What is HIPAA?
If you're building a healthtech product or any software that handles health information, you've likely encountered HIPAA. This guide explains what HIPAA actually is, when compliance is required, and how to approach it strategically for your business.
HIPAA (Health Insurance Portability and Accountability Act) is a U.S. federal law enacted in 1996 that establishes national standards for protecting sensitive patient health information. For technology companies, the most relevant parts are the Privacy Rule and Security Rule, which govern how Protected Health Information (PHI) must be handled.
Key Takeaways
| Point | Summary |
|---|---|
| What it is | A U.S. federal law requiring protection of health information (not a certification) |
| Who needs it | Covered entities and their business associates who handle PHI |
| Key requirements | Privacy Rule, Security Rule, Breach Notification Rule |
| Enforcement | HHS Office for Civil Rights (OCR), with penalties up to $1.5M+ per violation category |
| Common misconception | "HIPAA certified" doesn't exist; compliance is self-assessed or independently validated |
Quick Answer: HIPAA is a federal law that protects patient health information. If you handle health data for or on behalf of healthcare providers, health plans, or healthcare clearinghouses, you likely need to comply. Unlike SOC 2 or ISO 27001, there's no certification body; compliance is demonstrated through policies, safeguards, and Business Associate Agreements.
Why HIPAA Exists
Before HIPAA, there were no consistent national standards for protecting health information. Patient records could be shared without consent, and security practices varied wildly across healthcare organizations.
HIPAA was originally enacted to:
- Ensure health insurance coverage when changing jobs (portability)
- Reduce healthcare fraud and abuse
- Establish standards for electronic healthcare transactions
- Protect the privacy and security of health information
The privacy and security provisions have become the most significant aspects for technology companies today.
Who Needs HIPAA Compliance?
HIPAA applies to two categories of organizations:
Covered Entities
Organizations that directly handle health information:
- Healthcare providers: Hospitals, doctors, clinics, pharmacies, dentists
- Health plans: Insurance companies, HMOs, employer-sponsored health plans
- Healthcare clearinghouses: Organizations that process health information
Business Associates
Organizations that handle PHI on behalf of covered entities:
- SaaS platforms used by healthcare providers
- Cloud hosting providers storing PHI
- IT service providers with PHI access
- Billing and coding services
- Data analytics companies processing health data
- EHR/EMR system vendors
If you're a SaaS company selling to healthcare organizations and your product touches PHI, you're almost certainly a business associate.
| Entity Type | Examples | HIPAA Requirement |
|---|---|---|
| Covered Entity | Hospital, health insurer | Full HIPAA compliance |
| Business Associate | EHR vendor, cloud hosting | BAA + relevant safeguards |
| Subcontractor | AWS, analytics provider | BAA chain required |
| Not Covered | Consumer health apps (no covered entity relationship) | Generally not subject to HIPAA |
What is Protected Health Information (PHI)?
PHI is individually identifiable health information that:
- Is created or received by a covered entity or business associate
- Relates to an individual's past, present, or future physical or mental health
- Relates to the provision of, or payment for, healthcare
- Identifies, or could reasonably be used to identify, the individual
The 18 HIPAA Identifiers
HIPAA defines 18 types of identifiers that make health information "identifiable":
- Names
- Geographic data smaller than state
- Dates (except year) related to an individual
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers
- Full-face photographs
- Any other unique identifying number or code
PHI vs ePHI
- PHI: Protected Health Information in any form (paper, verbal, electronic)
- ePHI: Electronic PHI, which is subject to the Security Rule's technical safeguards
Most technology companies deal primarily with ePHI.
The Three HIPAA Rules
HIPAA compliance involves three main rules:
1. Privacy Rule
The Privacy Rule establishes standards for:
- When PHI can be used or disclosed
- Patient rights to access their information
- Minimum necessary standard (only access what's needed)
- Notice of privacy practices
For business associates, the Privacy Rule requires:
- Only using PHI as permitted by the BAA
- Implementing appropriate safeguards
- Reporting unauthorized uses or disclosures
2. Security Rule
The Security Rule establishes safeguards for ePHI:
| Safeguard Type | Examples |
|---|---|
| Administrative | Risk assessments, policies, training, incident response |
| Physical | Facility access controls, workstation security, device disposal |
| Technical | Access controls, encryption, audit logs, integrity controls |
The Security Rule requires organizations to:
- Conduct risk assessments
- Implement safeguards based on risk
- Document policies and procedures
- Train workforce members
- Evaluate and maintain safeguards
3. Breach Notification Rule
The Breach Notification Rule requires:
- Notifying affected individuals within 60 days of breach discovery
- Notifying HHS (immediately for breaches affecting 500+ individuals)
- Notifying media for breaches affecting 500+ individuals in a state
- Documenting all breach investigations
A breach is presumed unless you can demonstrate low probability of compromise based on a risk assessment considering:
- Nature and extent of PHI involved
- Who the unauthorized person was that used or received the PHI
- Whether PHI was actually acquired or viewed
- Extent to which risk has been mitigated
HIPAA vs Other Frameworks
| Aspect | HIPAA | SOC 2 | ISO 27001 |
|---|---|---|---|
| Type | Federal law | Audit standard | International standard |
| Focus | Health information | Trust services criteria | Information security management |
| Mandated by | U.S. government | Customers (voluntary) | Customers (voluntary) |
| Validation | Self-assessment, independent audits | CPA attestation | Certification body audit |
| Certification | None (compliance is ongoing) | Report issued | Certificate issued |
| Penalties | Civil/criminal penalties | Lost deals | Lost deals |
Many healthtech companies need multiple frameworks. HIPAA is required by law when handling PHI. SOC 2 and ISO 27001 are often requested by customers and can demonstrate security practices that support HIPAA compliance.
