There Is No Official “HIPAA Compliance Logo.” Here’s What to Look for Instead.


When choosing digital tools to manage health information, many families assume they should look for a “HIPAA compliance” badge or logo. It’s a reasonable assumption, but it’s also a common misconception.

There is no official HIPAA compliance logo, seal, or government certification.

The U.S. Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR), which enforce HIPAA, do not certify apps, platforms, or vendors as “HIPAA compliant.” Compliance is only ever assessed after the fact, through an investigation or audit that follows a complaint or a breach.

So why do you see HIPAA badges online?

Those are created by private companies, often as part of training programs or marketing materials. They are not government-issued and do not guarantee that an organization has strong security practices.

Instead of looking for a HIPAA logo, families and caregivers should look for independent security and privacy certifications that evaluate how companies actually protect data.

As mental health provider Amber Young, LMHC, explains:

“When someone asks, ‘Is it HIPAA secure?’ my brain jumps to business associate agreements (BAAs), encryption, access controls, audit logs, and whether I can meet my legal and ethical obligations as a provider and practice owner. But often HIPAA is just the only word people have for much bigger concerns: Who has this information? Where does it go? What can be done with it? How could it impact me? And increasingly, people worry how future technology or legal loopholes might change protections. HIPAA is a baseline, not a guarantee. The real conversation is about ethics, transparency, and trust around sensitive data.”

What Certifications Do Matter?

SOC 2 (System and Organization Controls)

SOC 2 is an independent audit that evaluates how a company protects:

  • Security
  • Availability
  • Confidentiality
  • Privacy

To earn SOC 2, companies must demonstrate, with real operational evidence, that they follow strict controls for access, encryption, monitoring, and incident response. It’s not a one-time checklist; it’s an ongoing compliance process reviewed by third-party auditors.

HITRUST Certification

HITRUST is a healthcare-focused security framework that combines:

  • HIPAA requirements
  • NIST cybersecurity standards
  • Industry best practices

HITRUST certification is often required by hospitals and health plans when they evaluate vendors, because it provides a structured way to assess whether an organization meets rigorous healthcare security expectations.

Importantly, neither SOC 2 nor HITRUST replaces HIPAA; they operationalize it.

They demonstrate whether an organization has the technical and administrative safeguards needed to protect sensitive health information in real-world systems.

Industry Commitments Beyond Certification

Another emerging standard families may hear about is the CARIN Alliance Code of Conduct, which sets expectations for how consumer-directed health data should be handled.

Organizations committing to the CARIN Code agree to principles such as:

  • Consumers control how their data is shared
  • Data use is transparent and understandable
  • No hidden secondary uses of health information
  • Accountability for protecting consumer data

These principles help ensure that as health data becomes more portable and consumer-directed, it remains handled ethically and transparently.

Primary Record has committed to following the CARIN Code of Conduct, and families can review how these principles are reflected in our privacy and data practices on our website.

What Else Should Health App Consumers Look For?

Beyond certifications, trustworthy health apps should clearly explain:

  • Who can access your data, and how you can revoke that access
  • Whether your data is ever sold or used for advertising
  • How consent works when sharing with caregivers or care teams
  • What happens if something goes wrong

As more health data moves directly into the hands of patients and families through connected apps, strong consumer protections, transparent policies, and verifiable security practices matter more than logos.

Being an informed healthcare consumer today means looking past simple labels and asking better questions about how your data is actually protected, and who is accountable for keeping it that way.

Why We Chose to Pursue SOC 2 at Primary Record

At Primary Record, we work with families, caregivers, advocates, and community health partners, coordinating care across multiple systems and portals. That means we carry a serious responsibility to protect not just data, but trust.

That’s why we chose to pursue and pass a SOC 2 audit, an independent security and privacy assessment that evaluates how our systems, policies, and daily operations protect sensitive information.

SOC 2 doesn’t just review technical safeguards like encryption and access controls. It also covers:

  • How we manage internal access to data
  • How we monitor systems for unusual activity
  • How we train our team on privacy and security
  • How we respond if something goes wrong

Most importantly, SOC 2 Type II requires ongoing compliance, not a one-time check. Independent auditors regularly review whether we are actually following the controls we claim to have in place.

We also believe families deserve more than technical security. They deserve:

  • Clear control over who can see their information
  • The ability to revoke access at any time
  • Assurance that their data will not be sold or used for advertising

Conducting SOC 2 Type II audits is one way we hold ourselves accountable to those commitments, not because a badge makes data safe, but because process, transparency, and independent verification do.

For those who want deeper transparency, we publish ongoing security, compliance, and operational updates in our public Trust Center, available at https://trust.primaryrecord.com.

As healthcare becomes more connected and more digital, families are being asked to play a bigger role in managing and sharing health information. Our goal is to make that role safer, clearer, and more empowering, not more confusing.

And that starts with helping people know what questions to ask, what standards matter, and why they deserve better than a logo.
