Healthcare Compliance Requirements: HIPAA, SOC 2, and Beyond
Healthcare organizations face a complex web of compliance requirements that extends far beyond HIPAA. From SOC 2 and HITRUST to state-level privacy laws, the regulatory landscape for healthcare in 2026 demands a multi-framework approach that protects patient data while enabling modern care delivery.
This guide breaks down every major compliance framework that healthcare organizations need to understand, with practical steps for implementation and common pitfalls to avoid.
Why Healthcare Compliance Is More Complex Than Other Industries
Healthcare sits at the intersection of multiple regulatory domains. A typical hospital system must comply with federal health privacy laws, state data breach notification requirements, payment card standards for billing, and cybersecurity frameworks required by their insurers.
The stakes are high. The average cost of a healthcare data breach reached $10.93 million in 2023, according to IBM's Cost of a Data Breach Report. That figure has remained the highest across all industries for 13 consecutive years.
Three factors make healthcare compliance uniquely challenging:
- Protected Health Information (PHI) is everywhere. Unlike financial data that lives in defined systems, PHI flows through EHRs, billing platforms, email, fax machines, mobile devices, and even paper charts.
- The workforce is diverse and distributed. Nurses, physicians, administrators, contractors, and volunteers all handle sensitive data with varying levels of technical sophistication.
- Legacy systems persist. Many healthcare organizations run medical devices and software that cannot be patched or updated, creating permanent security gaps that must be managed through compensating controls.
HIPAA: The Foundation of Healthcare Compliance
The Health Insurance Portability and Accountability Act remains the cornerstone regulation (see our full HIPAA compliance guide) for any organization that handles PHI. HIPAA applies to covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates.
Key HIPAA Rules
The Privacy Rule establishes standards for who can access PHI and under what circumstances. It requires organizations to implement policies for minimum necessary use and disclosure, to honor patients' rights to access and amend their records, and to publish a notice of privacy practices. (Breach notification is governed by the separate Breach Notification Rule below.)
The Security Rule focuses specifically on electronic PHI (ePHI) and requires three categories of safeguards:
- Administrative safeguards: Risk assessments, workforce training, access management policies, and contingency planning
- Physical safeguards: Facility access controls, workstation security, and device/media disposal procedures
- Technical safeguards: Access controls, audit logging, integrity controls, and transmission security
The Breach Notification Rule requires covered entities to notify affected individuals without unreasonable delay, and no later than 60 calendar days after a breach is discovered. Breaches affecting 500 or more individuals must also be reported to HHS within that same 60-day window and, when 500 or more residents of a single state or jurisdiction are affected, to prominent media outlets serving that area. Smaller breaches are logged and reported to HHS annually. A business associate that discovers a breach must notify the covered entity, which remains responsible for the individual notifications.
HIPAA Penalties in 2026
The Office for Civil Rights (OCR) enforces HIPAA with a tiered penalty structure:
| Tier | Knowledge Level | Penalty Per Violation | Annual Maximum |
|------|-----------------|-----------------------|----------------|
| 1 | Did not know (and could not reasonably have known) | $137 - $68,928 | $2,067,813 |
| 2 | Reasonable cause, not willful neglect | $1,379 - $68,928 | $2,067,813 |
| 3 | Willful neglect, corrected within 30 days | $13,785 - $68,928 | $2,067,813 |
| 4 | Willful neglect, not corrected | $68,928 minimum | $2,067,813 |

Two caveats when budgeting against this table. First, the amounts are adjusted annually for inflation under the Federal Civil Penalties Inflation Adjustment Act; the figures above are from the 2023 adjustment, so check the current Federal Register notice for the in-force values. Second, OCR's 2019 Notice of Enforcement Discretion applies lower annual caps to Tiers 1 through 3 ($25,000, $100,000 and $250,000 before inflation adjustment), reserving the full cap for uncorrected willful neglect.
Criminal penalties, enforced by the Department of Justice rather than OCR, scale with intent: up to $50,000 and one year for knowingly obtaining or disclosing PHI, up to $100,000 and five years when done under false pretenses, and up to $250,000 and 10 years for offenses committed with intent to sell or transfer PHI or to use it for commercial advantage, personal gain, or malicious harm.
SOC 2 for Healthcare Organizations

While HIPAA is mandatory, many healthcare organizations pursue SOC 2 compliance to demonstrate broader security practices to partners, insurers, and enterprise customers.
