Verify your business associates' devices before HIPAA requires it.
The proposed HIPAA Security Rule will require annual written verification that every business associate has the right technical safeguards on the actual devices touching ePHI. Ensure replaces paper attestations with a check on every login.
HIPAA Security Rule NPRM (published January 2025). Final rule expected in 2026, with a 180-day compliance clock. Encryption's "addressable" status is gone.
What Ensure makes possible
One check verifies HIPAA business associate devices, enforces posture, and produces your audit evidence.
100%
of BA logins verified, not attested
Verify the device, not the paperwork
Ensure checks the actual device at every login: encryption, patches, firewall, screen lock. The result feeds your access policy.
1-click
audit export
Generate the verification HIPAA will require
Every check writes a timestamped record. Export the annual technical-safeguard verification HIPAA will require, without chasing 200 vendors.
< 5 min
average BA setup time
Onboard BAs without enrolling them in MDM
BAs install a lightweight check, not an MDM profile. They keep their own device. Most self-remediate without a help-desk ticket.
Your situation
Which problem are you solving today?
Privacy Officer / Compliance
I need defensible evidence for the next OCR audit
Paper attestations won't survive the proposed rule. See how Ensure produces the written technical-safeguard verification HIPAA will require.
See the audit evidence
CISO / Security Architect
I need to verify devices I don't manage
Business associates and external clinicians touch ePHI from devices outside your control. See what Ensure verifies and how it plugs into Entra Conditional Access.
See the architecture
Third-Party Risk Manager
I need to operationalize annual BA verification
Manual verification across hundreds of BAs doesn't scale, and a signed BAA won't satisfy the new rule. See how Ensure runs verification continuously.
See the workflow
In production since 2019
How a national insurance carrier verifies 8,000+ broker devices without MDM.
The architecture that satisfies a state insurance examiner satisfies an OCR investigator. Continuous device verification, exportable evidence, no agent on the carrier's side.
Read the case study
7+ years
in continuous production at U.S. carriers
8,000+
third-party devices verified per deployment
Three steps
How Ensure verifies a BA device before ePHI access, in three steps.
The BA logs in as they do today. Ensure runs the check, posts the result to your access policy, and writes an immutable record. Their experience is unchanged. Your evidence picture is not.
BA attempts to access your portal
Two lines of code in your login portal trigger Ensure on sign-in. No corporate enrollment. No new identity.
Device posture is verified in seconds
Encryption, anti-malware, firewall, OS patch level, screen lock. If something fails, the BA gets guided steps to fix it before reaching ePHI.
Evidence is logged automatically
Every check produces a timestamped record: BA, device, controls, result, remediation. Export to satisfy the rule's annual verification requirement.
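The three steps above describe a posture check whose verdict gates access and whose record must survive an auditor's scrutiny. The following is an added illustration of that flow, not Ensure's code: it evaluates a constructed posture report against an assumed policy, turns the verdict into an access decision with guided remediation, and appends a timestamped record to a hash-chained log so that any later edit to a record is detectable. The control names, thresholds, remediation text, business associate name and device identifier are all assumptions for illustration.

```python
"""Illustrative posture gate with a tamper-evident evidence log.

Added example, not Ensure's code. Control names, thresholds, remediation
wording and the log format are assumptions for illustration only.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Any

# Assumed policy thresholds; a real deployment takes these from the
# covered entity's access policy.
MAX_PATCH_AGE_DAYS = 30
MAX_SCREEN_LOCK_SECONDS = 900

# Guided remediation shown to the BA for each failed control (assumed wording).
REMEDIATION = {
    "disk_encryption": "Turn on full-disk encryption (BitLocker/FileVault) and reboot.",
    "anti_malware": "Enable real-time protection in your endpoint anti-malware.",
    "firewall": "Turn on the host firewall.",
    "os_patch_age_days": f"Install OS updates; patches must be under {MAX_PATCH_AGE_DAYS} days old.",
    "screen_lock_seconds": f"Enable auto-lock at {MAX_SCREEN_LOCK_SECONDS} seconds or less.",
}


def evaluate(report: dict[str, Any]) -> list[str]:
    """Return the names of failed controls; an empty list means the device passes."""
    failed: list[str] = []
    for flag in ("disk_encryption", "anti_malware", "firewall"):
        if report.get(flag) is not True:          # missing counts as failed
            failed.append(flag)
    patch_age = report.get("os_patch_age_days")
    if not isinstance(patch_age, int) or patch_age > MAX_PATCH_AGE_DAYS:
        failed.append("os_patch_age_days")
    lock = report.get("screen_lock_seconds")
    if not isinstance(lock, int) or not (0 < lock <= MAX_SCREEN_LOCK_SECONDS):
        failed.append("screen_lock_seconds")      # 0 or missing means lock is off
    return failed


def _digest(record: dict[str, Any]) -> str:
    """SHA-256 over the canonical JSON of a record, excluding its own hash."""
    body = {k: v for k, v in record.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass
class EvidenceLog:
    """Append-only log in which every record commits to the previous one."""
    records: list[dict[str, Any]] = field(default_factory=list)

    def record_check(self, ba: str, device_id: str, report: dict[str, Any],
                     now: datetime | None = None) -> dict[str, Any]:
        failed = evaluate(report)
        rec: dict[str, Any] = {
            "ts": (now or datetime.now(timezone.utc)).isoformat(),
            "ba": ba,
            "device": device_id,
            "controls": dict(report),                # copy so later edits are caught
            "result": "pass" if not failed else "fail",
            "failed": failed,
            "remediation": [REMEDIATION[c] for c in failed],
            "prev_hash": self.records[-1]["hash"] if self.records else "0" * 64,
        }
        rec["hash"] = _digest(rec)
        self.records.append(rec)
        return rec

    def verify_chain(self) -> bool:
        """True only if every record is intact and correctly linked to its predecessor."""
        prev = "0" * 64
        for rec in self.records:
            if rec["prev_hash"] != prev or _digest(rec) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

    def export_jsonl(self) -> str:
        """One JSON record per line, the shape an auditor can ingest."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.records)


def allow_access(rec: dict[str, Any]) -> bool:
    """The access policy admits the session only on a passing verdict."""
    return rec["result"] == "pass"


# Constructed sample posture reports (not captured from real devices).
PASSING_REPORT = {"disk_encryption": True, "anti_malware": True, "firewall": True,
                  "os_patch_age_days": 12, "screen_lock_seconds": 600}
FAILING_REPORT = {"disk_encryption": False, "anti_malware": True, "firewall": True,
                  "os_patch_age_days": 45, "screen_lock_seconds": 600}


def demo() -> tuple[EvidenceLog, dict[str, Any], dict[str, Any]]:
    """A BA fails first, remediates, and passes on the second sign-in."""
    log = EvidenceLog()
    t0 = datetime(2026, 1, 15, 14, 30, tzinfo=timezone.utc)   # fixed for reproducibility
    first = log.record_check("Example Billing LLC", "laptop-7f3a", FAILING_REPORT, t0)
    second = log.record_check("Example Billing LLC", "laptop-7f3a", PASSING_REPORT, t0)
    return log, first, second


if __name__ == "__main__":
    evidence, _, _ = demo()
    print(evidence.export_jsonl())
```

The chained hash is what turns "timestamped record" into defensible evidence: an exported log can be re-verified by the auditor, and a record altered after the fact breaks every link that follows it. In a deployment the log would additionally be anchored somewhere the portal operator cannot silently rewrite, such as write-once storage or a signed external timestamp.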
The regulatory shift
The proposed rule moves business associate oversight from "documented" to "verified."
The January 2025 NPRM is the biggest Security Rule change since 2013. Three provisions hit BA oversight directly.
§164.308
Annual written verification
Covered entities must obtain written verification at least once every 12 months that each business associate has deployed the required technical safeguards: a written analysis of the BA's relevant systems by someone with appropriate cybersecurity knowledge and experience, plus a written certification from the BA that the analysis was performed and is accurate. A signed BAA is not the verification.
§164.312
Encryption is no longer addressable
ePHI must be encrypted at rest and in transit, with limited exceptions. The flexibility to document why encryption isn't reasonable is being eliminated.
§164.306
Compliance audits every 12 months
Both covered entities and business associates must conduct a documented compliance audit at least once every 12 months. OCR audit volume is expected to rise materially in 2026.
Why not just…
Most existing approaches break under the proposed rule.
The new rule moves from "have you documented your safeguards?" to "have you verified your business associates' technical controls?" Several common approaches don't make that jump.
| Approach | Where it breaks |
|---|---|
| Annual paper attestations from each BA | Documents intent, not implementation. Fails a strict reading of the proposed rule. |
| Vendor risk questionnaires (Vanta, OneTrust, etc.) | Captures policy, not actual device state. Doesn't verify deployed safeguards. |
| Issue managed devices to all BAs | Cost-prohibitive at scale. BAs typically refuse to swap their working device. |
| Force BAs into your MDM (Intune, Jamf) | BAs reject enrollment of personal devices. Onboarding slows from minutes to weeks. |
| VDI / virtual desktop access only | Expensive licenses, degraded UX, and no insight into the underlying device. |
| Enterprise browser (Island, Talon) | Higher cost than needed. Forces a browser change. Not a posture-verification product. |
| Ensure Endpoint | $3 per user per month. No MDM. Two lines of code on your portal. Verifies real device controls. Audit-ready evidence by default. |
Why now
The compliance window is shorter than it looks.
Wait for the final rule and you'll have roughly 180 days to operationalize verification across hundreds or thousands of business associates. Standing up the program now means evidence in hand before the deadline.
January 2025
HHS publishes NPRM
First major Security Rule update since 2013. About 5,000 public comments submitted by March.
2025–2026
Comment review and final rule
OCR reviews submissions. Industry expects a final rule in 2026 with a 180-day clock.
Final rule + 180 days
Compliance deadline
Annual BA technical-safeguard verification becomes enforceable. Audits ramp.
Today
The cheapest time to start
Ensure goes live in days. BA onboarding ramps over 60 to 90 days. Evidence accumulates from day one.
Watch a BA sign in, get verified, and produce audit evidence in 15 minutes.
No slide deck. Real portal, real unmanaged device, real verification. Exactly what your auditor would see.