Track Privacy Rule, Security Rule, and Breach Notification requirements with plain-English checklists built for healthtech and digital health teams.
10-day free trial · No credit card required · Setup in 3 minutes
HIPAA applies to covered entities and their business associates — any company that creates, receives, or handles Protected Health Information (PHI). There are three primary rules you must comply with.
The Privacy Rule sets standards for how PHI can be used and disclosed. It covers patient rights, the minimum necessary standard, and permissible disclosures without authorisation.
The Security Rule requires administrative, physical, and technical safeguards for electronic PHI (ePHI). It covers access controls, encryption, audit trails, and workforce training.
The Breach Notification Rule requires notification to affected individuals and HHS within 60 days of discovering a PHI breach. Large breaches also require media notification.
Business Associate Agreements (BAAs) are required with all vendors who access or process PHI on your behalf: cloud providers, EHRs, analytics platforms, and more.
A risk analysis is a thorough, accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
All workforce members who handle PHI must receive HIPAA training appropriate to their role and responsibilities.
Instead of navigating the HHS guidance documents alone, Complara gives you a structured checklist covering every Privacy Rule, Security Rule, and Breach Notification requirement — in language your engineering team can act on.
Every HIPAA requirement mapped to actionable tasks. Know exactly what policies to write, what technical controls to implement, and what BAAs to sign.
Attach your BAAs, risk analysis documentation, training records, and security policies directly to each checklist item.
Assign Privacy Rule items to your legal team, Security Rule items to engineering, and training requirements to HR — all tracked in one place.
Generate a HIPAA readiness export to share with healthcare enterprise customers or during OCR audits.
Healthcare startups often need HIPAA alongside SOC 2 for SaaS security assurance and GDPR for EU patient data. Complara covers all three in one platform.
HIPAA applies to covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates: companies that create, receive, maintain, or transmit PHI on behalf of covered entities. If you build healthtech software that touches patient data, you're likely a business associate.
The Privacy Rule governs use and disclosure of PHI. The Security Rule requires safeguards for electronic PHI. The Breach Notification Rule requires notifying affected parties within 60 days of a breach.
Fines range from $100 to $50,000 per violation, with an annual maximum of $1.9 million per violation category. Criminal penalties apply for wilful neglect.
Covered entities are required to designate a Privacy Official and a Security Official. Business associates are not explicitly required to, but it's strongly recommended as best practice.
Privacy Rule, Security Rule, Breach Notification — all covered with plain-English checklists and evidence storage built in.