting.

With trust and transparency at the center of everything we do, the results of our audits are available on our Trust Center.

Alev Viggio
Alev is the Compliance Director at Drata and has over 15 years of experience in global regulatory and compliance requirements. She oversees Drata’s compliance and privacy programs. Alev is a CISA, ISO 27001 Certified Lead Auditor, Certified Third-Party Risk Professional (CTPRP), Certified Quality Improvement Associate (ASQ) with expertise in SOC 2, ISO 27001, HIPAA, HITRUST, Sarbanes Oxley Section 404 Compliance, and third-party risk management assessments.