The short answer
HIPAA (the Health Insurance Portability and Accountability Act of 1996) is a US federal law that sets rules for protecting Protected Health Information (PHI). It applies to two groups: covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates (any third party that handles PHI on their behalf — including most SaaS companies in the healthtech space).
If your software processes, stores, or transmits PHI on behalf of a covered entity, you are a business associate, you must sign a Business Associate Agreement (BAA), and you must comply with HIPAA.
Who has to comply?
- Covered entities: healthcare providers (hospitals, doctors' offices, dentists, pharmacies), health plans (insurers, HMOs), and healthcare clearinghouses (claims-processing intermediaries).
- Business associates: anyone who handles PHI on behalf of a covered entity — SaaS vendors, billing services, cloud hosts, IT consultants, lawyers, accountants. If you receive, create, transmit, or store PHI, you're in scope.
- Not in scope: direct-to-consumer wellness apps, fitness trackers, employer wellness programs (mostly), data sold without identifiers. The distinction matters: HIPAA only kicks in if the data comes from or relates to a covered entity.
The three core rules
Security Rule
Sets technical, physical, and administrative safeguards for protecting electronic PHI (ePHI). This is the part most SaaS companies focus on. Examples: access controls, encryption, audit logs, workstation security, contingency planning.
Privacy Rule
Governs how PHI can be used and disclosed. Patients have rights to access their records, request corrections, and get an accounting of who has seen their data. As a business associate, you generally only handle the use/disclosure rules indirectly through your BAA with the covered entity.
Breach Notification Rule
If unsecured PHI is breached, you must notify the covered entity within 60 days (sometimes faster per contract). The covered entity then notifies affected individuals, HHS, and (for breaches affecting 500+ individuals) the media. PHI encrypted to the HHS safe-harbour standard is not "unsecured", so an incident involving only such data is not a "breach" under the rule, provided the decryption keys were not also compromised.
Penalties
HIPAA penalties scale with culpability. Per HHS's 2026 enforcement tiers:
- Unknowing violation: $137–$68,928 per violation, capped at $2.067M/year per category
- Reasonable cause: $1,379–$68,928 per violation
- Willful neglect (corrected): $13,785–$68,928 per violation
- Willful neglect (not corrected): $68,928 per violation, capped at $2.067M/year
Criminal penalties also exist for knowing misuse (up to 10 years for offences for personal gain or malicious harm).
What "HIPAA-compliant" actually means
There is no official "HIPAA certification" — anyone selling you a certificate is selling marketing, not compliance. What you can demonstrate is an active compliance program:
- A signed BAA with each covered entity
- Documented policies covering each Security Rule safeguard
- Risk analysis (the foundation — required by §164.308(a)(1))
- Workforce training records
- Incident response procedures and a breach notification process
- Evidence that controls are actually operating (access logs, audit trails, encryption and key-management records)
Auditors and customers will look for these artifacts during procurement reviews. Without them, the BAA is just a contract — the actual compliance work is in the controls behind it.
Where to start
If you're a SaaS company and a healthcare prospect just asked for a BAA:
- Do a risk analysis covering every system that touches PHI
- Encrypt PHI at rest (AES-256) and in transit (TLS 1.3) — this gets you the breach safe harbour, as long as the keys are managed separately from the data they protect
- Implement role-based access with audit logging
- Adopt or write policies for the Security Rule's administrative safeguards
- Train your workforce annually; keep records
- Sign the BAA only after the program is real
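As an added illustration of the access-control and audit-logging step above (example code written for this entry, not part of any product or of the HHS rules; the role names, permissions and record IDs are constructed), a PHI access gate that enforces role-based access and writes every decision, allowed or denied, to a hash-chained audit trail whose integrity can be verified later:

```python
import hashlib
import json
import time

# Constructed role-to-permission map for this example; map it to your own roles.
# Each role gets only the minimum necessary: support staff get no PHI access.
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "billing": {"read_billing"},
    "support": set(),
}

GENESIS = "0" * 64  # prev-hash of the first audit entry


def _digest(body):
    # Canonical JSON so the same entry always hashes the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only, hash-chained audit trail: each entry commits to the previous
    one, so editing or deleting a past access record breaks verification."""

    def __init__(self):
        self.entries = []

    def record(self, actor, role, action, record_id, allowed):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"ts": time.time(), "actor": actor, "role": role, "action": action,
                 "record_id": record_id, "allowed": allowed, "prev": prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return True only if every entry's hash and prev link still check out."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def access_phi(audit, actor, role, action, record_id):
    """Enforce RBAC on a PHI record and log the decision, allowed or denied."""
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    audit.record(actor, role, action, record_id, allowed)
    return allowed
```

Denied attempts are logged as well as successful ones; the denials are what an incident reviewer looks at first.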
For a full walkthrough specific to SaaS, see our HIPAA compliance guide for SaaS.
Related reading
- HIPAA compliance: the practical guide — turn this glossary entry into a 90-day plan
- HIPAA compliance checklist — every required policy and control
- HIPAA technical safeguards explained — encryption, access, audit, integrity, transmission
- Business Associate Agreements explained — when you need one and what must be in it
- HIPAA vs HITRUST — when the certification adds value
- SOC 2 explained — the audit deliverable most HIPAA-compliant SaaS also pursue
Common questions
Do I need a BAA?
If you handle PHI on behalf of a covered entity, yes — and it must be signed before they share any PHI with you. Without a BAA, both parties are in violation.
Who is a covered entity?
Three categories: health plans (insurance, HMOs, government programs), health care clearinghouses (processing entities), and health care providers that transmit health information electronically (most doctors, hospitals, pharmacies).
What's a business associate?
Any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity — including SaaS companies, cloud providers, billing services, IT consultants, and analytics platforms. Business associates are directly liable under HIPAA since 2013.
What counts as PHI?
Protected Health Information is any individually identifiable health information held or transmitted by a covered entity or business associate. The HIPAA Privacy Rule lists 18 identifiers — names, dates, geographic data smaller than a state, phone numbers, email addresses, SSN, MRN, photographs, biometrics, IP addresses, and more.
How much are HIPAA violation fines?
Tiered: $137–$68,928 per violation for unknowing violations, up to $2.07 million per identical violation per year for willful neglect not corrected. The Office for Civil Rights also seeks corrective action plans that can cost millions in implementation.
Is encryption required by HIPAA?
Encryption is 'addressable,' not strictly 'required.' Addressable means you must either implement it or document why it is not reasonable and appropriate for you and what equivalent measure you use instead. In practice, encrypting PHI at rest and in transit is the standard expectation and gives you the breach-notification safe harbour: if you encrypt PHI to HHS standards and lose a device, you don't have to notify, provided the key was not stored on or lost with the device.
What are the HIPAA Security Rule safeguards?
Three categories: administrative safeguards (risk analysis, workforce training, contingency planning), physical safeguards (facility access, workstation security, device controls), and technical safeguards (access control, audit controls, integrity, transmission security).
Is there a HIPAA certification?
No. HHS doesn't certify anyone. Any third-party 'HIPAA certification' is marketing — they're attesting to your controls, not granting government compliance. HITRUST is the closest thing to a recognized HIPAA-aligned certification but it's a private framework.
Does HIPAA apply outside the US?
HIPAA itself applies only to US covered entities and their business associates. But if you're a non-US SaaS handling PHI for a US healthcare customer, you're a business associate and HIPAA applies to you through the BAA, regardless of where your servers live.
How long does it take to become HIPAA compliant?
From scratch, 3–6 months for a small SaaS. The work breaks down roughly as: 4 weeks on risk analysis and policies, 6–10 weeks on technical controls (encryption, access logging, audit trail), 2 weeks on BAA infrastructure, and 4 weeks on workforce training and rollout.
What's the difference between HIPAA and HITECH?
HITECH (2009) strengthened HIPAA enforcement and added breach notification requirements. They're often referenced together; HITECH is essentially HIPAA's tougher cousin.
Last updated: May 25, 2026 · Reviewed by the LukaGRC compliance team