Common Misconceptions
"We're HIPAA certified"
Reality: There is no official HIPAA certification. The U.S. Department of Health and Human Services (HHS) does not certify organizations as HIPAA compliant. You can be HIPAA compliant, but there's no certificate or seal.
Some organizations undergo independent HIPAA assessments, which can be valuable for demonstrating compliance, but these are not official certifications.
"We use AWS/GCP/Azure, so we're HIPAA compliant"
Reality: Major cloud providers offer HIPAA-eligible services and will sign BAAs, but this only covers their infrastructure. You're still responsible for:
- How you configure and use those services
- Your application's security
- Your policies and procedures
- Your workforce training
- Your risk assessments
"HIPAA only applies to healthcare companies"
Reality: HIPAA applies to any organization that handles PHI on behalf of a covered entity. If you're a SaaS company with healthcare customers, you're likely a business associate subject to HIPAA requirements.
"We don't store PHI, so HIPAA doesn't apply"
Reality: HIPAA applies to creating, receiving, maintaining, or transmitting PHI. Even if you don't store data persistently, processing or transmitting PHI triggers HIPAA obligations.
"Our app is consumer-facing, so HIPAA doesn't apply"
Reality: Consumer health apps may or may not be subject to HIPAA depending on their relationship with covered entities. If your app is prescribed by a doctor, used by a health plan, or integrates with covered entities, HIPAA may apply. The FTC Act and state laws may also apply to consumer health apps.
Getting Started with HIPAA Compliance
Step 1: Determine if HIPAA Applies
Answer these questions:
- Do you handle health information?
- Is that information received from or on behalf of a covered entity?
- Could the information identify specific individuals?
If yes to all three, HIPAA likely applies to you.
Step 2: Understand Your Role
- Are you a covered entity or business associate?
- Who are your upstream covered entities or business associates?
- Do you have downstream subcontractors who access PHI?
Step 3: Conduct a Risk Assessment
A risk assessment is the foundation of HIPAA compliance:
- Identify where ePHI is created, received, maintained, and transmitted
- Identify threats and vulnerabilities
- Assess current security measures
- Determine risk levels
- Document and prioritize remediation
Step 4: Implement Safeguards
Based on your risk assessment, implement:
- Administrative safeguards (policies, training, incident response)
- Physical safeguards (facility security, device management)
- Technical safeguards (access controls, encryption, audit logs)
Step 5: Execute Business Associate Agreements
- Obtain BAAs from all vendors who access PHI
- Provide BAAs to covered entities you serve
- Ensure BAAs include required provisions
Step 6: Document Everything
Maintain documentation of:
- Policies and procedures
- Risk assessments and remediation
- Training records
- BAAs
- Incident reports and investigations
The Business Case for HIPAA Compliance
For SaaS companies selling to healthcare:
| Benefit | Impact |
|---|---|
| Market access | Healthcare is a $4+ trillion industry requiring HIPAA compliance |
| Competitive advantage | Many competitors struggle with HIPAA, creating opportunity |
| Reduced risk | Avoid penalties up to $1.5M+ per violation category |
| Trust building | Demonstrate commitment to protecting sensitive data |
| Complementary compliance | HIPAA safeguards overlap with SOC 2 and ISO 27001 |
How Bastion Helps
Bastion helps technology companies achieve HIPAA compliance efficiently:
- Gap assessment: Understand your current state against HIPAA requirements
- Risk assessment: Conduct the required risk analysis with proper documentation
- Policy development: Create policies that reflect your actual operations
- Technical implementation: Guidance on implementing required safeguards
- BAA review: Ensure your agreements include required provisions
- Combined programs: Align HIPAA with SOC 2 and ISO 27001 for efficiency
Ready to discuss your HIPAA compliance needs? Talk to our team
