Regulatory Compliance

Compliance that makes business sense.

SOC 2, HIPAA, ISO 27001, and beyond. Practical compliance intelligence for business leaders — not compliance officers. Updated weekly.

Frameworks We Cover

  • SOC 2: Trust Services Criteria
  • HIPAA: Healthcare Privacy & Security
  • ISO 27001: Information Security Management
  • NIST CSF: Cybersecurity Framework
  • PCI DSS: Payment Card Industry
  • HITRUST: Healthcare IT Trust Alliance
Featured · HIPAA · HIPAA Security Rule — OCR Enforcement · 7 min read

HHS OCR Just Settled Four HIPAA Ransomware Cases for $1.17M. Every One Failed on the Same Thing.

HHS OCR settled four HIPAA ransomware investigations totaling $1.17M and affecting 427,000 individuals. Every single one failed on the same requirement. Here's what that tells you about where your program needs to be.

HIPAA 5 min read

HIPAA's Security Rule Turns 21 This Year. The New Era Is Prescriptive, Not Flexible.

The HIPAA Security Rule has been in effect for 21 years. The 2026 proposed updates mark a fundamental shift in philosophy — from flexible guidance to specific, enforceable requirements. Here's what that means.

April 29, 2026
State Regulations 4 min read

Alabama Just Strengthened Its Data Breach Law. Here's What Changed and Who It Affects.

Alabama's updated data breach notification requirements took effect in 2026, tightening timelines and expanding covered data categories. If you have customers or employees in Alabama, this applies to you.

April 28, 2026
SOC 2 5 min read

SOC 2 and AI Governance: What Auditors Are Now Asking That They Weren't Asking 18 Months Ago

AI governance is becoming a standard part of SOC 2 audit scope. If your product uses AI to process customer data, here's what auditors are looking for and how to prepare.

April 26, 2026
HIPAA 5 min read

The HIPAA Security Risk Assessment: Why Most Companies Get It Wrong and What to Do Instead

The HIPAA Security Risk Assessment is required by law. It's also one of the most misunderstood compliance requirements in healthcare. Here's what it actually means and how to do it right.

March 12, 2026
ISO 27001 5 min read

ISO 27001 vs. SOC 2: Which Framework Is Right for Your Company in 2026?

Both are legitimate security frameworks. But they serve different markets and different purposes. Here's how to choose without wasting 6 months going down the wrong path.

March 5, 2026
State Regulations 4 min read

State Privacy Laws in 2026: What High-Growth Companies Need to Know Right Now

The patchwork of US state privacy laws has gotten more complex. Here's a practical summary of what's in effect, what's coming, and what your compliance team needs to be tracking.

February 26, 2026

Not sure which framework applies to you?

Here's a quick guide for SaaS and Healthcare companies.

B2B SaaS Companies

  • SOC 2 Type II — required by most enterprise customers
  • ISO 27001 — if selling internationally
  • State privacy laws — CPRA, VCDPA, and others
  • NIST CSF — as an internal framework baseline

Healthcare Services & Health Tech

  • HIPAA Security Rule — required for all ePHI
  • HIPAA Privacy Rule — required for PHI handling
  • HITRUST — if enterprise healthcare customers require it
  • SOC 2 — increasingly required alongside HIPAA
  • State health privacy laws — CMIA and others
