What HIPAA actually requires from tech companies.
HIPAA does not apply to every company that touches healthcare data. It applies to two categories of organizations: covered entities and business associates. Understanding which category you fall into, or whether you fall into either, determines the scope of everything that follows.
Covered entities are health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically. If you are a hospital, insurance company, or pharmacy, you are a covered entity.
Business associates are organizations that perform services for covered entities and handle protected health information (PHI) in the process. This is where most technology companies land. If a hospital uses your SaaS platform to manage patient records, you are a business associate. If an insurance company uses your analytics tool and sends you claims data, you are a business associate.
The critical question is whether you actually receive, store, transmit, or process PHI. If your product connects to a healthcare system but never touches the actual patient data, HIPAA may not apply to you directly. Some companies build integrations that pass data through without storing it, and the compliance obligations differ significantly based on that architecture.
If a prospect asks whether you are HIPAA-compliant, the answer is not a simple yes or no. The right answer describes what you do with PHI, what safeguards you have in place, and whether you are willing to sign a Business Associate Agreement (BAA). HIPAA compliance is not a certification you receive. It is a set of requirements you meet on an ongoing basis.