HIPAA for SaaS Companies
Building a SaaS product for healthcare? This guide covers what you need to know about HIPAA compliance specifically for software-as-a-service companies. From understanding when HIPAA applies to implementing the right technical controls, we cover the practical considerations for SaaS teams entering the healthcare market.
Key Takeaways
| Aspect | Details |
|---|---|
| HIPAA status | Most healthcare SaaS companies are business associates |
| Core requirements | BAAs, risk assessment, security controls, training |
| Technical focus | Encryption, access controls, audit logging, secure APIs |
| Infrastructure | Use HIPAA-eligible cloud services with signed BAAs |
| Timeline | Initial compliance typically 2-4 months |
Quick Answer: If your SaaS handles Protected Health Information (PHI) on behalf of healthcare providers, health plans, or other HIPAA-covered entities, you're a business associate and must comply with HIPAA. This means implementing security controls, signing Business Associate Agreements, conducting risk assessments, and training your team.
Does HIPAA Apply to Your SaaS?
HIPAA Applies If:
Your SaaS is a business associate when you:
- Store PHI for healthcare customers
- Process PHI in your application
- Transmit PHI on behalf of covered entities
- Provide services involving PHI access
Examples of SaaS products requiring HIPAA compliance:
- Electronic Health Records (EHR/EMR)
- Practice management software
- Telehealth platforms
- Patient scheduling systems
- Medical billing software
- Healthcare analytics platforms
- Patient communication tools
- Remote patient monitoring
- Care coordination platforms
HIPAA May NOT Apply If:
- You only handle de-identified data (none of the 18 HIPAA identifiers present)
- You're a consumer health app with no covered entity relationship
- You provide general-purpose tools without PHI access
- Your healthcare customers configure the product to avoid PHI
Gray areas: Contact legal counsel if you're unsure. The distinction often depends on specific use cases and contractual relationships.
Understanding Your Obligations
As a SaaS business associate, you must:
1. Sign Business Associate Agreements
- Execute BAAs with all healthcare customers (covered entities)
- Obtain BAAs from all subcontractors who access PHI
- Ensure BAAs include all required provisions
See our guide on Business Associate Agreements.
2. Implement Security Safeguards
- Administrative safeguards (policies, training, incident response)
- Physical safeguards (endpoint security, cloud provider controls)
- Technical safeguards (encryption, access controls, audit logs)
See our guide on the HIPAA Security Rule.
3. Conduct Risk Assessments
- Assess risks to ePHI in your environment
- Document threats, vulnerabilities, and current controls
- Implement risk mitigation measures
- Update assessment when changes occur
See our guide on HIPAA Risk Assessment.
4. Train Your Workforce
- Initial HIPAA training for all team members
- Role-specific training for those handling PHI
- Annual refresher training
- Documented training records
5. Respond to Incidents
- Detect and investigate security incidents
- Report breaches to covered entities
- Support breach notification requirements
- Document and learn from incidents
Technical Requirements for SaaS
Infrastructure
Cloud Provider Requirements
| Requirement | Implementation |
|---|---|
| HIPAA-eligible services | Use only services covered by provider's BAA |
| Signed BAA | Execute BAA with cloud provider |
| Proper configuration | Follow provider's HIPAA guidance |
| Geographic controls | Understand data residency requirements |
Major provider BAA availability:
- AWS: BAA available, HIPAA-eligible services defined
- Google Cloud: BAA available, HIPAA-eligible services defined
- Azure: BAA available, HIPAA-eligible services defined
- Heroku: Limited (Heroku Shield required)
Cloud Configuration Essentials
For AWS:
- Enable CloudTrail for audit logging
- Use KMS for encryption key management
- Configure VPC for network isolation
- Enable AWS Config for configuration monitoring
- Use IAM roles with least privilege
For GCP:
- Enable Cloud Audit Logs
- Use Cloud KMS for encryption
- Configure VPC Service Controls
- Enable Security Command Center
- Use IAM with service accounts
For Azure:
- Enable Azure Monitor and Activity Logs
- Use Azure Key Vault for encryption
- Configure Virtual Network isolation
- Enable Azure Security Center
- Use Azure AD with conditional access
Encryption
| Layer | Requirement | Implementation |
|---|---|---|
| At rest | Encrypt stored PHI | Database encryption, file storage encryption |
| In transit | Encrypt transmitted PHI | TLS 1.2+, HTTPS everywhere |
| Key management | Secure key handling | Cloud KMS, HSM, key rotation |
| Backups | Encrypt backup data | Encrypted backup storage |
Technical implementation:
- Database: Enable encryption (RDS encryption, Cloud SQL encryption)
- Application: Use secure connections to all services
- APIs: Require HTTPS, reject HTTP connections
- File storage: Use encrypted S3 buckets, Cloud Storage
Access Controls
Authentication Requirements
- Unique user identification: No shared accounts
- Multi-factor authentication: Required for PHI access
- Strong passwords: Enforce complexity requirements
- Session management: Timeout after inactivity
Implementation approaches:
- Use identity providers (Auth0, Okta, AWS Cognito)
- Implement MFA with authenticator apps or hardware keys
- Configure session timeouts (15-30 minutes recommended)
- Log authentication events
Authorization Requirements
- Role-based access control (RBAC): Access based on job function
- Least privilege: Minimum access necessary
- Access reviews: Regular verification of access rights
- Segregation of duties: Separate sensitive functions
Implementation approaches:
- Define roles matching job functions
- Map permissions to roles
- Implement access request workflow
- Conduct quarterly access reviews
Audit Logging
What to Log
| Event Type | Examples |
|---|---|
| Authentication | Logins, logouts, failed attempts |
| Authorization | Access grants, denials, changes |
| Data access | PHI views, queries, exports |
| Data modification | Creates, updates, deletes |
| Administrative | Config changes, user management |
| Security events | Alerts, incidents, policy changes |
Log Requirements
- Retention: 6 years (regulatory) or per customer requirements
- Integrity: Prevent log tampering
- Accessibility: Available for investigation and audit
- Monitoring: Alert on suspicious activity
Implementation approaches:
- Centralized logging (CloudWatch, Stackdriver, Azure Monitor)
- Log aggregation (Datadog, Splunk, ELK)
- Automated alerting for security events
- Immutable log storage
API Security
For SaaS products with APIs:
| Requirement | Implementation |
|---|---|
| Authentication | API keys, OAuth 2.0, JWT |
| Authorization | Scope-based permissions |
| Rate limiting | Prevent abuse |
| Input validation | Prevent injection attacks |
| Audit logging | Log all API calls |
| Encryption | HTTPS required |
Secure Development
- Security in SDLC: Integrate security into development process
- Code review: Review for security issues
- Dependency management: Track and update dependencies
- Vulnerability scanning: Regular automated scanning
- Penetration testing: Annual third-party testing
Multi-Tenant Considerations
Most SaaS products are multi-tenant. HIPAA-relevant considerations:
Data Isolation
- Logical isolation: Separate data by tenant at application level
- Database isolation: Consider separate schemas or databases
- Access controls: Ensure one customer can't access another's PHI
- Testing: Verify isolation in testing and production
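The data isolation points above and the audit logging requirements (what to log, log integrity) can be demonstrated together. The following is an added example, not code from the original guide: a tenant-scoped store where every query carries the tenant id and every PHI read is appended to a hash-chained audit log, so cross-tenant reads are both prevented and evidenced, and log tampering is detectable. Table names, the sample tenants and the SQLite backing store are assumptions for the demo.

```python
import hashlib
import json
import sqlite3
from datetime import datetime, timezone

# Constructed sample data for two tenants (not real PHI).
TENANTS = {"clinic-a": [("p1", "Jane Roe")], "clinic-b": [("p2", "John Doe")]}


class TenantScopedStore:
    """Reads are bound to one tenant id and recorded in an append-only,
    hash-chained audit log (each row's hash covers the previous row's hash)."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE patients (tenant_id TEXT, patient_id TEXT, name TEXT)")
        self.db.execute("CREATE TABLE audit (seq INTEGER PRIMARY KEY, prev_hash TEXT, entry TEXT, hash TEXT)")
        for tenant, rows in TENANTS.items():
            for pid, name in rows:
                self.db.execute("INSERT INTO patients VALUES (?, ?, ?)", (tenant, pid, name))

    def _audit(self, tenant_id, actor, action, patient_id, outcome):
        entry = json.dumps({"ts": datetime.now(timezone.utc).isoformat(), "tenant": tenant_id,
                            "actor": actor, "action": action, "patient": patient_id,
                            "outcome": outcome}, sort_keys=True)
        row = self.db.execute("SELECT hash FROM audit ORDER BY seq DESC LIMIT 1").fetchone()
        prev = row[0] if row else "0" * 64          # genesis value for the first entry
        digest = hashlib.sha256((prev + entry).encode()).hexdigest()
        self.db.execute("INSERT INTO audit (prev_hash, entry, hash) VALUES (?, ?, ?)", (prev, entry, digest))

    def get_patient(self, tenant_id, actor, patient_id):
        # The tenant filter is part of the query itself; a record belonging to
        # another tenant is simply not found, and the attempt is still logged.
        row = self.db.execute("SELECT name FROM patients WHERE tenant_id = ? AND patient_id = ?",
                              (tenant_id, patient_id)).fetchone()
        self._audit(tenant_id, actor, "read", patient_id, "ok" if row else "denied")
        return row[0] if row else None

    def audit_entries(self, tenant_id):
        # Per-tenant view of the log, e.g. for a customer's own audit export.
        rows = self.db.execute("SELECT entry FROM audit ORDER BY seq")
        return [e for e in (json.loads(r[0]) for r in rows) if e["tenant"] == tenant_id]

    def verify_audit_chain(self):
        # Recompute every hash from the genesis value; any edited or removed row breaks the chain.
        prev = "0" * 64
        for _, prev_hash, entry, digest in self.db.execute("SELECT * FROM audit ORDER BY seq"):
            if prev_hash != prev or hashlib.sha256((prev + entry).encode()).hexdigest() != digest:
                return False
            prev = digest
        return True
```

In production the chain head (or the whole log) would be shipped to immutable storage outside the application's write path, since a chain verified only against itself cannot detect truncation of its tail.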
Tenant Configuration
- Audit logging: Per-tenant audit logs
- Access controls: Customer-manageable access settings
- Data export: Support customer data requests
- Data deletion: Support customer offboarding
Breach Scope
If a breach occurs:
- Determine affected tenants
- Notify each affected covered entity
- Support individual breach assessments
- Isolate impact where possible
Organizational Requirements
Policies and Procedures
Core policies for SaaS companies:
- Information Security Policy
- Acceptable Use Policy
- Access Control Policy
- Encryption Policy
- Incident Response Policy
- Business Continuity Policy
- Vendor Management Policy
- Change Management Policy
- Data Retention Policy
Workforce Training
- All employees: HIPAA basics, security awareness
- Engineering: Secure development, PHI handling
- Support: Customer data handling, incident reporting
- Leadership: Compliance obligations, risk management
Vendor Management
Your vendors who access PHI:
| Vendor Type | BAA Required | Examples |
|---|---|---|
| Cloud providers | Yes | AWS, GCP, Azure |
| SaaS tools | If PHI access | Analytics, support tools |
| Professional services | If PHI access | Legal, accounting, consulting |
| Contractors | If PHI access | Developers, support |
Common SaaS HIPAA Challenges
Challenge 1: Third-Party Integrations
Problem: Healthcare customers want integrations with other systems that handle PHI.
Solution:
- Ensure integrated systems have BAAs
- Implement secure data exchange (encrypted, authenticated)
- Document data flows
- Consider integration security in risk assessment
Challenge 2: Customer Support Access
Problem: Support team needs access to troubleshoot, which may involve PHI.
Solution:
- Minimize PHI access (use non-PHI test accounts when possible)
- Role-based access for support
- Audit logging of support access
- Training on PHI handling
- Customer consent for PHI access when needed
Challenge 3: Development/Testing Data
Problem: Engineers need realistic data for development and testing.
Solution:
- Use de-identified data (remove the 18 HIPAA identifiers)
- Use synthetic data generators
- If PHI is necessary, treat dev/test as production
- Implement data masking for non-production environments
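As an added illustration of the de-identification and masking steps above (not code from the original guide), the function below applies part of the HIPAA Safe Harbor method to a patient record before it is copied into a non-production environment: names and MRNs are dropped, dates are reduced to the year, ages over 89 are aggregated to 90+, ZIP codes are cut to their first three digits (or 000 for low-population areas), and contact data is scrubbed from free text. The record layout, the regexes and the small-population ZIP prefix set are constructed for the demo; the real prefix list comes from Census data, and the remaining identifiers still have to be removed by the same pipeline.

```python
import re
import uuid
from datetime import date

# Constructed placeholder: 3-digit ZIP prefixes covering 20,000 or fewer people,
# which Safe Harbor requires to be replaced with 000. Real values come from Census data.
SMALL_POP_ZIP3 = {"036", "059", "102"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b")


def mask_zip(zip_code):
    """Keep the first three digits unless the area is low-population, then use 000."""
    zip3 = zip_code[:3]
    return ("000" if zip3 in SMALL_POP_ZIP3 else zip3) + "00"


def mask_age(dob, today):
    """Exact age is allowed up to 89; everything above is aggregated to 90+."""
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return "90+" if age > 89 else str(age)


def scrub_text(text):
    """Remove e-mail addresses and phone numbers from free-text fields."""
    text = EMAIL_RE.sub("[email]", text)
    return PHONE_RE.sub("[phone]", text)


def deidentify(record, today=None):
    """Return a dev/test-safe copy of a record (constructed layout: mrn, name, dob,
    zip, visit_date, diagnosis, notes). Direct identifiers are dropped, not masked."""
    today = today or date.today()
    dob = date.fromisoformat(record["dob"])
    return {
        "patient_id": uuid.uuid4().hex,          # random token; not derivable from the MRN
        "age": mask_age(dob, today),             # date of birth is never copied
        "zip": mask_zip(record["zip"]),
        "visit_year": record["visit_date"][:4],  # all date elements except the year removed
        "diagnosis": record["diagnosis"],        # clinical content is retained
        "notes": scrub_text(record["notes"]),
    }
```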
Challenge 4: Customer Audit Requests
Problem: Healthcare customers want to audit your security.
Solution:
- Obtain SOC 2 Type II report
- Provide security documentation
- Complete security questionnaires (HECVAT, SIG)
- Offer penetration test summaries
- Consider HITRUST for large enterprises
Challenge 5: Breach Response
Problem: Need to detect, investigate, and report breaches quickly.
Solution:
- Implement monitoring and alerting
- Document incident response procedures
- Know notification requirements (notify the affected covered entity no later than 60 days after discovering a breach)
- Have legal counsel identified
- Consider breach response services in insurance
Getting HIPAA-Ready: Roadmap
Phase 1: Foundation (Weeks 1-2)
- Designate HIPAA Security Officer
- Conduct initial risk assessment
- Inventory systems handling PHI
- Review current security controls
Phase 2: Infrastructure (Weeks 2-4)
- Ensure cloud provider BAAs in place
- Implement encryption at rest and in transit
- Configure access controls and MFA
- Enable audit logging
Phase 3: Policies and Procedures (Weeks 3-5)
- Develop required policies
- Create incident response procedures
- Document access management procedures
- Establish vendor management process
Phase 4: Training (Weeks 4-6)
- Conduct HIPAA training for all employees
- Provide role-specific training
- Document training completion
- Establish ongoing training program
Phase 5: BAA Readiness (Weeks 5-6)
- Develop BAA template
- Review vendor BAAs
- Establish BAA execution process
- Be ready for customer BAA requests
Phase 6: Validation (Weeks 6-8)
- Conduct gap assessment
- Address identified gaps
- Document compliance status
- Consider third-party validation
Customer-Facing Considerations
What Healthcare Customers Ask
Security questionnaires: Be prepared for HECVAT, SIG, custom questionnaires.
SOC 2 reports: Many customers request these as third-party validation.
Penetration testing: Executive summaries or attestation letters.
Architecture documentation: Security architecture overview.
BAA execution: Customers will require signed BAAs.
Building Trust
- Create a trust/security page on your website
- Document your security practices
- Obtain SOC 2 Type II report
- Be transparent about your compliance status
- Respond quickly to security inquiries
How Bastion Helps
Bastion helps SaaS companies achieve HIPAA compliance efficiently:
- Gap assessment: Evaluate your current state against HIPAA requirements
- Risk assessment: Conduct the required analysis with proper documentation
- Technical guidance: Implement controls for your specific architecture
- Policy development: Create policies tailored to SaaS operations
- SOC 2 preparation: Combine HIPAA and SOC 2 for efficiency
- Ongoing compliance: Maintain compliance as you grow
Ready to make your SaaS HIPAA-compliant? Talk to our team
Sources
- HHS Guidance on Cloud Computing - Official guidance on HIPAA and cloud services
- HIPAA Security Rule - Technical safeguard requirements
- Business Associates - Business associate obligations
