HIPAA governs US healthcare entities and their Canadian business associates. ThreeShield delivers Security Rule technical safeguard assessments, Privacy Rule documentation, and Breach Notification Rule readiness - with Lavawall® automating continuous technical evidence collection.
Unique user identification, automatic logoff, encryption/decryption. Lavawall® monitors M365 account access patterns, inactive accounts, and MFA status continuously.
Hardware, software, and procedural mechanisms to record and examine access to PHI. Lavawall® provides continuous audit log monitoring with anomaly alerting.
Protect PHI from improper alteration or destruction. Encryption at rest and in transit, integrity monitoring, and backup validation.
Encryption for PHI in transit. TLS configuration monitoring, email encryption verification, and cloud service encryption status tracked by Lavawall®.
Security officer designation, workforce training, risk analysis (§164.308(a)(1)), contingency plan, and Business Associate Agreements - required administrative documentation ThreeShield develops.
Facility access controls, workstation security, and device and media controls. Physical safeguard documentation and assessment for PHI-handling locations.
HIPAA violations carry civil penalties ranging from $100 to $50,000 per violation, up to $1.9 million per violation category per year. Criminal penalties can reach $250,000 and imprisonment. OCR (HHS Office for Civil Rights) enforcement has intensified - 2023 saw record penalty levels.
| HIPAA Requirement | Lavawall® Automated | Human Guidance Required |
|---|---|---|
| MFA enforcement status | ✓ Automated | - |
| Patch compliance for systems handling PHI | ✓ Automated | - |
| Encryption at rest/transit monitoring | ✓ Automated | - |
| Access log collection | ✓ Automated | - |
| PHI data flow mapping | ⚑ Partial | ThreeShield mapping exercise |
| Risk analysis (§164.308(a)(1)) | Platform data | CISSP/CISA-led risk analysis |
| BAA development and tracking | - | ThreeShield BAA templates |
| Workforce training documentation | ⚑ Tracking | ThreeShield training delivery |
HIPAA applies to US covered entities and their Business Associates. A Canadian company that provides services to US healthcare organizations - cloud hosting, software, analytics, billing, consulting - is likely a Business Associate and must sign a BAA and comply with the Security Rule's safeguard requirements. If your Canadian company has US healthcare clients, HIPAA very likely applies to you.
A health tech company with both Alberta healthcare clients and US healthcare clients may need to comply with both. The frameworks share common logic (protect health information with reasonable safeguards) but differ in specific requirements, breach notification timelines, and regulatory oversight. Lavawall® maps both simultaneously. See our Alberta HIA page for details.
A BAA is a contract between a covered entity and a business associate that establishes the BA's obligations regarding PHI. It must be in place before a BA handles PHI. Covered entities that don't have executed BAAs with all their vendors handling PHI are in violation. ThreeShield provides BAA templates and tracks BAA status across your vendor portfolio.
ThreeShield meets you at your current security maturity. Every level includes Lavawall®.
For lean IT teams and cost-conscious organizations with internal security capacity
Expert guidance alongside your team - ideal for MSPs and organizations with some internal IT capacity
Full compliance delivery - ThreeShield manages the entire program end to end
Choose your engagement model: DIY via Lavawall®, supported by ThreeShield's CISSP/CISA team, or fully done-for-you. Every model includes continuous monitoring so you stay compliant year-round.
Book a Scoping CallDIY · Supported · Done-for-You · Available globally