A formal verification—usually issued by a third-party auditing firm (such as a CPA)—confirming that an organization’s security and privacy controls meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA).
Because the U.S. government does not offer an “official” certification, an Attestation Report (often an AICPA AT-C 315 or a SOC 2 + HIPAA Mapping) serves as the industry-standard evidence that a vendor has implemented the necessary administrative, physical, and technical safeguards. For Life Sciences firms, this document is critical during due diligence; without it, a vendor’s claim of being “HIPAA compliant” is merely a self-reported statement without independent validation, which can increase the regulatory liability of the hiring entity.