Comment by ranger_danger

6 hours ago

There's not even a test for HIPAA compliance, so you can't legally prove you were ever compliant in the first place, other than you did what you thought was right. People love to use the term "HIPAA-compliant" but it's technically not a thing.

From my understanding, HIPAA mostly just says that you need to have policies in place for various things, such as rotating passwords or encrypting data, but it doesn't go into explicit detail about what all must be IN those policies, or how you enforce them.