RiskWatch
HIPAA Compliance Platform · Continuous, not annual

HIPAA compliance, continuous not annual.

OCR doesn't accept “we did the risk analysis last March” anymore. Continuous controls monitoring across all four HIPAA Rules, BA register with subcontractor cascade, workforce training that includes BAs, and a risk-management cycle that runs after the risk analysis ships.

  • All §164.308 administrative safeguards (9 standards)
  • All §164.310 physical safeguards (4 standards)
  • All §164.312 technical safeguards (5 standards)
  • BAA register · OCR audit-ready exports
No credit card · HIPAA Security Rule library ships day 1
[Product dashboard mockup · app.riskwatch.com/hipaa · Live · 168 controls · HIPAA Security Rule compliance score, trended vs Q3 · Administrative §308 92% · Physical §310 78% · Technical §312 84% · 14 open findings · BAAs tracked · PHI registers · Reassessments due (30d) · Risk analyses (Q4)]
Top open findings · by days to close: Encryption gap (backup tapes) · Audit log retention < 6 yrs · BAA missing (3 vendors) · Workforce training overdue · Facility access reviews
Trusted by privacy and security officers across covered entities and business associates
Stryker
Catholic Health
Corewell Health
Janssen
Tricore
Baptist Hospital
Blue Cross NEPA
Monroe Plan
What it is

What is HIPAA compliance software?

OCR investigations follow breach reports. The auditor’s first question is the BAA cascade. RiskWatch tracks every direct BA’s contract for the 5 §164.504(e) terms, every subcontractor BAA per §164.308(b)(2), and the annual OCR-required risk analysis — surfacing the missing tier-2s before OCR does. That missing tier is the gap that turns a Tier 1 violation into a Tier 3.

Why teams move to RiskWatch

Risk analysis exists. Risk management doesn't.

The 2025 HIPAA Journal Annual Survey is blunt: privacy programs have mixed maturity, training skips business associates, and OCR's #1 enforcement target is “knowing about risks and failing to address them.” Here's what the three biggest pain themes look like for the privacy/security officer running this program.

Pain #1

Risk analysis exists. Risk management doesn't.

OCR's most-penalized HIPAA violation is knowing about risks to PHI and failing to address them — risks identified in the §164.308(a)(1)(ii)(A) analysis but never tracked through to remediation. Findings convert to risk-management items per §164.308(a)(1)(ii)(B), tracked to closure with owner, due date, evidence-of-close. The risk analysis becomes a living artifact, not an annual deliverable.

Pain #2

Workforce trained annually. BAs not at all.

The 2025 survey found business associates are routinely excluded from HIPAA training programs — and yet covered entities are vicariously liable for BA actions. Workforce training cadence per §164.308(a)(5) extends to BAs through the BAA register — assignments, attestation, quiz scoring, all timestamped per workforce member regardless of org boundary.

Pain #3

BA breach happens. OCR doesn't care that the BA caused it.

A covered entity is liable when it “knew, or by exercising reasonable diligence, should have known” of a pattern of BA non-compliance. RiskWatch provides subcontractor BAA cascade tracking, BA risk-monitoring feeds, and the “reasonable diligence” audit trail that proves you were paying attention before the breach.

  • 168+ HIPAA controls scored · §164.308 · §164.310 · §164.312
  • 4 Rules covered, one platform · Privacy · Security · Breach · Omnibus
  • $2M+ average OCR penalty avoided with documented risk analysis
The HIPAA platform

Every module a HIPAA program needs — in one platform.

Sixteen modules sharing the §164 control library, BAA register, and PHI inventory. Built around the OCR-required risk analysis so the §164.308(a)(1)(ii)(A) deliverable updates continuously.

HIPAA Dashboard

Privacy + security in one view

§164.308/310/312 rollups, top open findings, BAAs expiring, workforce-training rates, breach-readiness state.

§164 Control Library

All 168 controls pre-loaded

Administrative, physical, technical safeguards from the Security Rule plus Privacy Rule §164.500-§164.534 controls.

Risk Analysis

§164.308(a)(1)(ii)(A) as a living doc

Continuous, quarter-by-quarter scoring. Trended deltas. OCR-ready exports with methodology, scope, and findings.

BAA Register

Principals + subcontractors

Track BAAs, expirations, breach-notification clauses. Subcontractor BAA cascades flagged automatically.

PHI Inventory

Where PHI lives

EHR, claims, imaging, wearables, partner systems. Data flows mapped to systems and BAs.

Workforce Training

§164.308(a)(5) attestation

Schedule, deliver, attest, quiz — with timestamped evidence per §164.308(a)(5)(ii)(A–D).

Breach Readiness

60-day clock starts now

Breach Notification Rule (§164.404–414) playbook, OCR breach portal templates, individual + media notification drafts.

Notice of Privacy Practices

NPP version control

§164.520 NPP authoring, posting, attestation. Every revision timestamped, every patient ack recorded.

Cross-Framework Mapping

HIPAA + HITRUST + ISO 27001

Each control links to HITRUST CSF v11, ISO 27001 Annex A, NIST 800-53. One assessment, multiple deliverables.

Sanctions & Watchlists

Workforce + BA screening

OIG LEIE, SAM exclusions, state Medicaid lists. Continuous screening with breach alerts on hits.

Incident Tracking

Security incidents → breaches

§164.308(a)(6) incident response procedures, evidence collection, breach assessment per §164.402(2)(i–iv).

Remediation Tasks

Findings → tracked work

Convert findings into assigned tasks with owner, due date, evidence-of-close. Bidirectional Jira/ServiceNow sync.

OCR Audit Pack

What auditors actually ask for

Risk analysis, sanctions log, training records, BAA register, NPP versions, breach log — one ZIP, one click.

Audit Trail

"Who changed this?" answered instantly

Timestamped log of every score change, BAA upload, training-completion mark, breach-classification decision.

Recurring Reassessment

Quarterly cadence per §164 family

Administrative every quarter, physical every 6 months, technical continuously. Reminders + escalation automatic.

Bulk Tools

Onboard 50 BAAs in 5 minutes

Bulk import workforce, BAs, PHI systems, prior risk analyses. CSV + API sync. Customize fields without IT.

All four HIPAA rules

Privacy · Security · Breach Notification · Omnibus.

Most HIPAA tools cover the Security Rule. RiskWatch covers all four — including the Privacy Rule's 80+ standards, the Breach Notification Rule's 60-day clock, and the Omnibus 2013 updates that brought BAs into direct OCR liability. Each rule maps to specific §164 sections, each section to specific controls.

  • Privacy Rule §164.500–.534 · Notice of Privacy Practices, individual rights, minimum necessary, marketing & fundraising restrictions
  • Security Rule §164.302–.318 · All 18 safeguard categories — administrative, physical, technical, plus organizational and policies/procedures
  • Breach Notification §164.400–.414 · 60-day clock to individuals, OCR portal submission, media notification for 500+ affected
  • Omnibus 2013 updates · BA direct liability, GINA additions, sale-of-PHI restrictions, marketing/fundraising tightening
See all 4 rules in action
HIPAA Security Rule · §164 controls
  • §164.308 · Administrative safeguards (9 standards) · 92%
  • §164.310 · Physical safeguards (4 standards) · 78%
  • §164.312 · Technical safeguards (5 standards) · 84%
  • §164.314 · Organizational requirements (BAA + group) · 88%
  • §164.316 · Policies, procedures, documentation · 81%
  • §164.404 · Breach notification to individuals · 100%
  • §164.502 · Privacy Rule · uses and disclosures · 76%
  • §164.520 · Notice of Privacy Practices · 95%
All §164 sections → OCR-ready exports in 2 clicks
One assessment, one control library · mapped to ISO 27001, SOC 2, HIPAA, NIST CSF, PCI DSS, GDPR
Cross-framework mapping

HIPAA + HITRUST + ISO 27001 + SOC 2.

One control answer flows into HITRUST CSF v11, ISO 27001 Annex A, and SOC 2 trust services criteria simultaneously. The HITRUST authorization is the single highest-bar audit in healthcare — RiskWatch maps every HIPAA control to its HITRUST counterpart so progress on one is progress on both.

  • HITRUST CSF v11 · every HIPAA control mapped to the corresponding CSF requirement statement
  • ISO 27001:2022 Annex A · cross-mapping covering A.5–A.8 organizational, people, physical, technological controls
  • SOC 2 trust services · CC1–CC9 plus PI / A / C principles for healthcare SaaS
  • NIST 800-66 r2 implementation · the official HIPAA Security Rule implementation guide structure
  • State law overlays · TX HB 300, NY SHIELD Act, CA CMIA — additional requirements layered on
Three safeguard categories

The §164 Security Rule, organized.

  • Administrative §164.308 · 9 standards covering risk analysis, workforce training, info access, contingency, evaluation, BAAs
  • Physical §164.310 · 4 standards covering facility access, workstation use/security, device and media controls
  • Technical §164.312 · 5 standards covering access control, audit, integrity, transmission, person/entity authentication
  • Organizational §164.314 · Business Associate Agreements + group health plan requirements

§164.308(b) · BAA cascade

The BAA isn't the contract. It's the cascade.

OCR enforcement consistently flags missing subcontractor BAAs as a Tier 3 violation. §164.308(b)(2) makes you responsible for ensuring every business associate has BAAs with their subcontractors who handle PHI — and proving the chain holds. Most teams sign BAAs with their direct vendors and stop there. The cascade view makes the missing tier 2s impossible to miss.

  • BAA register · every direct BA tracked with §164.504(e) required terms, renewal dates, and contact
  • Subcontractor BAA cascade · §164.308(b)(2) cascade visible per BA; missing tier-2 BAAs flagged for action
  • Renewal alerts · 60/30/7-day renewal alerts to the privacy officer + procurement
  • OCR-ready export · BAA register + cascade map packaged as evidence in any OCR investigation
45 CFR §164.308(b) · BAA cascade
BAA + subcontractor BAA · all tiers visible
OCR enforcement: missing subcontractor BAA = Tier 3 violation
  • Covered Entity · Regional Health System (CE)
  • Business Associate · Epic · EHR vendor · Active · 2024 · renews 2026-08-15 · Current
  • Business Associate · Datadog · monitoring · Active · 2025 · renews 2027-03-20 · Current
  • Business Associate · Twilio · patient SMS · Expires 2026-06-01 · renews 2026-06-01 · Expiring
  • Subcontractor BAA · AWS (via Epic) · §164.308(b)(2) · Confirmed · renews: cascaded · Current
  • Subcontractor BAA · Stripe (via Twilio) · missing · Not on file · renews: action required · Missing
47 BAAs current · 2 expiring · 1 missing subcontractor · §164.308(b)(2) covered.
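The cascade logic described above, as an added example that is not RiskWatch's own code: a small register model in which a subcontractor row either carries its own renewal date or inherits ("cascades") the principal BAA's date, and each row is labelled Current, Expiring, Expired or Missing. A subcontractor BAA is treated as Missing whenever the principal BAA above it is missing, because §164.308(b)(2) is about the chain holding, not about any one piece of paper. The vendors, dates, the 60-day expiring window and the "today" value are constructed to mirror the mockup; the Expired label and the chain-breaks-chain rule are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class BAA:
    """One register row: a direct BA, or a subcontractor BAA tied to its principal through `via`."""
    vendor: str
    role: str
    renews: Optional[date] = None   # None when no executed agreement is on file
    via: Optional[str] = None       # principal BA for a subcontractor BAA (§164.308(b)(2))
    cascaded: bool = False          # term flows down from the principal BAA instead of a separate date


# Constructed sample register mirroring the page's mockup; vendors and dates are illustrative only.
REGISTER: List[BAA] = [
    BAA("Epic", "EHR vendor", renews=date(2026, 8, 15)),
    BAA("Datadog", "monitoring", renews=date(2027, 3, 20)),
    BAA("Twilio", "patient SMS", renews=date(2026, 6, 1)),
    BAA("AWS", "hosting (via Epic)", via="Epic", cascaded=True),
    BAA("Stripe", "payments (via Twilio)", via="Twilio"),   # nothing on file: a missing tier-2
]
TODAY = date(2026, 4, 2)   # constructed "today" for the walkthrough


def lookup(register: List[BAA], vendor: str) -> Optional[BAA]:
    return next((b for b in register if b.vendor == vendor), None)


def effective_renewal(baa: BAA, register: List[BAA]) -> Optional[date]:
    """Date that actually governs the row; a cascaded subcontractor BAA follows its principal's renewal."""
    if baa.cascaded and baa.via:
        parent = lookup(register, baa.via)
        return effective_renewal(parent, register) if parent else None
    return baa.renews


def status(baa: BAA, register: List[BAA], today: date, window_days: int = 60) -> str:
    """Current / Expiring / Expired / Missing for one row. A subcontractor BAA is only as good as
    the principal BAA above it, so a broken chain reports Missing even if tier-2 paper exists."""
    if baa.via:
        parent = lookup(register, baa.via)
        if parent is None or status(parent, register, today, window_days) == "Missing":
            return "Missing"
    renews = effective_renewal(baa, register)
    if renews is None:
        return "Missing"
    days_left = (renews - today).days
    if days_left < 0:
        return "Expired"
    if days_left <= window_days:
        return "Expiring"
    return "Current"


def cascade_gaps(register: List[BAA], today: date) -> List[Tuple[str, str]]:
    """Subcontractor rows with no effective BAA, as (subcontractor, principal) pairs."""
    return [(b.vendor, b.via) for b in register
            if b.via and status(b, register, today) == "Missing"]


def renewal_alerts(register: List[BAA], today: date, thresholds=(60, 30, 7)) -> List[Tuple[str, int]]:
    """Rows whose governing renewal date is exactly 60/30/7 days out today (the page's alert cadence)."""
    alerts = []
    for b in register:
        renews = effective_renewal(b, register)
        if renews is not None and (renews - today).days in thresholds:
            alerts.append((b.vendor, (renews - today).days))
    return alerts


def summary(register: List[BAA], today: date) -> Dict[str, int]:
    """Counts per status label, the footer line of the cascade view."""
    counts = {"Current": 0, "Expiring": 0, "Expired": 0, "Missing": 0}
    for b in register:
        counts[status(b, register, today)] += 1
    return counts


if __name__ == "__main__":
    for b in REGISTER:
        print(f"{b.vendor:8} {b.role:24} {status(b, REGISTER, TODAY)}")
    print("cascade gaps:", cascade_gaps(REGISTER, TODAY))
    print("renewal alerts:", renewal_alerts(REGISTER, TODAY))
    print("summary:", summary(REGISTER, TODAY))
```

On the sample, Twilio sits exactly 60 days from the constructed "today", so it is both Expiring and the only row that fires an alert; AWS inherits Epic's date and reports Current; Stripe is the one cascade gap. Note that a cascaded subcontractor also fires an alert on the principal's thresholds, which is what a procurement team wants, since renewing Epic without re-confirming the AWS flow-down leaves the chain unproven.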
How it works

From first risk analysis to OCR-ready in five stages.

Most teams complete a baseline §164.308(a)(1)(ii)(A) risk analysis within their first week. Stage 4 runs continuously. Stage 5 is on-demand the moment OCR or your auditor asks.

Stage 01 · Day 1

Inventory PHI

Map ePHI to systems, BAs, and data flows. Bulk-import from SCCM/CMDB or upload an inventory spreadsheet.

Stage 02 · Day 2–7

Score §164 controls

Question-by-question scoring across all 168 Security Rule + Privacy Rule controls. Auto-fill from prior assessments.

Stage 03 · Week 2

Risk-rank findings

Findings ranked by likelihood × impact per §164.308(a)(1)(ii)(B). Top-N gaps surfaced for the OCR risk-mgmt deliverable.

Stage 04 · Continuous

Remediate and reassess

Findings convert to tasks. BAA renewals tracked. Workforce training scheduled. Quarterly re-scoring runs automatically.

Stage 05 · On-demand

Report and produce

OCR audit pack — risk analysis, sanctions log, training records, BAA register, NPP versions, breach log — in two clicks.

Customer stories

The OCR audit that stopped feeling existential.

Real privacy officers. Real OCR audit responses. Real corrective-action plans avoided.

The §164.308(a)(1)(ii)(A) risk analysis used to take six weeks of full-time work. Now it's a saved report we update quarterly.
Dr. Anita R.
CISO · Regional health system · 14,000 employees
Risk analysis time
↓ 85%
6 weeks → 5 days
BAAs tracked
240 → 1
spreadsheets to one register
Time-to-deploy
3 weeks
first OCR-ready cycle

OCR walked in expecting a fire drill and walked out asking for our methodology. The audit-trail-per-control feature alone is what moved the conversation forward.

Jamie C.
Privacy Officer · Hospital network · 6,200 employees

BAA register changed how we onboard vendors. We catch missing BAAs at intake instead of finding out two months later when something breaks.

Marcus R.
Director of Compliance · Healthcare SaaS · 1,400 employees

HITRUST cross-mapping cut our second audit cycle in half. We were already 80% done with HITRUST when we started — because every HIPAA control had already been scored.

Elena H.
VP Risk · Health insurance · 5,800 employees
Cross-mapped frameworks

Plus every framework healthcare orgs run alongside HIPAA — cross-mapped.

Score one HIPAA control, satisfy HITRUST CSF, ISO 27001, SOC 2, and NIST 800-66 simultaneously. Plus state-law overlays for the multi-state covered entity.

  • HITRUST CSF v11 · Healthcare info security
  • ISO 27001:2022 · ISMS · Annex A controls
  • SOC 2 Type 2 · Healthcare SaaS audits
  • NIST 800-66 r2 · HIPAA implementation guide
  • NIST 800-53 r5 · Federal control catalog
  • NIST CSF 2.0 · Outcome-based maturity
  • 21 CFR Part 11 · FDA electronic records
  • HHS 405(d) · Cybersecurity practices
  • TX HB 300 · Texas medical privacy
  • NY SHIELD Act · NY data security
  • CA CMIA · California medical info
  • GDPR (cross-border) · EU patient data
  • PCI DSS Req. 9 · Healthcare payments
  • FERPA (academic) · Teaching hospitals
  • +20 more · Custom on request
Free resources

Take RiskWatch home before you sign anything.

Three downloads. Use them to evaluate, share with privacy/security teams, or build the OCR-readiness business case.

Most popular · HIPAA Risk Analysis · 36 pages · §164.308(a)(1)(ii)(A) Risk Analysis Template · PDF + Excel · OCR-ready

HIPAA Security Rule Risk Analysis Template

OCR-aligned §164.308(a)(1)(ii)(A) risk analysis template — covers all 18 safeguard categories, includes the §164.308(a)(1)(ii)(B) risk-management plan worksheet and a methodology statement.

  • Aligned to NIST 800-66 r2 methodology
  • All §164.308/310/312 controls
  • Editable Word + branded PDF
Get the template
BAA Pack · 2026 · Business Associate Agreement Template · Word · Editable BAA

Business Associate Agreement Template

OCR-aligned BAA template covering all required §164.504(e)(2) provisions plus the Omnibus 2013 sub-contractor flow-down clauses. Includes a redline-ready vendor BAA-comparison checklist.

  • All §164.504(e)(2) required provisions
  • Subcontractor flow-down clauses
  • Vendor-comparison checklist
Get the BAA pack
Buyer's Guide · HIPAA Compliance Platform · 2026 Vendor Comparison · 20-page PDF

HIPAA Compliance Platform Buyer's Guide

Vendor scorecard, OCR audit-pack benchmarks, BAA-tracking comparison, pricing by org size, and HITRUST-readiness depth.

  • Feature matrix · 6 vendors
  • Scorecard template
  • Pricing benchmarks
Get the guide
FAQ

Common questions, answered up front.

About HIPAA compliance software, the §164 Security Rule, BAAs, OCR audit prep, and HITRUST — and how RiskWatch covers all of them.

What is HIPAA compliance software?
HIPAA compliance software is a platform that helps covered entities and business associates achieve and continuously maintain compliance with the HIPAA Privacy, Security, Breach Notification, and Omnibus Rules. The 2026 buyer expectation has shifted from annual checklist tools to continuous controls monitoring — regulators and cyber insurers now expect ongoing evidence of HIPAA safeguards, not annual snapshots. RiskWatch covers all 168 Security Rule controls, the Privacy Rule §164.500–.534 requirements, BAA register with subcontractor cascade, OCR audit-pack export, HITRUST CSF v11 cross-mapping, and continuous quarterly reassessment per Annex family.
What's the difference between the HIPAA Privacy Rule and Security Rule?
The Privacy Rule (§164.500–.534) governs how protected health information (PHI) can be used and disclosed — minimum necessary, individual rights, marketing restrictions, Notice of Privacy Practices, etc. The Security Rule (§164.302–.318) governs how electronic PHI (ePHI) must be protected — administrative, physical, and technical safeguards. Privacy Rule applies to all PHI in any form. Security Rule applies only to ePHI. RiskWatch covers both.
What's the difference between the OCR risk analysis and risk management?
The §164.308(a)(1)(ii)(A) risk analysis identifies threats and vulnerabilities to ePHI. The §164.308(a)(1)(ii)(B) risk management process is what you do about them — implementing controls to reduce risks to a reasonable and appropriate level. OCR's most-penalized violation is exactly the gap between these two: organizations conduct the risk analysis, file the report, and never act on the findings. RiskWatch links every risk-analysis finding to a tracked risk-management item with owner, due date, remediation evidence — so the risk analysis becomes input to a continuous process, not a standalone artifact.
How does the BAA register work?
The BAA register tracks every Business Associate Agreement — your direct BAs (the principal BAA) and their subcontractors (the BA-of-BA chain required by Omnibus 2013). For each BAA the platform stores the agreement document, expiration date, breach-notification clauses, scope of PHI access, and renewal status. Missing BAAs (any vendor handling PHI without an executed agreement) are flagged automatically. Subcontractor BAA cascades trigger alerts when a principal BA's roster changes.
Does the platform produce OCR-ready audit responses?
Yes. The OCR audit pack export bundles the risk analysis, risk-management plan, sanctions log, workforce-training records, BAA register, Notice of Privacy Practices version history, breach log, and policy-and-procedure inventory in a single ZIP organized by the OCR HIPAA Audit Protocol section. The same export covers OCR investigations, state attorney general inquiries, and HITRUST audit prep.
How does HITRUST cross-mapping help?
HITRUST CSF v11 is the most rigorous healthcare security certification — it bundles HIPAA, ISO 27001, NIST 800-53, PCI DSS, and dozens of other framework requirements into a single set of control statements. RiskWatch maps every HIPAA control to its HITRUST counterpart, so progress on HIPAA compliance becomes progress toward HITRUST authorization. The same answers, scored once, populate both deliverables. Healthcare SaaS vendors typically cut HITRUST prep time by 40–50% by starting from a complete HIPAA risk analysis.
Does the platform handle the Breach Notification Rule?
Yes. The Breach Notification module covers §164.400–.414: the four-factor breach assessment from §164.402(2)(i–iv), the 60-day individual notification clock, the OCR portal submission template, media notification drafts for breaches affecting 500+ individuals, and the annual breach log required for breaches affecting fewer than 500. Every step timestamped and audit-trailed for OCR.
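The clock arithmetic behind that answer, as an added example (not the module's own code): given the discovery date and a per-state count of affected individuals, it derives the individual-notice deadline, the HHS deadline, the media-notice states and whether the breach goes on the annual log. It follows the Breach Notification Rule thresholds as published: individual notice within 60 calendar days of discovery (§164.404), HHS notice with the individual notice for 500 or more individuals and otherwise within 60 days after the end of the calendar year of discovery (§164.408), and media notice where more than 500 residents of a single state or jurisdiction are affected (§164.406). The discovery dates and state counts are constructed sample inputs.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

NOTIFY_WINDOW = timedelta(days=60)   # the 60-day clock in §164.404 and §164.408
HHS_THRESHOLD = 500                  # §164.408(b): 500 or more -> notify HHS with individual notice
MEDIA_THRESHOLD = 500                # §164.406: more than 500 residents of one state/jurisdiction


@dataclass(frozen=True)
class BreachPlan:
    total_affected: int
    individual_notice_by: date      # last permissible day for individual notice
    hhs_notice_by: date             # contemporaneous, or annual-log deadline for small breaches
    media_notice_states: List[str]  # states needing prominent-media notice
    annual_log_only: bool           # True when the HHS filing is the annual log, not an immediate one


def breach_plan(discovered: date, affected_by_state: Dict[str, int]) -> BreachPlan:
    """Derive the notification deadlines for one breach of unsecured PHI."""
    total = sum(affected_by_state.values())
    individual_by = discovered + NOTIFY_WINDOW
    if total >= HHS_THRESHOLD:
        hhs_by = individual_by           # §164.408(b): filed together with individual notice
        annual_log = False
    else:
        # §164.408(c): logged, then submitted within 60 days after the end of the calendar year
        hhs_by = date(discovered.year, 12, 31) + NOTIFY_WINDOW
        annual_log = True
    media = sorted(s for s, n in affected_by_state.items() if n > MEDIA_THRESHOLD)
    return BreachPlan(total, individual_by, hhs_by, media, annual_log)


def days_remaining(plan: BreachPlan, today: date) -> Dict[str, int]:
    """Days left on each clock; negative means the deadline has passed."""
    return {
        "individual": (plan.individual_notice_by - today).days,
        "hhs": (plan.hhs_notice_by - today).days,
    }


# Constructed sample breaches (hypothetical dates and counts).
LARGE = breach_plan(date(2026, 2, 10), {"TX": 700, "OK": 40})   # 740 affected, TX over the media line
SMALL = breach_plan(date(2026, 9, 3), {"NY": 120})             # under 500: annual log

if __name__ == "__main__":
    for name, plan in (("large", LARGE), ("small", SMALL)):
        print(name, plan)
        print("  days remaining as of 2026-03-01:", days_remaining(plan, date(2026, 3, 1)))
```

The two thresholds are deliberately kept apart: a breach of exactly 500 people spread across several states triggers immediate HHS notice but no media notice, while a breach of 501 residents of one state triggers both. The per-state tally is therefore an input the incident record has to capture from the start, not something reconstructed at day 59.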
Is there a free trial?
Yes. The 30-day free trial requires no credit card and includes full access — every §164 control, the BAA register, OCR audit-pack export, HITRUST CSF v11 cross-mapping, and quarterly reassessment cadences. You can run a real risk analysis against your own organization and decide before purchasing.
Ready to make HIPAA continuous?

Run your first §164.308 risk analysis this week.

Start a 30-day free trial — every §164 control, the BAA register, the OCR audit pack, HITRUST cross-mapping, and continuous reassessment cadences. No credit card required.

No credit card required · 30-day free trial · Cancel anytime