HIPAA Isn’t Optional if You Touch Health Data
If your SaaS product stores, processes, or transmits protected health information (PHI) on behalf of healthcare organizations, you’re a Business Associate under HIPAA. That’s not a suggestion or a best practice. It’s a legal classification with real obligations and real penalties.
HIPAA's civil penalty tiers run from $100 to $50,000 per violation, capped at $1.5 million per calendar year for violations of an identical provision; those statutory figures are adjusted for inflation every year, and the adjusted annual cap now exceeds $2 million. The Office for Civil Rights (OCR) has imposed penalties exceeding $1 million on organizations of all sizes. And beyond enforcement, a breach of unsecured PHI triggers mandatory notification to affected individuals and HHS, and for larger incidents the media, which is the kind of publicity no company wants.
Who Qualifies as a Business Associate
A Business Associate is any organization that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity (healthcare providers, health plans, and healthcare clearinghouses). For SaaS companies, this includes:
- EHR and clinical software platforms that store patient records
- Analytics and reporting tools that process health data
- Communication platforms used by healthcare providers
- Cloud infrastructure providers hosting PHI
- Billing and revenue cycle management tools
- Patient engagement and scheduling platforms
- Any SaaS product integrated into a healthcare workflow where PHI flows through your systems
If a healthcare customer asks you to sign a Business Associate Agreement (BAA), that's your signal. But the signed BAA is not what makes you a Business Associate: since the 2013 Omnibus Rule, Business Associates are directly liable under HIPAA for their own compliance, so if PHI flows through your system the obligations apply whether or not the paperwork exists. The only carve-out is the narrow conduit exception for services that merely transmit PHI and have no more than random or incidental access to it, such as an ISP or a courier; a SaaS product that stores or processes PHI does not qualify, even if your staff never look at the data.
The Three HIPAA Rules
Privacy Rule
Governs the use and disclosure of PHI. As a Business Associate, you may only use or disclose PHI as permitted by your BAA, as required by law, or for your own proper management and administration and to carry out your legal responsibilities. You cannot use PHI for marketing, sell PHI, or use it for purposes outside the scope of your agreement, and you cannot repurpose a customer's PHI to train models or build products the BAA does not cover.
Security Rule
Requires administrative, physical, and technical safeguards to protect electronic PHI (ePHI). This is where most of the implementation work lives for SaaS companies:
Administrative Safeguards: Security management process, assigned security responsibility, workforce security, information access management, security awareness training, security incident procedures, contingency planning, and regular evaluations.
Physical Safeguards: Facility access controls, workstation use and security, and device and media controls. For cloud-native SaaS companies, many physical safeguards are inherited from your cloud provider, but you still need to document this and address what’s in your control.
Technical Safeguards: Access controls, audit controls, integrity controls, person or entity authentication, and transmission security. Unique user identification, emergency access procedures, automatic logoff, encryption and decryption, audit logging, and integrity verification are the implementation specifications that live here. The Security Rule labels each specification either required or addressable, and addressable does not mean optional: you implement it, implement a documented equivalent, or document why it is not reasonable and appropriate for your environment.
Breach Notification Rule
If a breach of unsecured PHI occurs, you must notify the affected Covered Entity without unreasonable delay and no later than 60 days after discovery, where discovery means the first day the breach is known, or reasonably should have been known, to anyone in your workforce other than the person who caused it. The 60 days is an outer limit, and most BAAs shorten it considerably, sometimes to a few days. The Covered Entity then notifies the affected individuals and HHS: for breaches affecting 500 or more individuals HHS is notified within 60 days of discovery, while smaller breaches are logged and reported to HHS annually. Breaches affecting more than 500 residents of a state or jurisdiction also require notice to prominent media outlets serving that area. PHI that was encrypted in line with HHS guidance, with the keys not compromised, is not "unsecured", which is why encryption matters for breach exposure and not only as a safeguard.
The Business Associate Agreement
The BAA is the legal document that defines your relationship with Covered Entities. It specifies what PHI you’ll handle, how you’ll protect it, what you’ll do in case of a breach, and your obligations upon termination.
Key provisions every SaaS company should understand:
- Permitted uses and disclosures. What can you do with the PHI? This should be tightly scoped to what’s necessary for your service.
- Safeguards. Your commitment to implement appropriate safeguards. This is where HIPAA’s Security Rule requirements become contractual.
- Breach notification. Your obligation to report breaches and the timeline for doing so.
- Subcontractor requirements. If you use subcontractors (sub-processors) who access PHI, you must have BAAs with them too.
- Return or destruction. What happens to PHI when the relationship ends.
Don’t sign a BAA you can’t comply with. If a customer’s BAA includes requirements beyond what you’ve implemented, either negotiate the terms or build the capabilities first.
Building a HIPAA Compliance Program
1. Conduct a Risk Analysis
HIPAA requires an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. This isn't a one-time exercise. You need to conduct risk analyses regularly and whenever significant changes occur in your environment, and the scope must cover all ePHI you create, receive, maintain, or transmit, including backups, log pipelines, and staging or test environments that hold copies of production data. Document threats, vulnerabilities, current controls, likelihood, and impact for each risk. A missing or inadequate risk analysis is among the findings OCR cites most often in settlements, so expect it to be the first document an investigator asks for.
2. Implement the Security Rule Safeguards
Map the Security Rule's requirements to your environment. For a cloud-native SaaS company, many controls are already in place if you have a mature security program. Focus on gaps: Does your audit logging capture every read of ePHI, including reads by administrators and support staff through internal tools, or only writes? Is ePHI encrypted at rest and in transit? Does every human and service account that can reach ePHI have a unique identifier, or are engineers sharing a database credential? Do idle sessions log off automatically? Is access restricted to the minimum necessary for each role?
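The checks in step 2 are easier to reason about in code. The following Python is an added example, not part of the original article or of any particular product: it models role-scoped field filtering for the minimum necessary standard, automatic logoff of idle sessions, and an append-only audit trail whose entries are hash-chained so that later edits to the log are detectable. The role-to-field policy, the 15-minute idle threshold, the field names, and the patient record are all constructed assumptions for illustration; HIPAA does not prescribe specific values for any of them.

```python
"""Illustrative technical safeguards for ePHI access (added example).

Demonstrates three Security Rule concepts together: minimum-necessary
field filtering by role, automatic logoff of idle sessions, and a
tamper-evident audit trail. Policy values below are assumptions.
"""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample record; every value is fictional.
PATIENT_RECORD = {
    "record_id": "rec-0001",
    "name": "Jane Example",
    "dob": "1980-02-29",
    "ssn": "000-00-0000",
    "diagnoses": ["E11.9"],
    "medications": ["metformin"],
    "insurance_member_id": "MBR-12345",
    "last_sync_error": "upstream timeout at 2024-05-01T10:00:00Z",
}

# Assumed role policy: the fields each role may see (minimum necessary).
# A support engineer debugging a sync failure needs system metadata only.
ROLE_FIELDS = {
    "clinician": set(PATIENT_RECORD),
    "billing": {"record_id", "name", "dob", "insurance_member_id", "diagnoses"},
    "support_engineer": {"record_id", "last_sync_error"},
}

IDLE_TIMEOUT = timedelta(minutes=15)  # assumed automatic-logoff threshold


@dataclass
class Session:
    user_id: str
    role: str
    last_activity: datetime

    def is_expired(self, now: datetime) -> bool:
        return now - self.last_activity > IDLE_TIMEOUT


@dataclass
class AuditLog:
    """Append-only log; each entry's hash commits to the previous entry."""
    entries: list = field(default_factory=list)

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        body = json.dumps(event, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {**event, "prev_hash": prev, "hash": self._digest(prev, event)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; any edited, removed or reordered entry fails."""
        prev = "0" * 64
        for e in self.entries:
            event = {k: v for k, v in e.items() if k not in ("prev_hash", "hash")}
            if e["prev_hash"] != prev or e["hash"] != self._digest(prev, event):
                return False
            prev = e["hash"]
        return True


class AccessDenied(Exception):
    pass


def read_record(session: Session, record: dict, log: AuditLog,
                now: datetime, purpose: str) -> dict:
    """Return the role-scoped view of a record; log grants and denials alike."""
    base = {"ts": now.isoformat(), "user": session.user_id, "role": session.role,
            "record_id": record["record_id"], "purpose": purpose}
    if session.is_expired(now):
        log.append({**base, "outcome": "denied", "reason": "session expired"})
        raise AccessDenied("session expired; re-authenticate")
    allowed = ROLE_FIELDS.get(session.role)
    if allowed is None:
        log.append({**base, "outcome": "denied", "reason": "unknown role"})
        raise AccessDenied(f"role {session.role!r} has no ePHI entitlement")
    view = {k: v for k, v in record.items() if k in allowed}
    session.last_activity = now
    log.append({**base, "outcome": "allowed", "fields": sorted(view)})
    return view


def run_demo() -> dict:
    """Scenario on the constructed data; returns results for inspection."""
    t0 = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    log = AuditLog()
    eng = Session("eng-7", "support_engineer", t0)
    eng_view = read_record(eng, PATIENT_RECORD, log,
                           t0 + timedelta(minutes=5), "debug sync failure")
    bill = Session("bill-2", "billing", t0)
    denied = None
    try:  # 16 idle minutes exceeds the assumed 15-minute threshold
        read_record(bill, PATIENT_RECORD, log, t0 + timedelta(minutes=16), "claim review")
    except AccessDenied as exc:
        denied = str(exc)
    intact = log.verify()
    log.entries[0]["user"] = "someone-else"  # simulate tampering with the trail
    return {"eng_view": eng_view, "denied": denied, "entries": len(log.entries),
            "intact": intact, "tampered_ok": log.verify()}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

`run_demo()` walks a support engineer's request (only `record_id` and the sync error come back, never the SSN or diagnoses), a billing user whose session idled past the threshold (refused, and the refusal is itself logged), and a tamper check on the trail. In a real deployment the log would be written to storage the application cannot modify and the chain head anchored somewhere outside the application's control; the point here is that audit controls mean recording denials as well as grants, and that the record of who viewed which fields is itself ePHI-adjacent data that needs an integrity control.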
3. Write Your Policies
HIPAA requires documented policies and procedures. At minimum, you need policies covering data access, encryption, incident response, breach notification, workforce training and sanctions, business associate management, contingency planning, and device management. These should reflect what you actually do, not boilerplate language, and the Security Rule requires you to retain them, along with the records of actions and assessments they call for, for six years from the date they were created or last in effect, whichever is later.
4. Train Your Workforce
Everyone who could potentially access PHI needs HIPAA training, at onboarding and periodically afterwards. This includes engineering, support, and operations teams, not just the people who talk to healthcare customers. Training should cover what PHI is, how to handle it, what constitutes a breach, and how to report incidents internally. HIPAA also requires a documented sanctions policy for workforce members who violate your PHI policies, and records that training actually happened.
5. Manage Your Subcontractors
If any of your subcontractors or sub-processors create, receive, maintain, or transmit PHI on your behalf, you need BAAs with them, and they are directly liable as Business Associates in their own right. Review their security practices and keep an inventory of which sub-processors can reach PHI and through which services. You're responsible for ensuring the chain of protection extends to everyone who touches the data.
6. Prepare for Incidents
Have a documented incident response plan that specifically addresses PHI breaches. Include your breach risk assessment methodology (to determine whether notification is required), notification procedures, and escalation paths. Practice it.
Common Pitfalls
Assuming encryption solves everything. Encryption is necessary but not sufficient. HIPAA requires a comprehensive set of safeguards. Encrypted data with open access controls is still a compliance failure, and the breach safe harbor for encrypted PHI only applies when the keys were not compromised; it does nothing for an attacker or insider who reads the data through a legitimately authenticated application path.
Ignoring the minimum necessary standard. You should only access, use, or disclose the minimum amount of PHI necessary for the purpose. If your engineers can access full patient records when they only need system logs, that's a problem, and a production database credential shared across the engineering team fails both minimum necessary and unique user identification at once.
Treating HIPAA as separate from your security program. HIPAA safeguards overlap significantly with SOC 2 and ISO 27001 controls. Build a unified program rather than maintaining parallel compliance efforts.
No BAA with your cloud provider. AWS, Azure, and GCP all offer BAAs, but you need to actually execute or accept them. And the BAA only covers specific services, so make sure your architecture uses only BAA-eligible services for PHI workloads and re-check the list when you adopt a new service. The provider's BAA also covers only its side of the shared responsibility model; a misconfigured storage bucket or an over-permissive IAM policy is your breach, not theirs.
Incomplete breach analysis. Not every security incident involving PHI is a reportable breach, but an impermissible use or disclosure is presumed to be one unless you can demonstrate a low probability that the PHI was compromised. HIPAA's four-factor risk assessment considers the nature and extent of the PHI involved (including the identifiers present and the likelihood of re-identification), the unauthorized person who used it or to whom it was disclosed, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. You need to document the analysis either way, because the burden of proof that an incident was not a breach sits with you.
HIPAA and Other Frameworks
SOC 2. A SOC 2 Type II report covering the Security Trust Services Criteria addresses many HIPAA Security Rule requirements. Some companies add a HIPAA mapping to their SOC 2 report (SOC 2 + HIPAA) to satisfy both with a single audit.
ISO 27001. ISO 27001 supplies the management-system scaffolding (risk assessment, documented policy, internal audit, corrective action) that the Security Rule's administrative safeguards presume. Certified organizations typically have most HIPAA administrative safeguards in place, though the PHI-specific pieces such as BAA management and breach notification still need to be added explicitly.
HITRUST. The HITRUST CSF was specifically designed to harmonize HIPAA with other frameworks. HITRUST certification is increasingly requested by large healthcare organizations, though it requires significant investment.
At Concerto, we help SaaS companies build HIPAA compliance programs that integrate with their existing security frameworks. Whether you’re signing your first BAA or managing PHI across a complex multi-tenant environment, we can help you build a program that satisfies your healthcare customers and protects your business. Schedule a consultation to get started.
