Health Insurance Portability and Accountability Act
Mandatory US regulation for protecting sensitive patient health information (PHI) from disclosure.
What Is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal US law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. For tech companies, it defines how Protected Health Information (PHI) must be secured and handled.
The regulation comprises multiple rules, but SaaS companies primarily care about three: the Privacy Rule (who can access PHI and for what purposes), the Security Rule (the technical, physical, and administrative safeguards required to protect ePHI), and the Breach Notification Rule (how and when to report security incidents).
Unlike SOC 2, there is no official HIPAA 'certification' granted by the government. Companies undergo independent third-party HIPAA assessments to demonstrate compliance. If your SaaS touches PHI on behalf of a healthcare provider, you act as a Business Associate and are directly liable for compliance and breach penalties.
Does HIPAA Apply to Your Organisation?
Understanding typical procurement requirements and compliance thresholds.
HealthTech SaaS Platforms
If your platform stores, processes, or transmits patient health data for hospitals, clinics, or doctors, you are a Business Associate.
Cloud Providers and Infrastructure
Any infrastructure provider hosting medical data must sign a Business Associate Agreement (BAA) to guarantee the data's security.
Telehealth and Medical Billing Providers
Directly handling patient charts, billing codes, or conducting remote video visits subjects you to immediate HIPAA requirements.
- Fitness or diet tracking apps that are direct-to-consumer and do not interact with a covered entity (doctor/hospital).
- Companies that only process completely de-identified health data according to HIPAA's safe harbor standard.
- Employers collecting basic sick-leave notes, which generally falls under employment records rather than HIPAA.
Why HIPAA Matters in 2026
Understanding the current regulatory pressures and market adoption vectors.
Vendor Agreements (BAAs)
US healthcare providers (Covered Entities) are legally barred from using your software until you sign a Business Associate Agreement.
Stiff Financial Penalties
The Office for Civil Rights (OCR) actively issues multi-million dollar fines for breaches, especially those caused by unpatched software or missing BAAs.
Patient Trust & Competitive Advantage
In the heavily regulated healthcare space, demonstrating HIPAA compliance via third-party audit is the only way to earn trust and close enterprise deals.
The Requirements
The core security controls and evidence parameters audited for HIPAA.
How Long Does It Take?
A realistic phase-by-phase implementation roadmap for HIPAA.
Gap & Risk Assessment
Conduct a comprehensive HIPAA Risk Assessment to identify ePHI flows and evaluate current security controls against the Security Rule.
Remediation & Policies
Implement missing technical controls (encryption, audit logs) and formalize administrative policies (training, access).
BAA Execution
Identify all sub-processors touching PHI and execute Business Associate Agreements with them.
With Existing Certifications
6-8 weeks: If you have SOC 2 Type II with the Confidentiality/Privacy criteria, your technical controls are largely in place. Focus on the formal Risk Assessment and BAAs.
Starting from Scratch
3-4 months: Establishing encryption architectures, audit logging, and comprehensive policies requires significant engineering and administrative effort.
The Mistakes That Delay Most HIPAA Programs
Sourced from real compliance audits. Avoid these pitfalls to keep your timeline on track.
Assuming cloud providers make you compliant
Using 'HIPAA-eligible' AWS services does not mean you are compliant. You must configure them correctly and sign a BAA with AWS.
Understand the shared responsibility model. You are responsible for access control, encryption keys, and application-level security.
Failing to conduct a formal Risk Assessment
A comprehensive, organization-wide risk assessment is the foundation of the Security Rule. Many companies skip this and just write policies.
Document a formal Risk Analysis addressing threats, vulnerabilities, likelihood, impact, and mitigating controls for all ePHI.
Ignoring the audit logs
HIPAA requires tracking who accessed what PHI and when. Many startups log system events but fail to log application-level PHI access.
Implement application-level audit logging that captures user ID, timestamp, patient record accessed, and the action taken.
Rishabh's Take on HIPAA
Practitioner Voice“HIPAA compliance for startups often boils down to three hurdles: the Risk Assessment, the BAAs, and the Audit Logs. You cannot shortcut the Risk Assessment—it is the first thing OCR asks for during an investigation. For BAAs, remember that if you send PHI to a vendor (like an email service or analytics tool) and they refuse to sign a BAA, you must rip them out of your stack. Finally, ensure your engineers understand that database-level logging isn't enough; you need to know exactly which nurse viewed which patient's chart at what time.”
Related Resources
Articles, guides, and tools to accelerate your compliance program.
HIPAA Insights
Read practical security, engineering, and audit management playbooks from the GRC hub.
HIPAA Checklist
Assess your baseline control posture against HIPAA criteria in 10 minutes.
Compare Frameworks
Not sure which framework is best for your current situation? Run our intake to see a prioritized recommendation roadmap.
Frequently Asked Questions
Common queries about HIPAA compliance and certification processes.