HIPAA
Getting Started Guide

Health Insurance Portability and Accountability Act

Mandatory US regulation for protecting sensitive patient health information (PHI) from disclosure.

Audit Effort3–6 months for full compliance
Key FactIncludes Privacy, Security, and Breach Notification rules

What Is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal US law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. For tech companies, it defines how Protected Health Information (PHI) must be secured and handled.

The regulation comprises multiple rules, but SaaS companies primarily care about three: the Privacy Rule (who can access PHI and for what purposes), the Security Rule (the technical, physical, and administrative safeguards required to protect ePHI), and the Breach Notification Rule (how and when to report security incidents).

Unlike SOC 2, there is no official HIPAA 'certification' granted by the government. Companies undergo independent third-party HIPAA assessments to demonstrate compliance. If your SaaS touches PHI on behalf of a healthcare provider, you act as a Business Associate and are directly liable for compliance and breach penalties.

Does HIPAA Apply to Your Organisation?

Understanding typical procurement requirements and compliance thresholds.

HealthTech SaaS Platforms

If your platform stores, processes, or transmits patient health data for hospitals, clinics, or doctors, you are a Business Associate.

Mandatory

Cloud Providers and Infrastructure

Any infrastructure provider hosting medical data must sign a Business Associate Agreement (BAA) to guarantee the data's security.

Mandatory

Telehealth and Medical Billing Providers

Directly handling patient charts, billing codes, or conducting remote video visits subjects you to immediate HIPAA requirements.

Mandatory
You probably don't need HIPAA if:
  • Fitness or diet tracking apps that are direct-to-consumer and do not interact with a covered entity (doctor/hospital).
  • Companies that only process completely de-identified health data according to HIPAA's safe harbor standard.
  • Employers collecting basic sick-leave notes, which generally falls under employment records rather than HIPAA.

Why HIPAA Matters in 2026

Understanding the current regulatory pressures and market adoption vectors.

Vendor Agreements (BAAs)

US healthcare providers (Covered Entities) are legally barred from using your software until you sign a Business Associate Agreement.

Stiff Financial Penalties

The Office for Civil Rights (OCR) actively issues multi-million dollar fines for breaches, especially those caused by unpatched software or missing BAAs.

Patient Trust & Competitive Advantage

In the heavily regulated healthcare space, demonstrating HIPAA compliance via third-party audit is the only way to earn trust and close enterprise deals.

The Requirements

The core security controls and evidence parameters audited for HIPAA.

How Long Does It Take?

A realistic phase-by-phase implementation roadmap for HIPAA.

1
Weeks 1-4

Gap & Risk Assessment

Conduct a comprehensive HIPAA Risk Assessment to identify ePHI flows and evaluate current security controls against the Security Rule.

Key Deliverable:Risk Assessment Report, PHI Data Map
2
Weeks 5-10

Remediation & Policies

Implement missing technical controls (encryption, audit logs) and formalize administrative policies (training, access).

Key Deliverable:HIPAA Security Policies, Technical Safeguard implementations
3
Weeks 11-12

BAA Execution

Identify all sub-processors touching PHI and execute Business Associate Agreements with them.

Key Deliverable:Signed BAAs
With Existing Certifications

6-8 weeks: If you have SOC 2 Type II with the Confidentiality/Privacy criteria, your technical controls are largely in place. Focus on the formal Risk Assessment and BAAs.

Starting from Scratch

3-4 months: Establishing encryption architectures, audit logging, and comprehensive policies requires significant engineering and administrative effort.

The Mistakes That Delay Most HIPAA Programs

Sourced from real compliance audits. Avoid these pitfalls to keep your timeline on track.

Assuming cloud providers make you compliant

Why it happens:

Using 'HIPAA-eligible' AWS services does not mean you are compliant. You must configure them correctly and sign a BAA with AWS.

How to avoid it:

Understand the shared responsibility model. You are responsible for access control, encryption keys, and application-level security.

Failing to conduct a formal Risk Assessment

Why it happens:

A comprehensive, organization-wide risk assessment is the foundation of the Security Rule. Many companies skip this and just write policies.

How to avoid it:

Document a formal Risk Analysis addressing threats, vulnerabilities, likelihood, impact, and mitigating controls for all ePHI.

Ignoring the audit logs

Why it happens:

HIPAA requires tracking who accessed what PHI and when. Many startups log system events but fail to log application-level PHI access.

How to avoid it:

Implement application-level audit logging that captures user ID, timestamp, patient record accessed, and the action taken.

Loading Kickstart state...

Related Resources

Articles, guides, and tools to accelerate your compliance program.

Insights & Playbooks

HIPAA Insights

Read practical security, engineering, and audit management playbooks from the GRC hub.

Visit the GRC Blog
Readiness Tools

HIPAA Checklist

Assess your baseline control posture against HIPAA criteria in 10 minutes.

Start Assessment
Decision Engine

Compare Frameworks

Not sure which framework is best for your current situation? Run our intake to see a prioritized recommendation roadmap.

Start Framework Finder

Frequently Asked Questions

Common queries about HIPAA compliance and certification processes.