HIPAA / HITRUST
Compliance for healthcare and HITRUST CSF certification.
Overview
What it is, in plain English.
HIPAA sets the federal floor for protecting Protected Health Information (PHI) through the Privacy Rule, Security Rule, and Breach Notification Rule, as amended by the 2013 Omnibus Rule. HITRUST CSF is the prescriptive control framework behind the certification that payers, hospital systems, and large covered entities increasingly demand from their vendors. Lyra runs both: HIPAA Security Risk Analyses for covered entities and business associates, and full HITRUST e1, i1, and r2 certification programs.
HIPAA Privacy and Security Rule compliance, plus HITRUST CSF readiness and certification support — backed by a dedicated healthcare practice.
Who needs it
Built for organizations that have to get this right.
Hospitals, clinics, and physician groups (covered entities)
Health tech, RCM, telehealth, and clearinghouses (business associates)
Digital health startups selling into payers and integrated delivery networks (IDNs)
Vendors required by contract to deliver a HITRUST report
Our approach
How we get you audit-ready and keep you there.
We don't drop policy templates and disappear. We design controls, implement them in your environment, prepare every artifact, and walk with you through the audit — then operate the program after certification so you stay compliant year over year.
- 01
Scope & Gap Assessment
We map your environment, business processes, and existing controls against the framework to find every gap, redundancy, and risk.
- 02
Remediation & Control Design
We design and implement the technical and administrative controls — policies, configurations, monitoring, and evidence pipelines.
- 03
Evidence & Documentation
We build the artifact library auditors expect: policies, SSPs, risk registers, control matrices, and continuous evidence collection.
- 04
Audit Support & Continuous Monitoring
We sit with you through the audit, respond to auditor requests, and operate the program after certification so you stay compliant year-round.
Key controls
What's actually in scope.
HIPAA Security Risk Analysis (required by the Security Rule, 45 CFR 164.308(a)(1); in practice refreshed at least annually and after major changes to the environment)
Administrative safeguards — workforce training, access management, sanctions
Physical safeguards — facility access, workstation security, device disposal
Technical safeguards — access control, audit controls, integrity, transmission security
Business Associate Agreements (BAAs) and vendor management
Breach response and notification readiness (the Breach Notification Rule requires notice without unreasonable delay, and no later than 60 days after discovery)
Deliverables
What you walk away with.
HIPAA Security Risk Analysis and remediation plan
Privacy and security policy library
BAA template and vendor inventory
HITRUST MyCSF assessment object and scoring
HITRUST e1 / i1 / r2 validated assessment performed with an Authorized External Assessor partner, with the certification issued by HITRUST
Timeline
HIPAA SRA: 4–8 weeks. HITRUST e1: 3–4 months. HITRUST r2: 9–18 months for first certification.
Questions we hear
Straight answers to the real questions.
- Is HIPAA a certification?
- No. HHS does not recognize any third-party HIPAA certification, so no certificate proves compliance. A current, documented Security Risk Analysis is your defensible evidence. HITRUST is the closest thing to a HIPAA certification the market recognizes.
- Which HITRUST level do I need?
- e1 is a one-year certification covering foundational cybersecurity essentials. i1 is a one-year, threat-adaptive certification with a larger, fixed control set. r2 is the gold standard: a two-year, risk-based certification with prescriptive controls tailored to your scope and an interim assessment at the one-year mark, and it is what most large payers require.
- What about HHS audits?
- OCR enforcement audits and complaint-driven investigations are real and increasing. A current Security Risk Analysis, documented remediation, and an up-to-date policy library are the three artifacts OCR asks for first.
Other frameworks we support
SOC 2 (Type 1 and Type 2)
AICPA SOC 2
ISO 27001
ISO/IEC 27001 ISMS
CMMC
Cybersecurity Maturity Model Certification
NIST 800-171
Protecting CUI in non-federal systems
NIST CSF (including 2.0)
NIST Cybersecurity Framework
PCI DSS
Payment Card Industry Data Security Standard
24 / 7 Recovery
When the worst day hits, every minute matters.
Our breach team is standing by — call, email, or submit a request and we respond within minutes.