DEFENSE & GOVERNMENT CONTRACTING

HIPAA privacy and security

Defense and government contractors holding protected health information face a dual compliance burden: meeting U.S. Department of Defense cybersecurity requirements under DFARS while simultaneously satisfying the HIPAA Privacy and Security Rule obligations enforced by the U.S. Department of Health and Human Services Office for Civil Rights. The U.S. Federal Trade Commission has also expanded its health data enforcement posture following the 2023 Health Breach Notification Rule update, which now reaches contractor-adjacent data flows that legacy HIPAA frameworks did not cover. Compliance teams in this sector are actively auditing business associate agreements and access control documentation against both regimes before contracting officers begin asking.

Watch

  • HHS OCR HIPAA Security Rule proposed update: new risk analysis specificity requirements pending finalization
  • DFARS 252.204-7012 overlap with HIPAA when ePHI sits on covered defense information systems
  • FTC Health Breach Notification Rule 2023 amendments extending to health app and vendor data
  • Business associate agreement gaps flagged in recent OCR audit protocols for subcontractor chains

Recent material activity in Defense & Government Contracting

Active monitoring is in place across Defense & Government Contracting. Material developments related to HIPAA privacy and security will appear here as they are published.