What is HIPAA compliance for a SaaS?

Short answer

HIPAA applies if you handle Protected Health Information (PHI) on behalf of a healthcare provider. Core requirements: a Business Associate Agreement with your customer, encryption at rest and in transit, audit logs retained for 6 years, and breach notification within 60 days. Expect 8-12 weeks to reach a first compliant posture.

HIPAA has two main rules that affect SaaS:

**Privacy Rule**: how PHI can be used + disclosed. Mostly governed by contract (BAA).

**Security Rule**: technical + administrative + physical safeguards. This is the engineering work.

Core requirements for a SaaS Business Associate:

  • **BAA with your customer** (Covered Entity) and with every sub-processor that touches PHI (AWS; Stripe if it handles health billing; Supabase if it stores PHI; etc.)
  • **Technical safeguards**
      • Encryption at rest (AES-256)
      • Encryption in transit (TLS 1.2+)
      • Access controls (unique users, auto-logoff)
      • Audit logs with 6-year retention
  • **Administrative safeguards**
      • Annual risk analysis
      • Incident response plan
      • Workforce training
      • Access review
  • **Breach notification**
      • 60 days to affected individuals + HHS
      • In some cases: media
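The technical safeguards above are the part that becomes code. The sketch below is an added example, not code from the original page or any vendor: it shows an append-only, hash-chained audit trail (unique user identity per event, tamper evidence on read-back), the 6-year retention computation, and an idle-session auto-logoff check. The field layout, the 15-minute idle threshold, and the sample events are constructed assumptions; HIPAA names no specific timeout.

```python
"""Added example (not from the original page): minimal audit-trail,
retention and auto-logoff helpers for the HIPAA technical safeguards.
Field names, the 15-minute idle timeout and sample events are assumptions."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

RETENTION_YEARS = 6                   # audit-log retention period from the page
IDLE_LOGOFF = timedelta(minutes=15)   # assumed auto-logoff threshold, not a HIPAA number
GENESIS = "0" * 64                    # prev_hash of the first entry in a chain


def _canonical(entry: dict) -> bytes:
    # Stable serialisation so the hash does not depend on dict key order
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_audit_event(log: list, *, ts: datetime, user_id: str, action: str,
                       resource: str, outcome: str) -> dict:
    """Append one event and chain it to the previous entry's hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    body = {
        "ts": ts.astimezone(timezone.utc).isoformat(),
        "user_id": user_id,      # a unique human identity, never a shared account
        "action": action,
        "resource": resource,    # an opaque record id, never the PHI itself
        "outcome": outcome,
        "prev_hash": prev_hash,
    }
    body["hash"] = hashlib.sha256(_canonical(body)).hexdigest()
    log.append(body)
    return body


def verify_chain(log: list) -> bool:
    """Recompute every hash; an edited, removed or reordered entry breaks the chain."""
    prev = GENESIS
    for entry in log:
        if entry["prev_hash"] != prev:
            return False
        unhashed = {k: v for k, v in entry.items() if k != "hash"}
        if hashlib.sha256(_canonical(unhashed)).hexdigest() != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def retention_expires(entry: dict) -> datetime:
    """Earliest instant at which an entry may be purged under the 6-year rule."""
    ts = datetime.fromisoformat(entry["ts"])
    try:
        return ts.replace(year=ts.year + RETENTION_YEARS)
    except ValueError:  # 29 Feb when the target year has no leap day
        return ts.replace(year=ts.year + RETENTION_YEARS, day=28)


def may_purge(entry: dict, now: datetime) -> bool:
    """True only once the retention window has fully elapsed."""
    return now >= retention_expires(entry)


def session_expired(last_activity: datetime, now: datetime) -> bool:
    """Auto-logoff: the session is dead once idle time reaches the threshold."""
    return now - last_activity >= IDLE_LOGOFF


def build_sample_log() -> list:
    """Constructed sample events (not real data) to exercise the helpers."""
    log: list = []
    t0 = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
    append_audit_event(log, ts=t0, user_id="clinician-17", action="read",
                       resource="patient-record-0042", outcome="allowed")
    append_audit_event(log, ts=t0 + timedelta(minutes=2), user_id="clinician-17",
                       action="update", resource="patient-record-0042", outcome="allowed")
    append_audit_event(log, ts=t0 + timedelta(minutes=5), user_id="billing-03",
                       action="read", resource="patient-record-0042", outcome="denied")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", verify_chain(sample))
    print("first entry purgeable after:", retention_expires(sample[0]).date())
```

The chain only makes tampering detectable; to make it resistant you would ship entries to write-once storage (or a separate log account) the application's own credentials cannot modify, and alert when `verify_chain` fails during the periodic access review.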

Timeline: 8-12 weeks to a first HIPAA-ready posture, assuming you build on vendors that will sign a BAA (AWS, GCP). HITRUST is an optional certification that enterprise health buyers often prefer.
