Hipsana

Editorial standards

How we research and source, in plain terms.

Last updated: June 18, 2026

The short version: we hold every factual and regulatory statement on this site to one standard. It traces to a primary source, the agency that wrote the rule or recorded the case, or it gets labeled as unverified, never guessed. Much of the HIPAA guidance online leans on vendor summaries and secondhand coverage; we work from the regulator’s own text and link to it, so you never have to take our word for it. We write about a subject where one wrong detail can cost a practice real money, so when we are not certain, we say so. Here is how the work is done.

What Hipsana is

Hipsana is an educational publisher and a referral service. We are not a HIPAA “covered entity” or “business associate,” and we do not handle protected health information. The Scorecard asks how your practice operates, never about individual patients.

Who writes it

Hipsana is written by its founder, Dolev Arama, who is accountable for the accuracy of what appears here. He does not claim to be a compliance authority. What he holds to is the sourcing discipline below: if a statement cannot be traced to the regulator that made it, it does not go on the site. There is more about who we serve, and why, on our About page.

Where our facts come from

We rank our sources and lean on the most authoritative first. The rules themselves come from the government: HHS, its Office for Civil Rights, NIST, and the FTC. When a page states what a rule requires, we read the regulation’s official text rather than a summary of it, and we link to it so you can check the wording yourself.

Below the regulators sit peer-reviewed and academic sources, used where a clinical or technical point calls for them. Industry data, such as the Verizon Data Breach Investigations Report or IBM’s breach-cost research, informs context and is never the basis for a legal claim. We cite a news report only to establish that a specific breach or enforcement action happened. Vendor research is treated with caution and is never the only source behind a claim, and industry blogs are for opinion, not evidence.

How we check a claim before it runs

Before a regulatory statement goes live, we verify it against the current official text. A citation to a specific HIPAA section is checked against the regulation as it reads today. A penalty figure comes only from the resolution agreement HHS published in that case, not from a secondary roundup, and we link to that agreement. We do not quote statistics from memory. When an article rests on an enforcement case, we name the practice, the year, the amount, and the specific failure, and we show the source document so you can confirm it yourself.

When we publish our own data

Hipsana runs a free Security Scorecard, and over time the anonymized, aggregated results will show patterns worth reporting, such as which gaps come up most often in small practices. We have not published findings from that data yet. When we do, we will report how many practices a figure is based on, describe how the data was collected and stripped of anything identifying, and show the patterns as they are rather than the ones that flatter us. Until then, we rely on the named enforcement cases and primary sources above.

When the rules are not settled

Some of HIPAA is in motion. When a rule is proposed but not yet final, we say so plainly and label it as proposed, never as current law. Plenty of guidance online blurs that line. We do not. When a question has no clear regulatory answer, we tell you that instead of inventing certainty. The aim is simple: you can act on what is settled, and see exactly where the open questions are.

Keeping it current

Every article shows the date it was published and the date it was last updated. We review our main articles at least once a year, and again whenever the rule changes, an enforcement pattern shifts, or a reader points out something that has gone stale. The “last updated” date reflects a real review of the content, not a cosmetic edit.

What we will not do

We will not publish a regulatory claim we have not checked against the source. We will not state a penalty figure that does not come from an HHS resolution agreement. We will not present a proposed rule as if it were already law. We will not let a referral fee change a single word of what an article says.

How money fits in

Hipsana is free to use. We earn a referral fee only if you choose to work with a specialist we introduce you to, and that fee never changes what a review or an article says. The full detail is on our Disclosure page.

Correcting mistakes

We get things wrong sometimes, and we would rather fix a mistake quickly than pretend it did not happen. If you spot an error, a stale recommendation, or a source we should have cited, email hello@hipsana.com and tell us what is wrong. We check it against the source, correct the page when it is warranted, and note material changes with a date. Our corrections policy sets out what we treat as a correction and where corrections appear.

Educational content disclaimer

Hipsana provides informational content about cybersecurity and HIPAA compliance. We are not attorneys, compliance officers, or healthcare professionals. Nothing here is legal, regulatory, medical, or financial advice. For questions specific to your practice, consult a qualified professional. Regulations change; verify current requirements with the relevant regulator (HHS, OCR, FTC) before acting.