Buying Smart

What Compliance Software Can and Cannot Assess

Compliance software cannot walk into a room and look at a door. That sounds glib, but it is the entire buying decision compressed into one sentence — because the HIPAA Security Rule requires things that are facts about rooms, doors, monitors, and habits, and it says so in its own words. 45 CFR 164.308(a)(8) requires a periodic "technical and nontechnical evaluation." Software is very good at the technical half and structurally incapable of the nontechnical half on its own. None of that makes software a bad purchase — it is often the right one. It means the question worth asking is not "is this tool enough?" but "which half am I buying, and who is doing the other half?" That question has a real answer, and most buyers never ask it.

The division of labor nobody writes down

Every compliance tool purchase creates an implicit division of labor between the software and the customer. The software covers some of the obligation. The customer covers the rest. That division is real, it is unavoidable, and it is almost never stated on the pricing page.

It is not stated because it is not a defect — it is how the category works, and it works fine right up until nobody notices the boundary. The customer assumes the tool covered it. The tool assumed the customer would. The obligation sits in the gap, uncovered, documented nowhere, for as long as nothing goes wrong.

The word the rule actually uses

You do not have to infer any of this. The regulation names it.

45 CFR 164.308(a)(8), the Evaluation standard: perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under the rule and subsequently in response to environmental or operational changes, that establishes the extent to which the entity's security policies and procedures meet the requirements of the subpart.

Not "technical evaluation." Technical and nontechnical. A nontechnical evaluation examines policies, procedures, physical arrangement, and how people actually behave. It is the half performed by a person who goes and looks.

The three safeguard categories make the same point structurally. The Security Rule is administrative safeguards (164.308), physical safeguards (164.310), and technical safeguards (164.312). Only one of those three is natively a software domain.

What software does genuinely well

It is worth being fair here, because the honest case for compliance software is strong:

  • Structure. HHS guidance lists the elements a risk analysis must incorporate — scope, data collection, threat and vulnerability identification, assessing current security measures, likelihood, impact, risk level, documentation, and periodic review. Software keeps you from skipping one.
  • The technical half. Access control, audit controls, encryption configuration, and system activity review are exactly the things a tool can inspect or track directly.
  • Documentation and retention. 164.316 requires Security Rule documentation in writing, retained six years from the later of creation or last effective date. A system that timestamps and holds it is genuinely better than a folder.
  • Making it ongoing. HHS says the risk analysis process "should be ongoing," and 164.306(e) requires review and modification as needed. Software is good at not forgetting.
  • Prompting the nontechnical work. A tool can ask whether the server room is locked and record the answer. That is real value — provided a human went and checked before answering.

That last point is the hinge of this whole article. The tool can ask. It cannot know.

What no software can see on its own

The physical safeguards standard at 164.310 is a list of things that exist in physical space:

RequirementCitationWhat it is a fact about
Facility access controls164.310(a)(1)The building, and who gets into it
Access control and validation, including visitor control164.310(a)(2)(iii)Who walks past the closet unescorted
Maintenance records — "hardware, walls, doors, and locks"164.310(a)(2)(iv)Physical repairs, in the rule's own words
Workstation use — "the physical attributes of the surroundings"164.310(b)Which way the monitor faces
Workstation security164.310(c)Every workstation touching ePHI
Disposal (Required)164.310(d)(2)(i)The drive on its way to the dumpster
Media re-use (Required)164.310(d)(2)(ii)The laptop handed to the new hire

"The physical attributes of the surroundings of a specific workstation" is a regulation asking whether the check-in screen is readable from the waiting room chairs. No agent, scanner, or questionnaire answers that. Someone stands there and looks.

The administrative side has its own unautomatable residue: workforce training under 164.308(a)(5), the sanction policy at 164.308(a)(1)(ii)(C), and the designated security official at 164.308(a)(2) — a named person with an ongoing job, which is a thing software cannot be.

