FAQs: HIPAA: requirements, evidence, and common scenarios

This article brings together common customer questions and practical answers based on typical Secureframe workflows, compliance situations and unique tech stacks.

It is meant as quick reference material for day-to-day use of the product.

BAAs and vendor relationships

Do you need to sign a BAA with clients getting HIPAA compliant?

  • No, we are not looking at any PHI or sensitive data that would require Secureframe to sign a BAA.

HIPAA scope and program

Can a Code of Conduct document in Secureframe be reused as evidence for HIPAA training compliance, or do I need something additional?

  • A Code of Conduct document alone is typically not sufficient to meet HIPAA training compliance requirements. While it demonstrates that employees are expected to follow ethical and security guidelines, HIPAA requires proof that personnel have actually received training on HIPAA-specific privacy and security rules.

    To be accepted as evidence, the Code of Conduct should be paired with one or more of the following:

    A signed attestation log showing that employees acknowledged the Code of Conduct and completed HIPAA training.

    A training record or completion certificate from Secureframe or another learning management system (LMS).

    Audit logs or reports that confirm employees were assigned, completed, and passed HIPAA training content.

    In short: you can reference your Code of Conduct as part of the training evidence package, but it must be supported by attestations or training records to fully satisfy HIPAA auditor expectations.

Can I access a HIPAA or GDPR badge if I'm not going through a formal audit?

  • If you're not participating in a formal audit or certification process, Secureframe does not provide HIPAA or GDPR badges. Here’s why:

    HIPAA is a law, not a certification — there’s no official certifying body or formal badge. Organizations can self-attest to HIPAA compliance, but this does not grant them the right to use any “official” badge unless backed by a verified audit or recognized third party.

    GDPR also has no central certification authority — compliance is demonstrated through adherence to the law, not a badge or seal.

    That said, some companies use careful language such as “Automated by” to indicate the use of a compliance platform without implying full certification. If you'd like to publicly share your progress toward compliance:

    You may reference that you're using Secureframe to manage or automate your compliance program.

    You may state that you're “HIPAA-aligned”, “working toward SOC 2”, or “following GDPR best practices.”

    If you're using Secureframe’s Trust Center, it can serve as a credible way to show your compliance posture without needing a badge.

Can Secureframe provide WorkOS compliance documentation (e.g., SOC 2, GDPR, HIPAA, security audit summaries) on behalf of WorkOS?

  • Since WorkOS hosts and manages their own compliance materials, we’re not authorized to share their documentation directly. Most of their certifications and audit summaries are available through the WorkOS Trust Center, but you may need to create an account and agree to their terms or NDA to access it. We recommend reaching out to WorkOS directly if you need help accessing their compliance documents.

Could software be considered HIPAA compliant? Or only the organization?

  • Only the organization can be HIPAA compliant. However, if the organization applies HIPAA-compliant controls to the software, then the app itself can also be considered HIPAA-compliant as part of the compliance effort.

Do personnel need to do security training for HIPAA? Any special trainings?

  • All employees should complete security training, background checks, and policy acceptances. If in the HIPAA group, they also need to complete HIPAA training and accept HIPAA policies.

Do Secureframe’s SOC 2, ISO 27001, and HIPAA policy templates include Canadian compliance requirements?

  • HIPAA is a U.S.-only healthcare regulation — so those policies apply strictly to U.S. regulatory needs.

    SOC 2 and ISO 27001 are global frameworks, and our policy templates for those standards are designed to meet the framework requirements, not specific country laws.
    → They are framework-focused rather than U.S.-specific.

    If customers must comply with Canadian privacy or industry regulations such as:

    PIPEDA (Personal Information Protection and Electronic Documents Act)

    Provincial privacy laws (e.g., Alberta’s PIPA, Québec’s Law 25)

    …those obligations can be added as regulatory requirements within the compliance program, but they are not included by default in the standard policy templates.

Do we offer HIPAA HITECH as a separate framework? A customer asked if this can be incorporated with their SOC 2, and how HITECH ties into the HIPAA we offer.

  • We don’t offer HIPAA HITECH as a separate framework since HITECH is already built into HIPAA. When we support HIPAA, it inherently covers HITECH as well. If the customer wants to align HIPAA with their SOC 2, our partner network can scope that into their audit and reporting.

Does Secureframe provide training and track completion for both "HIPAA Privacy Policy & Procedures Manual" and "HIPAA Security Policies & Procedures Manual"?

  • Secureframe provides a built-in HIPAA Training course that covers key topics related to both the Privacy Rule and Security Rule, as outlined in the HIPAA Privacy and Security Policies & Procedures Manuals.

    What’s included:

    Video-based training with 7 short modules, including:

    Lesson #3: The Privacy Rule

    Lesson #4: The Security Rule

    Quizzes at the end of each lesson

    Progress tracking and automatic certificate issuance upon completion.

Does Secureframe review or update the trainings provided in the platform (e.g., Security Awareness, HIPAA, PCI, GDPR, etc.)?

  • Yes, we update our training often. That said, outside of the general frameworks we offer, it is the customer’s responsibility to periodically review all trainings they assign (annually at minimum is common) and ensure the content remains sufficient, accurate, and relevant for their employees and compliance needs.

    If needed, a breakdown of the current trainings is available [here](https://support.secureframe.com/hc/en-us/articles/44016572608787-Secureframe-Framework-Compliance-Training).

Does Secureframe's HIPAA framework include HITECH (Omnibus Rule) requirements, and how can I identify them?

  • Yes — HITECH requirements are fully embedded within our HIPAA framework. HITECH was integrated into HIPAA over 10 years ago (2013), so it's no longer a separate standard. The key HITECH-originating requirements — Breach Notification and Business Associate requirements — are now simply part of HIPAA.
    To find these requirements in the framework, go to the HIPAA framework and use the search bar to search "breach notification" and "business associate" — the relevant requirements will populate for each.

For HIPAA, is uploading the security incident template and running a BCDR exercise enough?

  • Completing and uploading evidence for both the Security Incident Response tabletop exercise and the BCDR tabletop exercise will satisfy the requirements for those specific HIPAA tests. Each requires documentation of a completed exercise within the past year, including notes, lessons learned, and any corrective actions.

    However, HIPAA compliance also has other requirements outside of these two tests (e.g., risk analysis, policies, training, breach notification). So while these two uploads will close out those test items, you should still review the rest of your HIPAA framework tasks in Secureframe to ensure full coverage.

HIPAA data/log retention requirements

  • HIPAA data retention requires logs and audit evidence to be stored for at least 6 years. If your company is new to HIPAA compliance, you must begin storing logs from inception. If you’ve only stored data for a short time, you can indicate that you will maintain records going forward.

How do I scope my environment for HIPAA compliance?

  • Scoping for HIPAA requires understanding how PHI (Protected Health Information) is stored, processed, or transmitted. Confirm which systems and vendors handle PHI, and ensure you have signed Business Associate Agreements (BAAs) with those vendors. Enable related tests for encryption, access controls, and logging.

How do you satisfy the HIPAA-related compliance reports?

  • This is N/A for the first year. For the second year, provide an export of the Secureframe report from the first year, or if an audit was performed, provide the audit report.

How does a customer know if they need HIPAA?

  • If an organization handles (stores, processes, transmits) Protected Health Information (PHI), it must comply with HIPAA.

How is HITECH different than HIPAA?

  • The HITECH Act is an extension of HIPAA focusing on electronic health records and data breaches, while HIPAA covers privacy and security for all health records, both electronic and paper.

How is HITRUST different than HIPAA?

  • HITRUST is a global security and risk management framework, while HIPAA is a U.S. law specifically for health industry standards related to protecting patient health information.

How long will a HIPAA audit take?

  • HIPAA audits tend to be faster for companies with existing SOC 2 or ISO certifications, since those companies usually only need to add risk questions, BAA tasks, policies, and addendums to work already done. A standalone HIPAA audit typically takes longer. The process includes one week for fieldwork, a week for follow-up, and two weeks for quality assurance, so the draft report typically arrives in about a month.

If a client uses an email marketing campaign manager, does it have to be HIPAA compliant?

  • If the vendor has access to PHI or is handling a patient roster (which is PHI), it must be HIPAA-compliant.

Is an annual HIPAA audit required to keep the HIPAA badge?

  • An annual HIPAA audit is not strictly required to maintain the HIPAA badge, but re-certification is often done annually by most auditors.

Is it HIPAA compliant to assign multiple users to a single computer?

  • Assigning multiple users to a single computer can be HIPAA compliant, but only if specific safeguards are in place to protect ePHI (electronic Protected Health Information). HIPAA doesn’t explicitly forbid shared devices—it requires administrative, physical, and technical safeguards to prevent unauthorized access to ePHI.

    Here are key requirements that must be met to maintain compliance:

    ✅ Access Controls

    Each user must have a unique login/credentials to ensure accountability (per HIPAA §164.312(a)(2)(i)).

    The system must enforce role-based access, so users can only access data necessary for their duties.

    ✅ Audit Controls

    The system must log access by user ID, including what data was accessed and when.

    ✅ Automatic Logout

    Systems should auto-log out inactive sessions to reduce unauthorized access risk.

    ✅ Workstation Security

    Physical safeguards must be in place—like positioning the computer screen away from public view or using screen privacy filters.

    ✅ Training

    All users must be trained to log out of sessions and not share credentials.

    ❌ Non-compliant Practices

    Shared logins (e.g., one "nurse" account used by 5 nurses).

    No audit logging or inability to determine which user accessed what data.

    Bottom line: Yes, multiple users can use a single computer under HIPAA if you implement proper access, audit, and physical safeguards.
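As an added illustration (not part of the original article or of any Secureframe test), the check below runs over a few constructed workstation audit-log lines and flags the two non-compliant practices listed above: access records with no user ID, and one account signed in on several workstations at once, which is what a shared login looks like in the logs. The log format (timestamp, workstation, user, event) is assumed for the example.

```python
"""Audit-log checks for shared-workstation ePHI access.
Constructed sample data; the line format is an assumption for this example."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one workstation per line, "-" means no user ID recorded.
SAMPLE_LOG = """\
2024-03-04T08:00:12 WS-01 jdoe LOGIN
2024-03-04T08:02:40 WS-01 jdoe VIEW record=PT-1001
2024-03-04T08:05:03 WS-02 nurse LOGIN
2024-03-04T08:07:15 WS-03 nurse LOGIN
2024-03-04T08:08:00 WS-03 nurse VIEW record=PT-1002
2024-03-04T08:09:30 WS-02 - VIEW record=PT-1003
2024-03-04T08:15:00 WS-01 jdoe LOGOUT
2024-03-04T08:20:00 WS-02 nurse LOGOUT
2024-03-04T08:21:00 WS-03 nurse LOGOUT
"""


def parse(log_text):
    """Return (timestamp, workstation, user, event) tuples; event keeps its details."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ws, user, event = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), ws, user, event))
    return events


def unattributed_access(events):
    """Record views with no user ID: the log cannot say who accessed what data."""
    return [(ts.isoformat(), ws, event) for ts, ws, user, event in events
            if user == "-" and event.startswith("VIEW")]


def concurrent_logins(events):
    """Accounts with open sessions on more than one workstation at the same time."""
    active = defaultdict(set)          # user -> workstations with an open session
    findings = []
    for ts, ws, user, event in events:
        if event == "LOGIN":
            active[user].add(ws)
            if len(active[user]) > 1:  # same account now live on two devices
                findings.append((user, ts.isoformat(), sorted(active[user])))
        elif event == "LOGOUT":
            active[user].discard(ws)
    return findings


def report(log_text):
    """Run both checks and return the findings keyed by check name."""
    events = parse(log_text)
    return {"unattributed_access": unattributed_access(events),
            "concurrent_logins": concurrent_logins(events)}


if __name__ == "__main__":
    for check, findings in report(SAMPLE_LOG).items():
        print(check, findings)
```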

What is the best way (HIPAA) to manage a shared email account used for patient communication?

  • Using a password manager to securely share credentials is HIPAA-compliant. Alternatively, using a ticketing system that logs actions is also acceptable.

What is the overlap between SOC 2 & HIPAA with HITRUST? I.e. if they're SOC 2 & HIPAA compliant, how ready are they for HITRUST?

  • There is around a 25-30% overlap between SOC 2 & HIPAA with HITRUST. HITRUST incorporates elements from multiple frameworks like SOC 2, ISO, and NIST. Being SOC 2 & HIPAA compliant helps, but there are still a lot of deltas to be addressed.

What percent do customers need to achieve to say they are HIPAA compliant?

  • There is no percentage for HIPAA compliance; it must be 100% compliant, or the organization is in violation.

What should be considered in HIPAA framework scoping?

  • Identify how PHI is stored, processed, or transmitted. Also, verify that Business Associate Agreements are in place for vendors handling PHI.

What vendors do customers need to add for HIPAA?

  • For HIPAA compliance, any vendor storing, processing, or transmitting PHI on behalf of the organization should be included, and a Business Associate Agreement (BAA) should be established.

What’s the best approach for handling and tracking HIPAA-related data deletion requests, especially when sensitive identifiers like name and DOB are involved?

  • You're absolutely right to pause and consider the implications—tracking requests involving PHI (Protected Health Information) in tools like Jira may raise compliance concerns, especially if Jira isn’t configured as a HIPAA-compliant system.

    Here’s what I’ve seen other companies do:

    Jira can be used, but only as a workflow tracker, not a place to store PHI. The ticket can include high-level notes and reference an external, secure source of truth.

    For the evidence of deletion, companies often use a separate encrypted repository or HIPAA-compliant drive to store detailed logs or confirmation files, then link to it or reference it in Jira without exposing the PHI.

    Some organizations maintain a secure deletion log (e.g., encrypted spreadsheet or database)—especially for individual requests—storing details like the request date, data type, and deletion confirmation, while limiting access only to authorized personnel.

    In short, Jira can work if used carefully, but it’s best to avoid putting sensitive identifiers directly into tickets. Treat Jira as a pointer system, and use a separate, HIPAA-compliant storage or log for the actual PHI-related data.
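The pointer-system approach described above, as an added example (not code from the original article, from Secureframe or from Jira): the ticket payload carries only an opaque reference and a data type, the identifiers and deletion confirmation go to a separate restricted log, and a guard refuses any ticket text that contains the requester's name or a date. The dict stands in for the encrypted, access-controlled store and the ticket field names are assumed.

```python
"""Deletion-request tracking with the ticket as a pointer only.
Added illustration; RESTRICTED_LOG stands in for an encrypted, access-restricted store."""
import re
import secrets

# Stand-in for the separate encrypted repository / HIPAA-covered drive.
RESTRICTED_LOG = {}

# Coarse guard for date-of-birth formats (YYYY-MM-DD, M/D/YYYY) in ticket text.
DOB_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b")


def check_no_phi(ticket, name):
    """Raise if the ticket text carries the requester's name or a date."""
    text = " ".join(str(v) for v in ticket.values())
    if name.lower() in text.lower() or DOB_RE.search(text):
        raise ValueError("ticket would expose PHI; keep identifiers in the restricted log")
    return True


def record_request(name, dob, data_type, request_date):
    """Store identifiers in the restricted log; return a PHI-free ticket payload."""
    ref = "DEL-" + secrets.token_hex(6)          # random, not derived from PHI
    RESTRICTED_LOG[ref] = {
        "name": name, "dob": dob, "data_type": data_type,
        "request_date": request_date, "deleted_on": None,
    }
    ticket = {
        "summary": f"Data deletion request {ref}",
        "data_type": data_type,
        "reference": ref,                         # pointer into the restricted log
        "status": "open",
    }
    check_no_phi(ticket, name)
    return ticket


def confirm_deletion(ref, deleted_on):
    """Write the confirmation beside the identifiers; the ticket only changes status."""
    RESTRICTED_LOG[ref]["deleted_on"] = deleted_on
    return {"reference": ref, "status": "done"}


if __name__ == "__main__":
    # Constructed sample request.
    t = record_request("Jane Sample", "1980-02-14", "patient portal account", "2024-03-04")
    print(t)                                      # no name or DOB in the ticket
    print(confirm_deletion(t["reference"], "2024-03-06"))
```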

What’s the best way to attest to HIPAA compliance?

  • The best way is third-party attestation, like adding it to a SOC audit or standalone. Alternatively, you could self-attest by showing passing tests for HIPAA controls in the readiness export.

When does a client need HIPAA?

  • A customer must determine if HIPAA applies to their organization and whether they are a covered entity or business associate. Secureframe cannot make this determination. We can refer customers to legal experts or law firms for help.

When should a company self-report HIPAA compliance and when should they consider getting an auditor attestation for HIPAA?

  • Getting an audit done shows additional due care and due diligence, which can reassure customers. Additionally, many companies find it difficult to determine whether they are compliant when self-reporting, especially if they lack the necessary in-house expertise.

Who does HIPAA apply to?

  • HIPAA applies to covered entities (e.g., healthcare providers, insurance carriers) and business associates (vendors or subcontractors that work with PHI). Subcontractors of business associates are also subject to HIPAA regulations.

Working with an international company that is going for SOC 2, HIPAA, ISO 27001, and GDPR - how do they need to handle data if they are international and operate in many countries?

  • Only medical data from the USA is relevant for HIPAA, and only EU personal data is relevant for GDPR. For SOC 2 and ISO, the focus is on having security controls in place to protect sensitive data, regardless of where it comes from.

PHI handling and safeguards

Can Secureframe notify a customer if data is considered protected health information (PHI)?

  • We cannot classify PHI for customers, as this is akin to giving legal advice.

Does OpenAI have to be HIPAA compliant in order for this platform to use them to interact with PHI?

  • OpenAI must comply with HIPAA, and not every endpoint is available for that purpose. Please refer to this article.

Does Secureframe include tests for annual PHI inventory reviews and Information System Activity Reviews for HIPAA?

  • Yes — although these requirements are not explicitly labeled as "PHI Inventory Review" or "System Activity Review" in Secureframe, they are covered through a combination of existing platform functionality and available tests:

    PHI Inventory Review:
    While Secureframe continuously monitors your asset inventory, HIPAA also expects point-in-time evidence of an annual inventory review.
    You can use the "Annual Inventory Review" test available in the Test Library, and map it to HIPAA control AC-01.
    Alternatively, you can create a custom test if your organization has a specific review process or naming convention.

    Information System Activity Review:
    This requirement is typically met through Secureframe’s ongoing monitoring and alerting tests. These tests monitor system-level activities and alert on anomalous behavior, aligning with HIPAA expectations for routine activity review.

    Best Practice: Export your asset inventory on a defined cadence (e.g., annually), attach it to the "Annual Inventory Review" test, and mark it as evidence of your PHI repository review.

How does donor data apply to PHI & HIPAA?

  • Donor data is treated as PHI under HIPAA. Covered entities must comply with HIPAA rules when sharing or disclosing donor data for organ or tissue donation and transplantation.

Additional customer questions

Do we need to publish company vacancies or job descriptions on our website for compliance?

  • No. From a compliance perspective (e.g., SOC 2, ISO 27001, HIPAA, PCI-DSS), there is no requirement to list job vacancies or job descriptions publicly on your company website.

    What is required is that job descriptions are:

    Documented and up to date

    Freely accessible to employees within the organization

    Updated when new roles are added or responsibilities change

    If you don’t have an HR platform, a shared document (such as Google Docs) is a good solution to maintain and distribute this information internally.

    Note: Some companies may choose to post vacancies publicly as part of HR or local labor law requirements, but this is not an information security or compliance framework requirement.

Does the company maintain Business Associate Agreements (BAAs) with customers?

  • Yes. The company maintains Business Associate Agreements (BAAs) with customers where required.

Why doesn't the Business Associates list test pass?

  • The test will only pass if the customer also checks the box indicating that the vendor is a Business Associate.

Why isn't my vendor populating as evidence in the "Business Associate Agreement" test, even though I marked them as a Business Associate?

  • There are two common reasons a vendor may not appear in the Business Associate Agreement test:
    1. The vendor is not set as a Production vendor.
    The Business Associate Agreement test only looks at vendors marked as used in a production environment. Vendors set to dev/test environments are ignored. Make sure the vendor's environment is set to "Production."
    2. VRM (Vendor Risk Management) setting affects the logic path.
    The test uses one of two logic paths depending on whether your company has VRM enabled (it is enabled by default):

    VRM enabled: The test looks at completed vendor risk reviews where the question "Is this vendor a Business Associate?" was answered "Yes," then checks whether a Business Associate Agreement has been uploaded for that vendor.
    VRM disabled: The test looks at vendors flagged as a Business Associate in their collected data, then checks whether a Business Associate Agreement certification record exists for that vendor.

    The test passes only when every identified Business Associate vendor has a corresponding BAA on file. If you've just added or updated a vendor, try refreshing the page -- newly configured vendors may not populate until after a refresh.
