Home / HIPAA Compliance Checklist for LA: HIPAA, SOC 2, CMMC
Compliance · 6 min · Updated Jul 2026

IT Compliance for Los Angeles Businesses: From a HIPAA Compliance Checklist to SOC 2 and CMMC

A HIPAA compliance checklist is where most Los Angeles healthcare businesses start, but it covers just one of three security rules that LA companies now get asked to prove. The other two are SOC 2 and CMMC. Each one applies to a different kind of business, and some firms fall under more than one.

This page sorts out which rule applies to you. We reviewed more than a dozen LA-area IT firms while building this guide, and the same confusion came up again and again: owners think "compliance" is a single thing to buy. It isn't. It's a set of separate frameworks, each with its own regulator and its own reason to exist.

Read the framework table first. Then follow the link to the detailed page for the one that governs your business.

Which framework applies to your business

The three frameworks split cleanly by industry and by who is asking for proof.

Framework Who it applies to (LA examples) Who sets or enforces it
HIPAA Healthcare providers, health plans, and any vendor that handles patient data: LA clinics, dental and therapy practices, medical billing shops, and their IT provider HHS Office for Civil Rights (federal law)
SOC 2 Software, tech, fintech, and IT firms that must show enterprise customers their data is safe: LA startups, media-tech, SaaS vendors AICPA (a voluntary audit, not a law)
CMMC Defense and aerospace contractors that handle government contract data: the El Segundo and Long Beach aerospace corridor US Department of Defense (built on NIST rules)

One firm can need two of these at once. A healthcare software company in LA often has to meet HIPAA and SOC 2: HIPAA because it touches patient data, SOC 2 because its hospital customers demand an audit before they sign.

HIPAA: for anyone who touches health data

HIPAA covers two groups. The first is "covered entities": doctors, clinics, and health plans. The second is "business associates," which includes the IT company that stores or backs up patient records for them.

Both groups carry the same duty. If your systems hold protected health information, the rules apply to you whether you have five staff or five hundred.

Los Angeles has one of the densest healthcare markets in the country, so this is the framework most local firms ask about. The detailed page walks through each control and turns it into a plain list you can work down.

SOC 2: for firms that must prove security to customers

SOC 2 is not a law. It is a report a CPA firm writes after examining how you protect customer data. Enterprise buyers ask for it before they trust a vendor with their information.

No company can declare itself SOC 2 compliant on its own. The report only exists once an outside auditor signs it, which is why you should ask any vendor to show the report, not just the badge.

SOC 2 matters most for LA software, fintech, and IT firms selling to larger companies. Law firms and finance shops handling sensitive client files often get asked for it too.

CMMC: for the defense and aerospace supply chain

CMMC is the Cybersecurity Maturity Model Certification. The Department of Defense requires it from contractors that handle federal contract information or controlled unclassified information.

The rules sit on top of NIST Special Publication 800-171. If you supply the DoD (common across the El Segundo, Long Beach, and greater LA aerospace corridor), you will likely need a CMMC level to keep bidding.

Which LA firms focus on compliance

Compliance work is a specialty, not a checkbox every IT provider handles well. A few LA-area firms build their practice around it.

Alcala Consulting, in Pasadena, centers its work on cybersecurity and CMMC. CyberDuo, in Glendale, runs a security and compliance practice. Both appear in our full provider comparison alongside general LA managed IT firms.

We do not name a single "best for compliance" firm here, because the right choice depends on which framework governs you. A CMMC problem and a HIPAA problem call for different specialists.

Where to start

Three steps get most LA owners moving.

  1. Find your framework. Use the table above. If two rows describe you, you likely need both.
  2. Run the checklist. Open the detailed page for your framework and work down the controls.
  3. Ask your IT provider how they will prove it. A good provider shows evidence, not adjectives. If you are still choosing one, see how to choose a managed IT provider.

For general security habits that support all three frameworks, CISA publishes free cybersecurity best practices for small and mid-sized businesses.

Back to the complete guide to IT consulting in Los Angeles.

Frequently asked

Does HIPAA apply to small businesses?

Yes. HIPAA has no size exemption, so a two-person clinic is covered exactly like a large hospital. It applies to any covered entity that handles patient data, and to the business associates (including IT vendors) that handle that data on their behalf.

What are the 5 basic rules of HIPAA?

The five core HIPAA rules are the Privacy Rule, the Security Rule, the Transactions and Code Sets Rule, the Unique Identifiers Rule, and the Enforcement Rule. The Privacy Rule protects patient information, the Security Rule sets safeguards for electronic records, and the Enforcement Rule sets the penalties; a separate Breach Notification Rule requires you to report exposed data.


Sources: HHS Office for Civil Rights (HIPAA) · NIST SP 800-171 (CMMC basis) · DoD CMMC program · AICPA SOC suite · CISA cybersecurity best practices