HIPAA for software companies is a different problem
Most HIPAA content online is written for hospitals and clinics. If you're a SaaS or digital health company, your situation is structurally different — and the hospital playbook will lead you to do the wrong work.
First, you're almost certainly a business associate, not a covered entity. Covered entities are providers, health plans, and clearinghouses. A business associate is any vendor that creates, receives, maintains, or transmits protected health information (PHI) on a covered entity's behalf — which describes nearly every health-tech SaaS. Since the 2013 Omnibus Rule, business associates are directly liable under the Security Rule and Breach Notification Rule, so "we're just the vendor" is not a defense. But the obligations that bind you arrive through a specific document: the business associate agreement (BAA).
Second, your scope is narrower. A hospital worries about paper charts, front-desk conversations, and badge readers. Your PHI lives in a database, an object store, application logs, and a handful of third-party services. That makes the Privacy Rule's facility-oriented requirements mostly marginal for you, and the Security Rule's technical safeguards — access control, audit logging, encryption, transmission security — the center of gravity.
Third, your controls are cloud-native. Encryption at rest is a KMS setting, not a locked filing cabinet. Access control is IAM and your application's RBAC. Audit controls are structured logs with retention. The work is real, but it maps onto engineering practices you may already have — especially if you've done SOC 2.
One more thing the hospital content rarely says plainly: there is no official HIPAA certification. No government body certifies compliance, and no audit is required by the law itself. You demonstrate compliance through a documented risk analysis, written policies, implemented safeguards, signed BAAs — and, increasingly, a SOC 2 report or HITRUST certification because enterprise health buyers want third-party proof.
Start here
If you're new to HIPAA — or new to being asked about it by a prospect — start with the free checker, then read the full guide.
The rules
What the regulation actually requires, translated for engineering teams.
Decisions
The comparisons and cost questions that come up once HIPAA is on your roadmap.
Infrastructure
Making your cloud stack HIPAA-eligible — and understanding what the cloud provider's BAA does and doesn't cover.
Running the program
The operational controls auditors and OCR actually test — with the documentation each one requires.
By vertical
HIPAA lands differently depending on what you're building. These guides cover the vertical-specific traps.
HIPAA for SaaS in 60 seconds
- You are (probably) a business associate: any vendor that creates, receives, maintains, or transmits PHI for a covered entity is a business associate — directly liable under the Security and Breach Notification Rules.
- The BAA is mandatory: a signed business associate agreement is required before any PHI flows. No BAA, no deal — and you need BAAs with your own subcontractors (cloud, video, messaging) too.
- Three safeguard categories: the Security Rule requires administrative safeguards (risk analysis, training, policies), physical safeguards (facility and device controls), and technical safeguards (access control, audit logs, integrity, encryption, transmission security).
- No official certification exists: HHS does not certify HIPAA compliance. You prove it with documentation — risk analysis, policies, evidence — and buyers increasingly want SOC 2 or HITRUST as third-party proof.
- Breach notification: 60 days max. Covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach; business associates must notify the covered entity on the same outer deadline, per the BAA's (usually much shorter) terms.
Common questions
Is there an official HIPAA certification?
No. Neither HHS nor any government body certifies HIPAA compliance. Anyone selling a "HIPAA certificate" is selling an attestation of their own design. What buyers actually accept as proof: a signed BAA, a documented risk analysis, security policies, and increasingly a SOC 2 report or HITRUST certification that covers the HIPAA Security Rule controls.
What is a business associate?
A business associate is any vendor that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity (a provider, health plan, or clearinghouse). Most health-tech SaaS companies are business associates, not covered entities. Business associates are directly liable under the HIPAA Security and Breach Notification Rules and must sign a business associate agreement (BAA) before handling PHI.
Do I still need HIPAA compliance if I host on AWS?
Yes. AWS will sign a BAA and provides HIPAA-eligible services, but that covers only their side of the shared responsibility model — physical security and infrastructure. You remain responsible for access controls, encryption configuration, audit logging, workforce training, risk analysis, policies, and your own BAAs. Hosting on a HIPAA-eligible cloud is necessary but nowhere near sufficient. Our HIPAA on AWS guide covers the split in detail.
How long does HIPAA compliance take for a SaaS company?
For a small SaaS team starting from a reasonable security baseline, 2–4 months is realistic: risk analysis and gap assessment in the first few weeks, then policies, technical safeguard implementation, workforce training, and BAA management. Teams that already have SOC 2 in place move faster because the control overlap is substantial.
How much does HIPAA compliance cost?
There is no audit or certificate to buy, so the cost is implementation: risk analysis, policies, technical safeguards, training, and tooling. Small SaaS teams doing the work in-house with a compliance platform typically spend a few thousand to low tens of thousands of dollars; adding consultants or pursuing HITRUST on top raises that significantly. See the HIPAA compliance cost guide for a full breakdown.
Last updated: June 11, 2026 · Reviewed by the LukaGRC compliance team
Run your HIPAA program in LukaGRC.
Risk analysis, policies, evidence, and BAA tracking in one platform. 14-day trial. No card.