Skip to main content
Guide

HIPAA compliance is simpler than you think — if you know what actually applies.

Most tech companies over-scope or under-scope their HIPAA obligations. This guide breaks down what the regulation actually requires from SaaS companies, healthtech startups, and anyone handling protected health information.

→ Not sure where you stand? Take the free 25-point HIPAA checker (no email required)

What HIPAA actually requires from tech companies.

HIPAA does not apply to every company that touches healthcare data. It applies to two categories of organizations: covered entities and business associates. Understanding which category you fall into, or whether you fall into either, determines the scope of everything that follows.

Covered entities are health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically. If you are a hospital, insurance company, or pharmacy, you are a covered entity.

Business associates are organizations that perform services for covered entities and handle protected health information (PHI) in the process. This is where most technology companies land. If a hospital uses your SaaS platform to manage patient records, you are a business associate. If an insurance company uses your analytics tool and sends you claims data, you are a business associate.

The critical question is whether you actually receive, store, transmit, or process PHI. If your product connects to a healthcare system but never touches the actual patient data, HIPAA may not apply to you directly. Some companies build integrations that pass data through without storing it, and the compliance obligations differ significantly based on that architecture.

Practical tip

If a prospect asks whether you are HIPAA-compliant, the answer is not a simple yes or no. The right answer describes what you do with PHI, what safeguards you have in place, and whether you are willing to sign a Business Associate Agreement (BAA). HIPAA compliance is not a certification you receive. It is a set of requirements you meet on an ongoing basis.

The three safeguard categories.

The HIPAA Security Rule organizes its requirements into three categories of safeguards. Each addresses a different dimension of protecting electronic PHI (ePHI). For a SaaS company, the practical implications of each category look very different than they do for a hospital with physical servers and filing cabinets.

  • Administrative safeguards are the policies and procedures that govern how your organization manages security. This includes designating a security officer, conducting risk assessments, establishing workforce training, creating incident response procedures, defining access management policies, and — importantly — contingency planning under §164.308(a)(7): data backup, disaster recovery, emergency mode operations, and tabletop testing. LukaGRC's BC/DR module covers all of those: BIAs, recovery plans with RTO/RPO targets, dependencies, exercises, and crisis communications, with auditor-ready exports. Open the BC/DR module ›
  • Physical safeguards address the physical security of systems that store ePHI. For a traditional healthcare provider, this means locked server rooms and visitor logs. For a SaaS company running on AWS or GCP, your cloud provider handles most physical security through their own compliance programs (AWS is HIPAA-eligible, for example). Your responsibility shifts to things like laptop encryption, clean desk policies for remote workers, and ensuring that physical access to any on-premises equipment is controlled.
  • Technical safeguards are the technology controls that protect ePHI. Access controls, audit logs, encryption in transit and at rest, authentication mechanisms, and integrity controls. This is where most tech companies are already strong because modern SaaS architecture naturally incorporates many of these controls: TLS for data in transit, AES-256 for data at rest, role-based access control, and centralized logging.

The Security Rule distinguishes between "required" and "addressable" implementation specifications. Required means you must implement it. Addressable means you must assess whether it is reasonable and appropriate for your environment, and if you decide not to implement it, you must document why and what alternative measure you are using instead. Addressable does not mean optional.

Security Rule vs Privacy Rule — which matters more for tech.

HIPAA has two major rules that people often conflate, and understanding the difference saves significant time and effort when scoping your compliance program.

The Privacy Rule governs the use and disclosure of PHI in any form, including paper records and verbal communications. It defines patient rights such as the right to access their records, the right to request corrections, and the right to know who their information has been shared with. The Privacy Rule primarily applies to covered entities. Business associates must comply with the Privacy Rule only to the extent that they use or disclose PHI, and they must follow the terms of their BAA.

The Security Rule focuses specifically on electronic PHI (ePHI) and requires the administrative, physical, and technical safeguards described above. For technology companies, the Security Rule is where most of your compliance work lives. It is concrete, measurable, and maps directly to the security controls you are probably already building.

There is also the Breach Notification Rule, which requires you to notify affected individuals, HHS, and sometimes the media if a breach of unsecured PHI occurs. The timelines are strict: individual notifications within 60 days of discovery, HHS notification annually for breaches affecting fewer than 500 people, and within 60 days for larger breaches. Having a tested incident response plan that accounts for these notification requirements is not optional.

