NEW WHITE PAPER: See how Prevalent TPRM Platform capabilities map to specific compliance requirements!

HIPAA Security Rule Compliance

Complying with HIPAA Security Rule Requirements

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996, but over the past two decades its scope has grown considerably in the form of legislative updates and enforcement actions. In its broadest terms, the purpose of HIPAA is to improve efficiency in the healthcare industry; to improve the portability of health insurance; to protect the privacy of patients and health plan members; and to ensure health information is kept secure and patients are notified of breaches of their health data.

HIPAA and Third-Party Risk Management

HIPAA states that the electronically stored Protected Health Information (ePHI) that an organization creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. The HIPAA Security Rule sets forth general rules around security standards, including administrative, technical, and physical safeguards. Organizational requirements and documented policies and procedures round out the legislative specifications.

The assessment, analysis, and management of risk - including risk posed by third parties - provides the foundation of HIPAA Security Rule compliance efforts. HIPAA requires vendor contracts to include privacy and security assurances. Conducting risk assessments and continuous monitoring enables your organization to evaluate vendor readiness to comply with these security expectations and protect patient ePHI.

Relevant Requirements

The following HIPAA Rules apply to third-party risk management:

  • The HIPAA Privacy Rule defines Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.”
  • The HIPAA Security Rule deals specifically with safeguarding electronically stored PHI (ePHI).

White Paper: Satisfying Compliance with Third-Party Risk Management Requirements

Discover the key third-party risk management requirements in common regulatory and security frameworks, and learn how the Prevalent Third-Party Risk Management Platform maps to specific mandates enabling you to achieve compliance while mitigating vendor risk. 

Read Now

Meeting HIPAA Security Rule Third-Party Risk Management Requirements

Here's how Prevalent can help you address HIPAA third-party risk management requirements:

Health Insurance Portability and Accountability Act (HIPAA) Security Rule

HIPAA Security Rule 45 CFR Parts 160, 162, and 164 – Health Insurance Reform: Security Standards; Final Rule How Prevalent Helps

Security Management Process 
Administrative Safeguards
(§ 164.308(a)(1))

(A) Risk analysis (REQUIRED)

"A covered entity or business associate must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”


Prevalent offers security, privacy, and risk management professionals an automated platform to manage the third-party risk assessment process and determine compliance with IT security, regulatory, and data privacy requirements. It employs both standard and custom questionnaires to help collect evidence and provides bi-directional remediation workflows, live reporting, and an easy-to-use dashboard for efficiency. With clear reporting and remediation guidance, the platform ensures that risks are identified, analyzed, and escalated to the proper channels.


Security Management Process
Administrative Safeguards
(§ 164.308(a)(1))

(B) Risk management (REQUIRED)

Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.”


The Prevalent TPRM Platform unifies internal control-based assessments (based on industry standard framework questionnaires or on custom questionnaires) with continuous vendor threat monitoring to deliver a holistic security risk rating enabling organizations to zero-in on the most important or impactful risks. 

The platform includes built-in workflow capability enabling assessors to interact efficiently with third parties during the due diligence collection and review periods. 

The platform includes continuous cyber and business risk review and analysis that can be performed at any time – during or between control-based assessments – providing an updated view of important cyber security risks and business developments that could impact risks. 


Security Management Process
Administrative Safeguards
(§ 164.308(a)(1))

(D) Information system activity review (REQUIRED)

“Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”


The Prevalent Third-Party Risk Management platform includes reporting to satisfy audit and compliance requirements, as well as to present findings to the board and senior management. The entire risk profile can be viewed in the centralized live reporting console, and reports can be downloaded and exported to determine compliance status. Deep reporting capabilities include filters and click-through interactive charts. The solution includes a complete repository of all documentation collected and reviewed during the diligence process, with specific regulatory compliance and security framework reporting.


Business Associate Contracts and Other Arrangements
(§ 164.308(b)(1))

“A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.”


The Prevalent Assessment service simplifies compliance and reduces risk with automated collection, analysis, and remediation of vendor surveys using industry standard and custom surveys.

Policies and procedures and documentation requirements
(§ 164.316(b)(1))

“Standard: Documentation

  • (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and 
  • (ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.


The Prevalent Assessment service captures and audits conversations and matches documentation or evidence against risks. Visually appealing and coherent dashboards provide a clear overview of tasks, schedules, risk activities, survey completion status, agreements, and associated documents.

The Prevalent Difference

Prevalent’s Third-Party Risk Management Platform enables you to meet HIPAA requirements with a complete framework for reducing risk stemming from suppliers and vendors. Our Assessment service enables you to efficiently conduct risk assessments with comprehensive workflow and remediation management capabilities. Vendor tiering and customizable surveys enable you to manage, assess and score vendors according to the risk they present and their importance to the business. This is backed by flexible reporting capabilities that deliver the information you need to effectively communicate with various stakeholders across the organization.