HIPAA is the framework founders worry about most and understand least. The Office for Civil Rights (OCR) does not certify anyone, there is no official audit, and yet a breach can cost you up to $1.5M per violation. Here is what actually matters.
You are probably a Business Associate
HIPAA recognizes three party types: Covered Entities (providers, health plans, clearinghouses), Business Associates (anyone handling PHI on behalf of a covered entity), and Subcontractors. If you sell SaaS to hospitals, clinics, or insurers and your platform touches Protected Health Information (PHI), you are a Business Associate. That means you must sign a Business Associate Agreement (BAA) with every covered-entity customer and comply with the HIPAA Security Rule yourself.
The four rules you actually have to follow
| Rule | What it covers | Who it binds |
|---|---|---|
| Privacy Rule | Use and disclosure of PHI | Covered Entities primarily; BAs partially |
| Security Rule | Safeguards for electronic PHI | Both CEs and BAs fully |
| Breach Notification Rule | What to do when PHI is exposed | Both CEs and BAs |
| Enforcement Rule | How OCR investigates and penalizes | OCR uses this against everyone |
For SaaS Business Associates, the Security Rule is the heavyweight. It has three categories of safeguards: Administrative (policies, training, risk analysis), Physical (facility controls, workstation security), and Technical (access controls, audit logs, encryption, transmission security).
The Risk Analysis is the keystone
Every HIPAA enforcement action OCR has published in the last decade cites a failed or missing risk analysis. It is the single most important document in your HIPAA program. A defensible risk analysis must:
- Inventory every system, application, and process that creates, receives, maintains, or transmits ePHI
- Identify reasonably anticipated threats and vulnerabilities
- Assess likelihood and impact of each threat
- Document existing controls and gaps
- Be updated annually and after any material change
OCR enforcement reality
The 2018 Anthem settlement was $16M. The 2023 Banner Health settlement was $1.25M. In every case, the root finding was an inadequate risk analysis. If you do nothing else from this article, run a real risk analysis this quarter.
Technical safeguards: the SaaS-relevant list
Access controls (164.312(a))
Unique user IDs, automatic logoff, emergency access procedures, and encryption of PHI at rest. SSO with MFA covers the identity side of this (unique IDs, session timeout); encryption at rest is a separate control you still have to implement and document.
Audit controls (164.312(b))
Hardware, software, or procedural mechanisms that record activity on systems containing ePHI. CloudTrail plus a centralized log aggregator with retention covers this for AWS-based platforms.
Integrity controls (164.312(c))
Prove that PHI has not been altered or destroyed in an unauthorized manner. Database write-ahead logs, file integrity monitoring, or cryptographic checksums all qualify.
Transmission security (164.312(e))
TLS 1.2 or higher for all PHI in motion, end-to-end. No exceptions for “internal” traffic.
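Two of the safeguards above have a direct expression in code: a client TLS context that refuses anything below TLS 1.2 (transmission security), and a keyed SHA-256 manifest over a set of PHI files so that unauthorized modification is detectable (integrity controls). The following is an added illustration, not code from the original article or from any product it mentions; the file names, contents and the HMAC key are constructed for the demo, and in a real deployment the key would live in a secrets manager rather than in source.

```python
"""Constructed example of two Security Rule technical safeguards in code:
transmission security (TLS 1.2 floor) and integrity (keyed file manifest).
"""
import hashlib
import hmac
import json
import ssl
import tempfile
from pathlib import Path


def make_phi_client_context() -> ssl.SSLContext:
    """Client context for PHI in motion: verifies server certs and hostnames
    (create_default_context) and refuses TLS 1.0/1.1 handshakes."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_floor(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


def _sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _digests(root: Path) -> dict[str, str]:
    return {str(p.relative_to(root)): _sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_manifest(root: Path, key: bytes) -> dict:
    """Hash every file under root and sign the listing with an HMAC so an
    attacker who edits a file cannot simply recompute the manifest too."""
    entries = _digests(root)
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"entries": entries, "tag": tag}


def verify_manifest(root: Path, manifest: dict, key: bytes) -> list[str]:
    """Return a list of integrity problems; an empty list means the files
    match the signed manifest."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return ["manifest tag mismatch: the manifest itself was altered"]
    current = _digests(root)
    problems = []
    for name, digest in manifest["entries"].items():
        if name not in current:
            problems.append(f"missing: {name}")
        elif current[name] != digest:
            problems.append(f"modified: {name}")
    for name in current:
        if name not in manifest["entries"]:
            problems.append(f"unexpected: {name}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Build a manifest over two constructed PHI files, verify it, then make an
    unauthorized edit and verify again. Returns (clean_result, tampered_result)."""
    key = b"constructed-demo-key-do-not-hardcode-in-production"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "patient-42.json").write_text('{"mrn": "000042", "dx": "J45.909"}')
        (root / "notes.txt").write_text("follow-up in 2 weeks\n")
        manifest = build_manifest(root, key)
        clean = verify_manifest(root, manifest, key)
        (root / "notes.txt").write_text("follow-up in 6 weeks\n")  # unauthorized edit
        tampered = verify_manifest(root, manifest, key)
    return clean, tampered


if __name__ == "__main__":
    print("TLS floor:", tls_floor(make_phi_client_context()))
    print("clean / tampered:", demo())
```

The manifest is only as good as the key's protection and the verification schedule: run `verify_manifest` from a job whose identity differs from the one that writes the files, and log each result so the check itself shows up in your audit trail.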
The BAA: read the fine print
Customers will send you their BAA template. Common landmines:
- Unlimited indemnification. Cap it at the contract value or a multiple thereof.
- Breach notification within 24 hours. HIPAA requires “without unreasonable delay” and no later than 60 days. Push back to 72 hours minimum.
- Subcontractor approval. Customers may want veto power over every subprocessor. Negotiate this to notification plus ability to terminate.
- Audit rights. Limit to your SOC 2 or HITRUST report plus a written questionnaire.
HITRUST: do you need it?
HITRUST CSF is the de facto compliance certification for HIPAA. It is more rigorous and more expensive than SOC 2, but it is the only HIPAA-aligned cert that hospitals widely recognize. If your TAM is primarily health systems and large payers, HITRUST is worth the $50K-$150K investment. If you sell to clinics and digital health startups, a SOC 2 Type II with HIPAA mapping is usually sufficient.
The minimum viable HIPAA program
- Complete a documented risk analysis (annual)
- Adopt the 18 required Security Rule policies
- Train every employee with PHI access (annual)
- Implement TLS 1.2+, encryption at rest, MFA, unique IDs, audit logs
- Sign BAAs with every customer and every subprocessor
- Establish a breach notification procedure with clear escalation
- Maintain a sanction policy and document any HIPAA-related disciplinary actions
QAE ships a HIPAA control set pre-mapped to all 54 required and addressable Security Rule implementation specifications, plus templates for all 18 required policies and an automated risk-analysis builder. That is the fastest path from “we touched PHI” to “we are defensibly compliant.”
Want to skip the spreadsheet years?
QAE automates evidence collection across 200+ integrations, maps controls across 20+ frameworks, and gets you audit-ready in 11 weeks.