SOC 2 evaluates an organization against five Trust Service Criteria:
- Security (required for all SOC 2 reports)
- Availability (critical for telehealth and EHR systems)
- Processing Integrity (important for billing and claims processing)
- Confidentiality (directly relevant to PHI protection)
- Privacy (aligns with HIPAA Privacy Rule requirements)
How SOC 2 Complements HIPAA
HIPAA tells healthcare organizations what to protect. SOC 2 provides a structured framework for proving how you protect it. Many controls overlap:
- HIPAA requires access controls; SOC 2's Security criterion requires logical and physical access restrictions
- HIPAA requires audit logging; SOC 2 requires monitoring and detection capabilities
- HIPAA requires risk assessments; SOC 2 requires formal risk assessment processes
HITRUST CSF: The Healthcare-Specific Framework
The HITRUST Common Security Framework was designed specifically for healthcare and incorporates requirements from HIPAA, NIST, ISO 27001, PCI DSS, and other standards into a single certifiable framework.
HITRUST Certification Levels
HITRUST offers three assessment levels as of 2026:
- HITRUST e1 (Essentials): 44 requirement statements covering fundamental cybersecurity practices. Certification is valid for 1 year. Best for small organizations or those beginning their compliance journey.
- HITRUST i1 (Implemented): 182 requirement statements demonstrating a mature, threat-adaptive security program. Certification is valid for 1 year. Provides reasonable assurance for moderate-risk environments.
- HITRUST r2 (Risk-based): The comprehensive assessment. The set of requirement statements is tailored to the organization's scoping factors (size, system complexity, regulatory exposure) and typically runs from a few hundred up to the full control library of roughly 2,000. Certification is valid for 2 years, but an interim assessment at the one-year mark is required to keep it in force. Required by many large health systems and payers.
HITRUST vs HIPAA
HITRUST is not a replacement for HIPAA. Rather, it provides a certifiable framework that includes all HIPAA requirements plus additional controls. Organizations use HITRUST certification to demonstrate HIPAA compliance in a standardized, third-party validated way.
The key difference: there is no such thing as HIPAA certification. HIPAA compliance is self-assessed and is only tested from outside through OCR investigations, audits, and breach enforcement. HITRUST certification requires a validated assessment performed by an authorized external assessor firm and then reviewed by HITRUST itself before a certification is issued.
PCI DSS for Healthcare Billing
Any healthcare organization that accepts credit or debit card payments must comply with the Payment Card Industry Data Security Standard. This applies to patient copays, online bill payment portals, and payment plans.
PCI DSS Requirements Relevant to Healthcare
PCI DSS v4.0 became the only active version of the standard on March 31, 2024, when v3.2.1 was retired; the requirements that had been future-dated became mandatory on March 31, 2025 (the current maintenance release is v4.0.1). The standard contains 12 requirements. The most relevant for healthcare:
- Requirement 3: Protect stored account data. Billing systems that store the primary account number (PAN) must render it unreadable wherever it is stored (truncation, tokenization, hashing, or strong cryptography with managed keys), limit retention under a documented policy, and must never retain sensitive authentication data such as the CVV after authorization. The simplest way to meet this is to keep the PAN out of your systems entirely by tokenizing at the payment processor.
- Requirement 6: Develop and maintain secure systems. Patient portals and billing applications must follow secure development practices.
- Requirement 8: Identify users and authenticate access. Shared and generic accounts on billing workstations are prohibited except under a documented, approved exception, and multi-factor authentication is required for all access into the cardholder data environment, not only for remote or administrative access.
- Requirement 12: Support information security with policies. Organizations need documented policies covering payment data handling.
State Privacy Laws Affecting Healthcare

As of 2026, 20 US states have enacted comprehensive data privacy laws. While most exempt HIPAA-covered data, several create additional obligations for healthcare organizations:
California (CCPA/CPRA)
The California Consumer Privacy Act applies to health data that falls outside HIPAA coverage, such as data collected by health apps, wellness programs, and direct-to-consumer genetic testing. Healthcare organizations with California patients must honor consumer deletion and opt-out requests for non-HIPAA data.
Washington (My Health My Data Act)
Washington's health privacy law, effective March 31, 2024 (June 30, 2024 for small businesses), applies broadly to "consumer health data" regardless of HIPAA coverage. It requires separate, affirmative consent for collection and for sharing of health data, prohibits geofencing around facilities that provide health services, and provides a private right of action through the state Consumer Protection Act, making it one of the strictest health privacy laws in the country.
Maryland (MODPA)
The Maryland Online Data Privacy Act took effect on October 1, 2025 and applies to processing activities from April 1, 2026. It imposes data minimization requirements stricter than most state laws (collection limited to what is reasonably necessary for the specific product or service) and prohibits the sale of sensitive data outright, a category that includes consumer health data.
