Guide
HIPAA Compliance for SaaS: What Founders and CTOs Must Know
HIPAA compliance for SaaS means your platform meets the Privacy, Security, and Breach Notification Rules when handling protected health information (PHI). You need a Business Associate Agreement (BAA) with each customer, must implement administrative, physical, and technical safeguards, and must have documented policies. It's not a one-time checkbox but an ongoing process.
Do You Need to Be HIPAA Compliant?
If your SaaS handles protected health information (PHI) on behalf of a covered entity (healthcare provider, health plan, or clearinghouse), you are a business associate and must comply. PHI includes any individually identifiable health data: names, dates, medical records, billing info, even IP addresses if linked to health data.
If you only store de-identified data (per the HIPAA de-identification standard, Safe Harbor or Expert Determination), HIPAA rules do not apply. But most health-tech SaaS will touch PHI at some point.
Key HIPAA Requirements for SaaS
Business Associate Agreement (BAA). You must sign a BAA with each covered entity customer. The BAA defines PHI handling, breach notification, and your security obligations. Without a signed BAA, you cannot legally touch PHI.
Privacy Rule. Limits use and disclosure of PHI to the minimum necessary. Your app should enforce role-based access controls and log access.
Security Rule. Requires administrative, physical, and technical safeguards. For a SaaS, technical safeguards matter most: access control, audit controls, integrity controls, IDS, and transmission security.
Breach Notification Rule. You must notify covered entities of any breach of unsecured PHI within 60 days. Have an incident response plan.
Technical Safeguards You Must Implement
These are the controls HIPAA expects. Not optional.
- Access Control (45 CFR 164.312(a)): Unique user IDs, automatic logoff (e.g., 15 minutes of inactivity), emergency access procedure, and encryption at rest (AES-256) and in transit (TLS 1.2+).
- Audit Controls: Log all access to PHI: who, what, when, from where. Store logs for at least 6 years (check your BAA). Use tools like AWS CloudTrail or database audit logs.
- Integrity Controls: Ensure PHI is not altered or destroyed improperly. Use checksums, versioning, or database transaction logs.
- Transmission Security: Encrypt all PHI over open networks. Use HTTPS with HSTS, VPN for internal traffic, and disable weak ciphers.
- Person or Entity Authentication: Require MFA for all users accessing PHI, especially admins.
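The access-control, audit-control and integrity-control bullets above (and the role-based access plus access logging the Privacy Rule section calls for) can be exercised together in one small piece of code. The following is an added example, not code from the original page or from any product it mentions: every PHI read is gated by the 15-minute idle logoff and a role check, every attempt is recorded as who/what/when/from-where, and the log entries are hash-chained so a later edit to the trail is detectable. The role set, user names, record id and IP addresses are constructed for the demo.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone
IDLE_TIMEOUT = timedelta(minutes=15)          # automatic logoff threshold from the page
ROLE_CAN_READ_PHI = {"clinician", "billing"}  # constructed role map (minimum necessary)

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """PHI access trail (who/what/when/where), hash-chained so later edits break verify()."""
    def __init__(self):
        self.entries, self._prev = [], "0" * 64

    def record(self, who, what, record_id, where, when, allowed):
        body = {"who": who, "what": what, "record": record_id, "where": where,
                "when": when.isoformat(), "allowed": allowed, "prev": self._prev}
        entry = dict(body, hash=_digest(body))
        self._prev = entry["hash"]
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def read_phi(log, user, role, record_id, ip, last_activity, now):
    """Idle sessions are logged off, only approved roles may read, and
    every attempt (allowed or denied) is written to the audit trail."""
    outcome = "ok"
    if now - last_activity >= IDLE_TIMEOUT:
        outcome = "session_expired"
    elif role not in ROLE_CAN_READ_PHI:
        outcome = "forbidden"
    log.record(user, "read", record_id, ip, now, allowed=(outcome == "ok"))
    return outcome

def demo():  # constructed scenario: allowed read, idle logoff, wrong role, then tampering
    log, t0 = AuditLog(), datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    r1 = read_phi(log, "dr_lee", "clinician", "pt-1001", "10.0.0.5", t0, t0 + timedelta(minutes=2))
    r2 = read_phi(log, "dr_lee", "clinician", "pt-1001", "10.0.0.5", t0, t0 + timedelta(minutes=20))
    r3 = read_phi(log, "intern", "marketing", "pt-1001", "10.0.0.9", t0, t0 + timedelta(minutes=3))
    intact = log.verify()
    log.entries[0]["who"] = "someone_else"  # simulate editing the trail after the fact
    return [r1, r2, r3], intact, log.verify()
```

In production the chain head (or a periodic digest) would be shipped to a write-once store such as the centralized logging the page recommends, so the check does not depend on the same database it protects.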
Administrative Safeguards: Policies and Risk Analysis
HIPAA requires documented policies and a risk analysis. You must:
- Conduct a risk assessment identifying threats to PHI (e.g., using NIST SP 800-30).
- Implement a security awareness training program for all employees.
- Assign a security officer (can be the CTO or a part-time role).
- Have a contingency plan (backup, disaster recovery, emergency mode operation).
- Review and update policies annually or after a change.
The risk analysis is the foundation. Without it, you cannot justify your security choices during an audit.
Common Mistakes Startups Make
Assuming encryption alone makes you compliant. Encryption is necessary but not sufficient. You need access controls, audit logs, and policies.
Sharing a single database for PHI and non-PHI. Separate PHI into a dedicated database or schema with stricter access controls.
Not logging access. Without logs, you cannot detect or investigate breaches. Use centralized logging.
Ignoring subcontractors. If you use AWS, Datadog, or any third party that touches PHI, they must also sign a BAA with you.
No incident response plan. You must know how to respond to a breach within the required timeframe.
How to Get Started: A Practical Roadmap
1. Determine scope. Identify where PHI enters, is stored, processed, or transmitted. Map data flows.
2. Conduct a risk assessment. Use a framework like NIST 800-66 or the HHS Security Risk Assessment Tool.
3. Implement technical safeguards. Encrypt data, enforce MFA, enable audit logging, set up intrusion detection.
4. Draft policies. Write an Information Security Policy, Incident Response Plan, and Breach Notification Procedure.
5. Get BAAs signed. With customers and with any vendors that touch PHI (AWS, database providers, email services).
6. Train your team. Annual HIPAA training for all staff.
7. Test your security. Run penetration tests regularly. See our SaaS security checklist for more details.
Continuous Validation: Don't Rely on a Single Audit
HIPAA is not a one-time certification. You must continuously monitor and update controls. New deployments, code changes, or vendor updates can introduce risks. Automated security testing helps catch issues early. Kyro is an AI penetration tester for SaaS. You point it at your app URL, it continuously hunts for real, reproducible vulnerabilities (broken access control, injection, auth bypass, SSRF, race conditions), reproduces each finding before alerting, and emails you. Pay as you go, free credits to start. Start a free scan.
Frequently asked questions
Is HIPAA compliance required for all health-tech SaaS?
Only if you handle PHI on behalf of a covered entity. If you only store de-identified data, HIPAA does not apply. But most health apps will touch PHI at some point.
What is a Business Associate Agreement (BAA) and why do I need it?
A BAA is a contract between you and a covered entity that outlines how you will protect PHI. Without it, you cannot legally handle PHI. You also need BAAs with your vendors who touch PHI.
Can I use AWS or Google Cloud for HIPAA-compliant hosting?
Yes, both AWS and GCP offer HIPAA-eligible services and will sign a BAA. You are still responsible for configuring them securely (encryption, access controls, logging).
How often should I run penetration tests for HIPAA?
HIPAA does not specify a frequency, but annual penetration testing is standard. Continuous testing is better for catching new vulnerabilities as you deploy updates.