Three delivery models, all legitimate

ModelSoftware coversYou coverFits when
Self-service toolStructure, technical half, documentationThe walkthrough, the training, the judgmentYou have capable staff and few enough sites that they can actually do it
Tool plus expert reviewStructure and technical halfLess — an expert reviews or performs the nontechnical halfYou want the tool's economics with a check on the judgment
Expert-led engagementWhatever the vendor's platform doesAccess, and timeMany sites, thin staff, or the physical estate is the risk

None of these is the correct answer in general. A single-office practice where the manager can see every workstation from one chair genuinely does not need someone flown in to confirm it. A group with eleven clinics, three storage units, and a server closet with a propped-open door has a different problem, and it is not a software problem.

How to tell which one fits you

Four honest questions, in order:

  1. How many physical locations hold ePHI? Include satellite offices, billing offices, and storage. HHS is explicit that the analysis covers all ePHI "regardless of the source or location of its e-PHI," and that electronic media includes "complex networks connected between multiple locations." Your site count is the single biggest driver of which model fits.
  2. Who, by name, will walk each one? If you cannot name the person, the self-service model is not currently working — not because the tool is bad, but because the model has an unfilled role in it.
  3. Do they have the time and the standing? The walkthrough is a job. If it lands on someone who already has a full one, it becomes a form filled in from memory, which is the same as not doing it but with a document that says otherwise.
  4. What happens in month seven? HHS names the triggers for revisiting: a security incident, change in ownership, turnover in key staff or management, planned new technology. Who notices those and acts?

The failure mode to avoid

It is not buying the cheap tool. It is not buying the expensive engagement either.

It is buying anything and not knowing where its scope stops — then holding a confident, well-formatted, professionally produced report that covers 60% of your obligation while reading, to everyone who looks at it, as though it covers 100%. A partial assessment presented as a complete one is worse than no assessment, because it terminates the search. Nobody looks for the gap after they have seen the report.

Cost is a legitimate factor and the rule says so — 164.306(b) lists the cost of security measures among the things you weigh, alongside your size and complexity, your technical infrastructure, and the probability and criticality of potential risks. Cost is one of four. It is not the first, and it is not the one that determines whether your scope matches your obligation.

The takeaway

The rule asks for a technical and nontechnical evaluation. Software is excellent at the first word and cannot, by itself, perform the second. That is not a criticism of the category — it is a description of it, and every honest vendor in it will tell you the same thing if you ask directly.

So ask directly. Which standards does your scope cover, and which do you assume we perform? Who walks each of our locations? Both answers are short. Getting them before you sign converts a hidden gap into a staffing decision, and a staffing decision is a thing you can actually make.

Common questions

Can compliance software make you HIPAA compliant?

No software makes an organization compliant, because a significant part of what the rule requires is not a software artifact. 45 CFR 164.308(a)(8) requires a periodic technical and nontechnical evaluation. The physical safeguards standard at 164.310 covers facility access, the physical surroundings of workstations, and disposal of hardware and media. Those are facts about buildings and behavior. Software can structure the assessment, hold the documentation, and cover the technical half well, but someone still has to walk the building. The right question is not whether software is sufficient but who is assigned to the parts it does not reach.

Is a free HIPAA risk assessment tool good enough?

It can be, depending on who uses it. HHS and ONC jointly publish a Security Risk Assessment Tool designed to help small and medium-sized practices and business associates work through the Security Rule. It is a real tool built by the regulator's own collaborators. What it cannot do is perform the assessment for you. The tool asks the questions; the completeness of the answers depends on whether someone actually inspected what is being asked about. A carefully completed free tool beats a carelessly completed paid one.

What parts of HIPAA compliance can software not automate?

Broadly, anything that is a fact about a room, a person, or a habit. The physical safeguards at 45 CFR 164.310 include facility access controls, workstation use policies covering the physical attributes of a workstation's surroundings, workstation security, and device and media controls where disposal and media re-use are both Required specifications. The administrative safeguards include workforce training, sanction policy, and the nontechnical half of the periodic evaluation. Software can prompt, track, and document all of these. It cannot observe them.

How do I know if a compliance tool's scope covers everything we need?

Ask the vendor to state, in writing, which Security Rule standards their scope addresses and which they assume the customer performs. Map the answer against the three safeguard categories: administrative at 164.308, physical at 164.310, technical at 164.312. Then ask who performs the nontechnical evaluation required by 164.308(a)(8), and who is responsible for each physical location holding ePHI. Any honest vendor can answer both. The answers vary legitimately. Not asking is what produces the gap.