New York (SHIELD Act)
New York's Stop Hacks and Improve Electronic Data Security Act requires any business holding private information of New York residents to implement "reasonable safeguards" and mandates breach notification to affected residents and to the state Attorney General. Organizations subject to and compliant with HIPAA are deemed compliant with the safeguards requirement, but the notification obligations to New York still apply on top of HIPAA's own.
ISO 27001 for Healthcare
ISO 27001 certification demonstrates that a healthcare organization has implemented a systematic Information Security Management System (ISMS). While not healthcare-specific, ISO 27001 provides an internationally recognized security standard.
Healthcare-Specific Benefits
- International recognition: Essential for healthcare organizations operating across borders or partnering with international research institutions
- Comprehensive scope: Covers information security management beyond just patient data
- Continuous improvement: The Plan-Do-Check-Act cycle ensures security practices evolve with emerging threats
- Supply chain confidence: Many pharmaceutical companies and medical device manufacturers require ISO 27001 from their partners
ISO 27001:2022 Controls for Healthcare
The 2022 revision consolidates Annex A into 93 controls across four themes (organizational, people, physical, and technological). Healthcare organizations should pay special attention to:
- A.5.34: Privacy and protection of personal information
- A.8.10: Information deletion (critical for patient data retention policies)
- A.8.11: Data masking (important for research and analytics use cases)
- A.8.12: Data leakage prevention (protecting PHI across channels)
NIST Cybersecurity Framework for Healthcare
The NIST Cybersecurity Framework (CSF) 2.0 provides a voluntary framework that many healthcare organizations adopt for several reasons:
- HHS references NIST controls in HIPAA Security Rule guidance
- Cyber insurance providers increasingly require NIST alignment
- The framework maps to HIPAA, making it a practical implementation guide
The Six NIST CSF 2.0 Functions
- Govern: Establish cybersecurity risk management strategy and policies
- Identify: Understand your assets, business environment, and risk exposure
- Protect: Implement safeguards for critical services
- Detect: Develop capabilities to identify cybersecurity events
- Respond: Plan and execute response activities
- Recover: Restore capabilities impaired by cybersecurity incidents
Building a Multi-Framework Compliance Program

Most healthcare organizations need to comply with multiple frameworks simultaneously. The key to managing this complexity is identifying control overlaps and building a unified compliance program.
Step 1: Map Your Regulatory Obligations
Start by identifying which frameworks apply to your organization:
| Organization Type | Required | Strongly Recommended |
|-------------------|----------|----------------------|
| Hospital/Health System | HIPAA, State Laws | HITRUST r2, NIST CSF |
| Telehealth Startup | HIPAA, State Laws | SOC 2, HITRUST i1 |
| Health IT Vendor | HIPAA (BAA), State Laws | SOC 2, HITRUST, ISO 27001 |
| Healthcare Billing | HIPAA, PCI DSS | SOC 2 |
| Research Institution | HIPAA, FERPA (if education) | NIST 800-171, ISO 27001 |
| Medical Device Manufacturer | FDA Cybersecurity, HIPAA | ISO 27001, NIST CSF |
Step 2: Identify Control Overlaps
A single access control policy can satisfy requirements across HIPAA, SOC 2, HITRUST, and ISO 27001. Map your controls to multiple frameworks to avoid duplicate work:
- Risk assessment: Required by HIPAA (45 CFR 164.308(a)(1)(ii)(A)), HITRUST, ISO 27001, NIST CSF, and SOC 2
- Encryption: Required by PCI DSS and ISO 27001 (A.8.24); an addressable specification under HIPAA, meaning you must implement it or document why an alternative measure is reasonable and equivalent, not that you may skip it
- Incident response: Required by the HIPAA Breach Notification Rule, the NIST CSF Respond function, and ISO 27001 A.5.24 through A.5.28
- Access controls: Required by every framework listed in this guide
Step 3: Implement a GRC Platform
For organizations juggling three or more frameworks, a Governance, Risk, and Compliance (GRC) platform becomes essential. These platforms:
- Maintain a single control library mapped to multiple frameworks
- Automate evidence collection from cloud infrastructure
- Track compliance status across all frameworks in one dashboard
- Generate audit-ready reports for different assessors
Popular GRC platforms used in healthcare include Vanta, Drata, Secureframe, HITRUST MyCSF, and Onspring.