For most SaaS companies operating as business associates, the priority order is: Security Rule first, Breach Notification Rule second, Privacy Rule third. Build your technical and administrative controls, prepare your incident response plan, and align your data handling practices with the terms of your BAAs.

Building your HIPAA compliance program.

A HIPAA compliance program for a technology company is built on four pillars: risk assessment, policies, Business Associate Agreements, and ongoing evidence collection.

Risk assessment is the foundation. The Security Rule explicitly requires a thorough assessment of potential risks and vulnerabilities to ePHI. This is not a one-time exercise. You need to identify every system that touches ePHI, evaluate the threats to each, assess the likelihood and impact of those threats, and document the controls you have in place to mitigate them. Many companies use a risk register to track this, scoring each risk and mapping it to specific controls.

Policies you will need include:

  • HIPAA Security Policy — Your overarching policy covering workforce security, access management, and security awareness training.
  • Encryption Policy — Documenting how you encrypt ePHI at rest and in transit, including key management procedures.
  • Access Control Policy — Who gets access to ePHI, how it is granted and revoked, and how you enforce least privilege.
  • Incident Response Plan — Detection, containment, eradication, recovery, and the breach notification workflow with HIPAA-specific timelines.
  • Business Associate Management Policy — How you evaluate and monitor your own subcontractors who may access ePHI.
  • Data Retention and Disposal Policy — How long you retain ePHI and how you securely destroy it when retention periods expire.

Business Associate Agreements are contracts between you and the covered entities you serve. A BAA defines what PHI you can access, what you can do with it, what safeguards you must maintain, and what happens in the event of a breach. You cannot handle PHI without a BAA in place. If a covered entity asks you to sign their BAA, review it carefully. The obligations flow down, meaning if you use subcontractors who access PHI, you need BAAs with them as well.

A GRC platform like LukaGRC can map your controls to HIPAA requirements, track evidence collection, and flag gaps before they become audit findings. Having a single place where your risk assessment, policies, and evidence live together makes the difference between a manageable program and a scattered one. See our guide on managing multiple frameworks for how HIPAA controls map to SOC 2 and ISO 27001.

Common HIPAA mistakes tech companies make.

After working with dozens of technology companies on their HIPAA programs, certain patterns emerge repeatedly. Avoiding these mistakes can save months of wasted effort and reduce your actual risk exposure.

  • Over-scoping the program. Companies often try to make their entire infrastructure HIPAA-compliant when only a specific product or service handles PHI. Scope your HIPAA program tightly around the systems and data flows that actually involve ePHI. You can always expand scope later, but a narrow, well-controlled environment is easier to secure and audit than your entire company.
  • Ignoring the breach notification timeline. Many tech companies have incident response plans but forget to integrate HIPAA's specific notification requirements. When you discover a breach involving PHI, the 60-day clock starts ticking. Your incident response plan needs explicit steps for determining whether PHI was involved, assessing the scope, and executing the notification process. Test this process before you need it.
  • Treating compliance as a checkbox. HIPAA is not a point-in-time certification. There is no HIPAA certificate to hang on your wall. Compliance is an ongoing state that you maintain through regular risk assessments, policy reviews, workforce training, and evidence collection. Companies that treat it as a one-time project inevitably discover gaps when a covered entity audits them or when a breach occurs.
  • Forgetting about subcontractors. If you use third-party services that may access ePHI, you need BAAs with them too. This includes cloud hosting providers, logging services, customer support platforms, and anyone else in the data flow. Your vendor risk management process should specifically address HIPAA requirements for subcontractors.
  • Confusing HIPAA with HITRUST. HITRUST is a certifiable framework that incorporates HIPAA requirements along with many other standards. Achieving HITRUST certification is one way to demonstrate HIPAA compliance, but it is not the only way and it is significantly more expensive and time-consuming. Many business associates successfully demonstrate compliance through a well-documented HIPAA program, a completed risk assessment, and a set of policies and controls mapped to the Security Rule requirements.

The organizations that handle HIPAA well approach it the same way they approach any security program: start with understanding your risks, implement controls proportional to those risks, document everything, and maintain it as an ongoing practice rather than a project with an end date.

Get your HIPAA program under control.

Map safeguards to controls, track evidence, and stay audit-ready with a platform built for compliance teams.