ComplianceCheckup

Compliance Blog

Does My SaaS Need to Be HIPAA Compliant?

If your software handles health data in any way, this is probably one of the first questions you ask. The short answer: if your SaaS stores, processes, or transmits protected health information (PHI) on behalf of a healthcare provider, health plan, or healthcare clearinghouse (directly, or as a subcontractor of another vendor that does), then yes, HIPAA applies to you. If your software never touches health data held by one of those organizations, HIPAA does not apply. Simple as that.


What Counts as Protected Health Information?

Protected health information is individually identifiable health information: any data that can identify a person and relates to their past, present, or future health condition, the healthcare they receive, or payment for that care, when it is created or held by a covered entity or its business associate. This includes things like names combined with diagnoses, medical record numbers, health insurance details, and appointment records.

It does not have to be medical records in the traditional sense. If your SaaS is a scheduling tool used by a dental clinic, and it stores patient names and appointment times, that is likely PHI.

What Is a Business Associate?

If a covered entity (a hospital, clinic, insurance company, etc.) uses your software to handle PHI, your company becomes what HIPAA calls a Business Associate. Since the 2013 Omnibus Rule, Business Associates are directly liable under the HIPAA Security Rule and the relevant parts of the Privacy Rule, not just contractually bound. You also need to sign a Business Associate Agreement (BAA) with each covered entity you work with.

Not signing a BAA when you should have is one of the most common HIPAA violations for SaaS companies.

Examples: Does This SaaS Need HIPAA Compliance?

A telemedicine platform that stores patient records: Yes, HIPAA required.

A general project management tool used by a hospital internally: Probably not, unless the hospital uses it to store patient data. If it does, the hospital must sign a BAA with you and HIPAA applies.

HR software used by a healthcare company for employee records: No. Employment records a covered entity holds in its role as an employer are excluded from the definition of PHI.

A billing software that processes health insurance claims: Yes, HIPAA required.

A fitness app that tracks workouts: No, unless it connects to a health plan or provider and transmits clinical data.

The determining factor is always whether PHI flows through your system on behalf of a covered entity.

What Does HIPAA Actually Require from a SaaS Company?

If HIPAA does apply to you, the main requirements are:

Technical safeguards: Encryption of PHI at rest and in transit, access controls (including unique user identification), automatic logoff, and audit logs. Some of these, such as encryption and automatic logoff, are "addressable" specifications in the Security Rule: you must implement them or document why an equivalent alternative is reasonable for your environment. In practice, customers expect encryption everywhere.

Physical safeguards: Controls over physical access to systems that store PHI. For cloud-based SaaS, this mostly comes down to your hosting provider's compliance (AWS, Google Cloud, and Azure all offer HIPAA-eligible services). You still need to sign the provider's BAA and run PHI workloads only on the services it covers; the provider handles the data center, but your configuration, access management, and logging remain your responsibility.

Administrative safeguards: Written policies, employee training, a designated security officer (and a privacy officer where the Privacy Rule applies to you), and a documented risk analysis and risk management process.

Business Associate Agreements: Signed agreements with every covered entity you work with, and with your own subcontractors that touch PHI.
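Three of the technical safeguards listed above (access controls, automatic logoff, and audit logs) are application-level work that a SaaS team owns regardless of hosting provider. The following is an added example, not code from the original page or from any particular product, of a small gateway that enforces them together in one place. The role names, the 15-minute idle timeout, the `PhiGateway` and `Session` names, and the sample record are all assumptions for illustration; HIPAA does not prescribe these values. Encryption at rest and in transit is left to the storage and transport layers and is not shown.

```python
"""Minimal PHI access gateway: role-based access control, automatic
logoff on idle sessions, and an audit trail of every access decision.
Added example; names, roles and the 15-minute timeout are assumptions,
not values HIPAA prescribes."""
import json
import time
from dataclasses import dataclass, field
from typing import Callable

IDLE_TIMEOUT_SECONDS = 15 * 60  # hypothetical policy value; set per your risk analysis

# Hypothetical role-to-action map. Each role gets only the actions its job needs
# (the Privacy Rule's "minimum necessary" idea applied to application access).
PERMISSIONS = {
    "clinician": {"read", "update"},
    "billing": {"read"},
    "support": set(),  # support staff never see clinical records directly
}


@dataclass
class Session:
    user_id: str          # unique user identification, a required specification
    role: str
    last_activity: float  # epoch seconds of the last authorised action


@dataclass
class PhiGateway:
    records: dict                           # record_id -> PHI (constructed sample below)
    audit_log: list = field(default_factory=list)
    clock: Callable[[], float] = time.time  # injectable so tests are deterministic

    def _audit(self, user_id: str, action: str, record_id: str, outcome: str) -> None:
        # Log who, what, when and the outcome, never the PHI itself: the audit
        # trail is read by more people than the records are.
        self.audit_log.append({
            "ts": self.clock(),
            "user": user_id,
            "action": action,
            "record": record_id,
            "outcome": outcome,
        })

    def access(self, session: Session, action: str, record_id: str):
        now = self.clock()
        # Automatic logoff: an idle session is rejected even though it authenticated.
        if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
            self._audit(session.user_id, action, record_id, "denied:session_expired")
            raise PermissionError("session expired, re-authenticate")
        session.last_activity = now
        # Access control: the role must be allowed to perform this action.
        if action not in PERMISSIONS.get(session.role, set()):
            self._audit(session.user_id, action, record_id, "denied:role")
            raise PermissionError(f"role {session.role!r} may not {action}")
        if record_id not in self.records:
            self._audit(session.user_id, action, record_id, "denied:no_such_record")
            raise KeyError(record_id)
        self._audit(session.user_id, action, record_id, "allowed")
        return self.records[record_id]


def demo(clock: Callable[[], float] = time.time) -> list:
    """Run three accesses against a constructed record and return the audit log."""
    gw = PhiGateway(
        records={"MRN-0001": {"name": "Sample Patient", "dx": "constructed example"}},
        clock=clock,
    )
    now = clock()
    clinician = Session("dr.ada", "clinician", last_activity=now)
    support = Session("helpdesk.bob", "support", last_activity=now)
    stale = Session("dr.ada", "clinician", last_activity=now - IDLE_TIMEOUT_SECONDS - 1)

    gw.access(clinician, "read", "MRN-0001")  # allowed
    for sess, action in ((support, "read"), (stale, "read")):
        try:
            gw.access(sess, action, "MRN-0001")
        except PermissionError:
            pass  # denied attempts are still written to the audit log
    return gw.audit_log


if __name__ == "__main__":
    for entry in demo():
        print(json.dumps(entry))
```

Two design points worth copying even if the rest is replaced by a framework: denied attempts are logged with the same detail as successful ones, because failed access patterns are what an investigation looks for, and the audit entry carries the record identifier but never the record contents, so the log itself does not become a second store of PHI.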

What Happens If You Are Not Compliant?

Civil penalties are tiered by culpability, with statutory amounts from $100 to $50,000 per violation and an annual cap per violation category that was set at $1.5 million and is adjusted for inflation each year (around $1.9 million in recent adjustments, and rising). State attorneys general can also bring HIPAA actions. The bigger risk for most SaaS companies is losing enterprise healthcare customers who require proof of compliance before signing a contract.

How to Get Started

The first step is doing a proper HIPAA compliance assessment to understand exactly where you stand. Our free HIPAA compliance checklist walks you through every requirement so you can see what you have covered and what still needs work.

Frequently Asked Questions

Is HIPAA only for US companies?
HIPAA is a US law, but it applies to any company that handles PHI on behalf of a US covered entity, regardless of where the company is based. If a European SaaS sells to US healthcare providers and processes their patient data, HIPAA applies. Health data about a US resident that never passes through a covered entity or its business associates is not PHI and is not covered by HIPAA, although other privacy laws may apply.
Do I need HIPAA compliance if I only store data for a short time?
Yes. Even temporary storage of PHI triggers HIPAA requirements. There is no minimum retention period before the rules kick in. The only narrow exception is the "conduit" exception for services that merely transmit PHI without persisting it or routinely accessing it, such as an internet service provider; a SaaS that stores or processes PHI, even briefly, does not qualify.
Can I become HIPAA compliant on my own, or do I need a third-party audit?
There is no official HIPAA certification or required third-party audit. You attest to compliance yourself by implementing the required safeguards and documenting them, and HHS can investigate that documentation after a complaint or breach. Many enterprise customers will ask for a third-party assessment report (often a SOC 2 report with HIPAA-mapped controls or a HITRUST assessment) before signing a contract.
What is the difference between HIPAA compliant and HIPAA certified?
Strictly speaking, there is no such thing as HIPAA certification. The term is used loosely in the industry, but HIPAA compliance is self-attested, not certified by any government body.