Step 4: Establish a Compliance Calendar
Healthcare compliance is not a one-time project. Build a calendar that includes:
- Monthly: Review access logs, patch management reports, security incident summaries
- Quarterly: Workforce security training, vulnerability scans, policy reviews
- Annually: Full risk assessment, business associate agreement reviews, disaster recovery testing
- Biennially: HITRUST r2 recertification, with the interim assessment at the one-year mark (if applicable)
Common Healthcare Compliance Mistakes
After working with dozens of healthcare organizations on their compliance programs, these are the most frequent failures:
- Treating compliance as an IT problem. Compliance requires executive sponsorship, clinical staff engagement, and organization-wide culture change. IT cannot carry this alone.
- Ignoring business associates. Your security is only as strong as your weakest vendor. Every business associate must have a signed BAA and undergo periodic security reviews.
- Overlooking mobile devices. Clinical staff use personal smartphones, tablets, and laptops to access PHI. Without a mobile device management (MDM) solution and clear BYOD policies, this creates uncontrolled exposure.
- Assuming cloud equals compliant. Using AWS or Azure does not make you compliant. Cloud providers operate under a shared responsibility model: they secure the underlying infrastructure; you secure your data, identities, and configurations. You also need a signed BAA with the provider, and only the services the provider designates as HIPAA-eligible are covered by it; running PHI through a service outside that list is a compliance gap regardless of how you configure it.
- Neglecting physical security. Unlocked server rooms, unattended workstations, and paper records in open areas remain common findings in healthcare audits.
Healthcare Compliance Costs in 2026
Budgeting for healthcare compliance depends on organization size and the frameworks pursued:
| Framework | Small Practice (< 50 staff) | Mid-size Org (50-500) | Large Health System (500+) |
|-----------|-----------------------------|-----------------------|----------------------------|
| HIPAA Program | $5,000 - $20,000/yr | $50,000 - $150,000/yr | $200,000 - $500,000+/yr |
| SOC 2 Type 2 | $30,000 - $60,000 | $50,000 - $120,000 | $100,000 - $250,000 |
| HITRUST r2 | $50,000 - $100,000 | $100,000 - $250,000 | $200,000 - $500,000 |
| ISO 27001 | $20,000 - $50,000 | $50,000 - $150,000 | $100,000 - $300,000 |
| PCI DSS (SAQ D) | $10,000 - $30,000 | $30,000 - $80,000 | $50,000 - $200,000 |
These figures include assessment fees, consultant costs, and tool subscriptions. They do not include internal staff time, which typically doubles the total cost.
Frequently Asked Questions
Q: Is HIPAA compliance enough for healthcare organizations?
A: HIPAA is the legal baseline, but it is often not enough. Many partners, insurers, and enterprise customers require additional certifications like SOC 2 or HITRUST. State privacy laws add requirements beyond HIPAA, and cyber insurance policies increasingly mandate specific security frameworks.
Q: What is the difference between HIPAA and HITRUST?
A: HIPAA is a federal law that sets minimum requirements for protecting health information. HITRUST is a certifiable framework that includes all HIPAA requirements plus controls from NIST, ISO 27001, and other standards. HIPAA compliance is self-assessed, while HITRUST requires third-party validation.
Q: Do healthcare startups need SOC 2?
A: Healthcare startups selling to hospitals, health plans, or enterprise customers will almost certainly be asked for a SOC 2 Type 2 report. Even if not legally required, SOC 2 has become a de facto sales requirement in healthcare B2B. Starting with SOC 2 Type 1 and progressing to Type 2 within 6-12 months is a common approach.
Q: How do state privacy laws affect healthcare organizations?
A: Most state privacy laws exempt HIPAA-covered data, but they apply to health-related data collected outside the HIPAA framework. Wellness program data, health app data, and employee health information may fall under state privacy laws even when the organization is a HIPAA covered entity.
Q: What compliance framework should a healthcare organization start with?
A: Start with HIPAA, as it is legally required. Then pursue SOC 2 if you sell to enterprise customers, or HITRUST if your clients specifically request it. Use the NIST Cybersecurity Framework as your implementation guide, since it maps directly to HIPAA requirements and is referenced in HHS guidance.
Q: How often should healthcare organizations conduct risk assessments?
A: The HIPAA Security Rule requires an accurate and thorough risk analysis (45 CFR 164.308(a)(1)(ii)(A)) and ongoing risk management, but it does not specify a frequency. Best practice is to conduct a full risk assessment annually and update it whenever there are significant changes to systems, processes, or the threat landscape, such as a new EHR module, a cloud migration, or a merger. HITRUST requires risk assessments at least annually, and OCR investigators routinely ask for the most recent one after a breach.
