Overview
Healthcare contractors live at the intersection of two regimes: federal contracting cybersecurity (the FAR basic safeguarding clause, 52.204-21, plus NIST SP 800-171 where Controlled Unclassified Information is involved) and the HIPAA Security Rule protecting electronic protected health information (ePHI). You often must satisfy both at once.
The HIPAA Security Rule
If you create, receive, maintain, or transmit ePHI as a covered entity or business associate, the Security Rule (45 CFR Part 164, Subpart C) requires three categories of safeguards:
- Administrative (164.308) — security management process (risk analysis and risk management), workforce training, access management, incident procedures, contingency planning, periodic evaluation.
- Physical (164.310) — facility access controls, workstation use and security, device and media controls (including disposal and re-use).
- Technical (164.312) — access controls, audit controls, integrity protections, person or entity authentication, transmission security. Encryption is an "addressable" specification: you implement it or document why an equivalent alternative is reasonable and appropriate.
A formal, documented risk analysis (164.308(a)(1)(ii)(A)) is the foundation of the whole program, and its absence or staleness is the gap regulators cite most often.
Overlap With Federal Contracting Rules
When your federal contract involves CUI (health information is a recognized CUI category), you also implement NIST SP 800-171, and DoD health contracts can bring DFARS 252.204-7012 and CMMC. HHS contracts may add agency-specific security and privacy clauses, and FISMA applies to information systems you operate on the government's behalf. The good news: the regimes overlap heavily, because 800-171 is derived from the same NIST SP 800-53 control catalog that underpins FISMA, and NIST SP 800-66 maps HIPAA safeguards onto those controls. A single well-built control set, with a crosswalk documenting which control satisfies which requirement, can satisfy all of them.
Enforcement Note
Healthcare has featured prominently in DOJ cyber enforcement under the Civil Cyber-Fraud Initiative. The 2025 Health Net Federal Services / Centene settlement ($11.25M) resolved False Claims Act allegations of falsely certifying cybersecurity compliance on a federal health contract. See the Enforcement page.
What to Do Next
Run a current HIPAA risk analysis, map your ePHI flows (where ePHI is created, stored, transmitted, and by which systems and vendors), and reconcile your HIPAA safeguards with any NIST 800-171 obligations so you maintain one coherent program rather than two parallel ones. Then check Find My Requirements.
Sources
- HHS HIPAA Security Rule, 45 CFR Part 164 (hhs.gov); NIST SP 800-171; NIST SP 800-66 (HIPAA Security Rule guidance)