If you work in healthcare technology, digital health, or any SaaS company whose customers touch patient data, HIPAA compliance isn't optional. The Health Insurance Portability and Accountability Act has been federal law since 1996, and the HHS Office for Civil Rights has been issuing fines — sometimes into the millions — for over a decade.
This guide cuts through the jargon. Below you'll find every HIPAA control mapped to whether it's Required or Addressable, a plain-English explanation of what each one means, and a practical path to getting compliant.
Quick stat: In 2024, HHS OCR resolved 37,182 cases and collected over $8 million in penalties. The most common violation categories: lack of a risk analysis, insufficient access controls, and missing business associate agreements — all preventable with the checklist below.
Who Needs to Be HIPAA Compliant?
HIPAA applies to two categories of organizations:
Covered Entities — Healthcare providers (hospitals, clinics, physicians, therapists), health plans (insurers, HMOs, Medicare/Medicaid), and healthcare clearinghouses (companies that process health data between providers and payers).
Business Associates — Any organization that performs functions or activities on behalf of a covered entity that involve creating, receiving, maintaining, or transmitting protected health information (PHI). This is the category that catches most SaaS companies and technology vendors off guard.
Are you a Business Associate? If any of the following apply, yes:
- You provide cloud storage, hosting, or infrastructure to a healthcare company.
- You build EHR, billing, or scheduling software.
- You offer IT support, analytics, or data processing services to healthcare clients.
- You run a messaging or communication platform used by providers.
If any healthcare customer's PHI passes through your systems — even encrypted — you are a Business Associate and HIPAA applies to you.
What Counts as PHI?
Protected Health Information (PHI) is any information that can identify an individual and relates to their past, present, or future physical or mental health, the provision of healthcare, or payment for healthcare. The key word is "identify" — PHI requires both a health component and an identifier.
HIPAA's Safe Harbor de-identification method requires removing 18 specific identifiers. If any of these are present alongside health information, you have PHI:
Direct Identifiers
- Names
- Geographic data (below state level)
- Dates (except year) — birth, admission, discharge
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
Device & Account Identifiers
- Account numbers
- Certificate / license numbers
- Vehicle identifiers & serial numbers
- Device identifiers & serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (fingerprints, voiceprints)
- Full-face photographs
- Any other unique identifying number
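The identifier list above is easier to reason about when it is applied to a concrete record. The following Python is an added example written for this guide, not code from the original page; the field names (`dob`, `zip`, `mrn`, and so on) and the sample record are constructed assumptions. It removes the listed direct identifiers, reduces dates to the year, truncates ZIP codes to the three-digit prefix that Safe Harbor permits (with a placeholder for the prefixes that must become 000), and redacts identifiers that leak inside free-text notes, then checks that nothing from the list remains.

```python
import re
from datetime import date
from typing import Any, Dict

# Constructed sample record for demonstration only; it contains no real patient data.
SAMPLE_RECORD: Dict[str, Any] = {
    "name": "Jane Q. Sample",
    "dob": "1984-03-17",
    "admit_date": "2024-11-02",
    "zip": "02139",
    "phone": "(617) 555-0142",
    "email": "jane.sample@example.org",
    "ssn": "123-45-6789",
    "ip": "203.0.113.45",
    "diagnosis": "Type 2 diabetes mellitus",
    "note": "Reached at 617-555-0142; follow-up planned for 2024-12-01.",
}

# Field names are assumptions about the record layout. These map onto the
# Safe Harbor identifier categories and are dropped outright.
REMOVE_FIELDS = {"name", "phone", "fax", "email", "ssn", "mrn", "account",
                 "url", "ip", "device_serial", "plan_beneficiary_id"}
# Dates are retained at year granularity only.
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}
# Safe Harbor allows the first three ZIP digits except for sparsely populated
# areas, which must be set to 000. Placeholder: populate from the current list.
RESTRICTED_ZIP3: set = set()

# Identifiers that commonly leak inside free-text fields. Order matters:
# SSNs are matched before the looser phone pattern.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "[EMAIL]"),
    (re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
]


def scrub_free_text(text: str) -> str:
    """Replace identifier patterns inside narrative text with labelled tokens."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def safe_harbor_scrub(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the record with the Safe Harbor identifiers removed."""
    out: Dict[str, Any] = {}
    for key, value in record.items():
        if key in REMOVE_FIELDS:
            continue
        if key in DATE_FIELDS:
            out[key] = str(date.fromisoformat(value).year)
        elif key == "zip":
            prefix = value[:3]
            out[key] = "000" if prefix in RESTRICTED_ZIP3 else prefix
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)
        else:
            out[key] = value
    return out


def contains_identifiers(record: Dict[str, Any]) -> bool:
    """True if any identifier field, full date, full ZIP, or free-text pattern remains."""
    if REMOVE_FIELDS & record.keys():
        return True
    if isinstance(record.get("zip"), str) and len(record["zip"]) > 3:
        return True
    for value in record.values():
        if isinstance(value, str) and any(p.search(value) for p, _ in FREE_TEXT_PATTERNS):
            return True
    return False


if __name__ == "__main__":
    print(safe_harbor_scrub(SAMPLE_RECORD))
```

The point of `contains_identifiers` is that de-identification is only as good as its verification: run the check on the output, not just the scrubber on the input, because a date or phone number hidden in a free-text note is enough to keep the whole record in scope as PHI.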
ePHI (electronic PHI) is the same data in electronic form — in databases, file systems, email, or any digital medium. The HIPAA Security Rule specifically governs ePHI. The Privacy Rule covers PHI in all forms: electronic, paper, and oral.
The Three HIPAA Rules
HIPAA compliance is not a single standard — it's three distinct rules that together define your obligations.
Security Rule
Governs electronic PHI (ePHI). Requires Administrative, Physical, and Technical Safeguards to protect the confidentiality, integrity, and availability of ePHI. This is the rule most technology organizations focus on.
Privacy Rule
Governs all PHI in any form. Sets limits on how PHI can be used and disclosed, grants patients rights over their own health information, and requires covered entities to have a Notice of Privacy Practices.
Breach Notification Rule
Requires covered entities and business associates to notify affected individuals, HHS, and (for large breaches) the media following a breach of unsecured PHI. Notification must occur within 60 days of discovery.
Required vs. Addressable Controls
Every HIPAA Security Rule control is categorized as either Required or Addressable. This is one of the most misunderstood aspects of HIPAA.
"Addressable" does NOT mean "optional." Addressable controls must be implemented. The only flexibility is how — you can implement the specification as written, implement an equivalent alternative, or document in writing why the control is not reasonable and appropriate for your specific situation. Simply skipping an addressable control is a violation.
Administrative Safeguards Checklist
Administrative safeguards are the policies, procedures, and processes you put in place to manage who has access to ePHI and how it is protected. They represent the largest category — roughly 9 of the 18 Security Rule standards are administrative.
Security Management Process
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI your organization holds. This is the cornerstone of the entire Security Rule — everything else builds on it. Must be updated regularly and whenever operations change significantly.
Implement security measures sufficient to reduce identified risks and vulnerabilities to a reasonable and appropriate level. Document your risk management plan and track remediation.
Apply appropriate sanctions against workforce members who fail to comply with your security policies. Document the sanctions policy and apply it consistently.
Implement procedures to regularly review records of information system activity — audit logs, access reports, and security incident tracking reports.
Assigned Security Responsibility
Designate a single individual responsible for the development and implementation of your HIPAA security policies and procedures. Document their name and role. For small organizations this is often the CEO or CTO — what matters is that the responsibility is formally assigned and documented.
Workforce Security
Implement procedures for the authorization or supervision of workforce members who work with ePHI or in locations where it might be accessed.
Implement procedures to determine whether access of a workforce member to ePHI is appropriate. Background checks and access justification processes fall here.
Implement procedures for terminating access to ePHI when employment ends or access authorization changes. Offboarding checklists, immediate account deactivation policies.
Information Access Management
If you are a healthcare clearinghouse that is part of a larger organization, implement policies to protect ePHI from unauthorized access by the larger organization. (Applies to clearinghouses only.)
Implement policies and procedures for granting access to ePHI — for example, through access to a workstation, transaction, program, process, or other mechanism. Role-based access control (RBAC) is the standard approach.
Implement policies and procedures that, based on the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.
Security Awareness and Training
Periodic security updates sent to all workforce members — email reminders, policy updates, awareness bulletins.
Procedures for guarding against, detecting, and reporting malicious software. Endpoint protection, anti-malware tools, and policies on software installation.
Procedures for monitoring log-in attempts and reporting discrepancies. Failed login alerting, anomalous access detection.
Procedures for creating, changing, and safeguarding passwords. Password manager usage, minimum complexity requirements, prohibiting password sharing.
Security Incident Procedures
Implement policies and procedures to address security incidents — identify, respond to, mitigate the effects of, and document security incidents and their outcomes. A documented Incident Response Plan is essential here.
Contingency Plan
Establish and implement procedures to create and maintain retrievable exact copies of ePHI. Automated backups with defined RTO/RPO, tested regularly.
Establish and implement procedures to restore any loss of data following a system emergency.
Establish procedures to enable continuation of critical business processes protecting the security of ePHI while operating in emergency mode.
Implement procedures for periodic testing and revision of contingency plans.
Assess the relative criticality of specific applications and data in support of other contingency plan components.
Evaluation
Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under the Security Rule and subsequently in response to environmental or operational changes, that establishes the extent to which your security policies and procedures meet the requirements. Annual internal HIPAA audits are the standard approach.
Physical Safeguards Checklist
Physical safeguards govern who can physically access your systems and how hardware is managed and disposed of. For cloud-native organizations, many physical safeguards are handled by your infrastructure provider — but you still need to document that arrangement and address workstation security.
Facility Access Controls
Establish procedures that allow facility access in support of restoration of lost data under the disaster recovery plan.
Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control and control of access to software programs for testing and revision.
Implement policies and procedures to document repairs and modifications to the physical components of a facility (hardware, walls, doors, locks).
Workstation Use & Security
Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.
Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users only. Screen locks, locked rooms, clean-desk policies.
Device and Media Controls
Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored. Secure wiping before disposal, certificate of destruction for physical media.
Implement procedures for removal of ePHI from electronic media before the media is made available for re-use.
Maintain a record of the movements of hardware and electronic media, and any person responsible for them.
Create a retrievable, exact copy of ePHI when needed before movement of equipment.
Technical Safeguards Checklist
Technical safeguards are the technology controls that protect ePHI and control access to it. For most software companies, this is where the most implementation work lives.
Access Controls
Assign a unique name or number for identifying and tracking user identity. No shared logins. Every user who accesses ePHI must have a unique, individual account.
Establish and implement procedures for obtaining necessary ePHI during an emergency. Break-glass access procedures with logging and review.
Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. Session timeouts of 15–30 minutes are typical for healthcare applications.
Implement a mechanism to encrypt and decrypt ePHI at rest. AES-256 encryption for stored data is the industry standard. This control is addressable, but in practice any organization that cannot document a justification for leaving data at rest unencrypted is effectively required to encrypt it.
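The access-control items above (unique user IDs, break-glass emergency access with logging and review, and inactivity timeouts) fit together in a single session-handling component. The Python below is an added example for this guide, not code from the original page; the account directory, the 15-minute limit (the low end of the range mentioned above), and the event format are assumptions. It rejects shared or generic account names, ends a session after the inactivity limit, and records every break-glass use with a required reason and a review flag.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumption: 15 minutes of inactivity ends the session.
INACTIVITY_LIMIT_SECONDS = 15 * 60

# Constructed directory of named individual accounts. Generic or shared names
# are rejected so that every recorded action maps to exactly one person.
INDIVIDUAL_ACCOUNTS = {"dr.alvarez", "nurse.chen", "billing.okafor"}
SHARED_ACCOUNT_NAMES = {"admin", "nurse", "frontdesk", "shared"}


def is_individual_account(user_id: str) -> bool:
    """Unique-user check: the ID must name one enrolled person, not a role."""
    return user_id in INDIVIDUAL_ACCOUNTS and user_id not in SHARED_ACCOUNT_NAMES


class ManualClock:
    """Settable clock so the timeout can be exercised without waiting."""

    def __init__(self, now: float = 0.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


@dataclass
class Session:
    user_id: str
    last_activity: float
    emergency: bool = False


class AccessControl:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}
        self.audit_events: List[Dict] = []

    def _log(self, user_id: str, action: str, **details) -> None:
        self.audit_events.append(
            {"ts": self._clock(), "user": user_id, "action": action, **details})

    def login(self, user_id: str) -> str:
        """Issue a session token for an individual account; refuse shared logins."""
        if not is_individual_account(user_id):
            self._log(user_id, "login_rejected", reason="not a unique individual account")
            raise PermissionError(f"{user_id!r} is not a unique individual account")
        token = secrets.token_urlsafe(16)
        self._sessions[token] = Session(user_id, self._clock())
        self._log(user_id, "login")
        return token

    def activity(self, token: str) -> Optional[Session]:
        """Return the live session, or end it and return None after the idle limit."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if self._clock() - session.last_activity > INACTIVITY_LIMIT_SECONDS:
            del self._sessions[token]
            self._log(session.user_id, "session_timeout")
            return None
        session.last_activity = self._clock()
        return session

    def break_glass(self, token: str, reason: str) -> bool:
        """Emergency access: allowed only with a documented reason, always flagged for review."""
        session = self.activity(token)
        if session is None:
            return False
        if not reason.strip():
            self._log(session.user_id, "break_glass_rejected", reason="no justification given")
            return False
        session.emergency = True
        self._log(session.user_id, "break_glass", reason=reason.strip(), needs_review=True)
        return True

    def pending_reviews(self) -> List[Dict]:
        """Events the security officer still has to review."""
        return [e for e in self.audit_events if e.get("needs_review")]
```

The injectable clock is what makes the timeout testable; in production the default `time.time` is used. Note that the break-glass path does not bypass the session timeout, and that a rejected break-glass attempt is itself logged.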
Audit Controls
Implement hardware, software, or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. Comprehensive audit logging — who accessed what data, when, from where. Logs must be tamper-evident and retained for 6 years.
Integrity Controls
Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner. Checksums, hash verification, and database integrity monitoring.
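The audit-control requirement (record who accessed what, when, from where, in a tamper-evident log) and the integrity-control requirement (corroborate that records have not been altered) can be met by the same structure: a hash-chained log in which each entry commits to the previous one. The Python below is an added example for this guide, not code from the original page; the entry fields and the sample events are constructed assumptions. It serves both the Audit Controls and Integrity Controls items above: `record` appends chained entries, `verify` reports the index of the first entry whose content, sequence number, or link to its predecessor no longer checks out, and `accesses_to` answers the "who touched this record" question an access review needs.

```python
import hashlib
import json
from typing import Dict, List, Optional

GENESIS_HASH = "0" * 64


def _entry_hash(prev_hash: str, body: Dict) -> str:
    """SHA-256 over the previous hash and a canonical JSON form of the entry."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def record(self, actor: str, action: str, resource: str,
               ts: int, source_ip: str = "") -> Dict:
        """Append one event; its hash covers the event and the previous hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        body = {"seq": len(self.entries), "ts": ts, "actor": actor, "action": action,
                "resource": resource, "source_ip": source_ip, "prev": prev}
        entry = dict(body, hash=_entry_hash(prev, body))
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """None if the chain is intact, else the index of the first bad entry.

        Detects edited content (hash mismatch), a deleted or inserted entry
        (sequence or previous-hash mismatch), and a rewritten hash (the next
        entry's 'prev' no longer matches).
        """
        prev = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if (body.get("seq") != i or body.get("prev") != prev
                    or _entry_hash(prev, body) != entry.get("hash")):
                return i
            prev = entry["hash"]
        return None

    def accesses_to(self, resource: str) -> List[Dict]:
        """All recorded events touching one resource, for access review."""
        return [e for e in self.entries if e["resource"] == resource]


def build_sample_log() -> AuditLog:
    """Constructed events for demonstration; no real patient data."""
    log = AuditLog()
    log.record("dr.alvarez", "read", "patient/1001", 1700000000, "10.0.0.5")
    log.record("nurse.chen", "update", "patient/1001", 1700000060, "10.0.0.9")
    log.record("billing.okafor", "read", "patient/2002", 1700000120, "10.0.0.12")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify() is None)
    print("patient/1001 accessed by:", [e["actor"] for e in log.accesses_to("patient/1001")])
```

A hash chain makes after-the-fact edits visible to anyone holding a trusted copy of the latest hash; it does not by itself stop an administrator who can rewrite the entire chain, which is why the head hash should be anchored somewhere the log writer cannot modify (a separate system, periodic signed checkpoints, or write-once storage) for the full retention period.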
Transmission Security
Implement a mechanism to encrypt ePHI in transit whenever deemed appropriate. TLS 1.2 or higher for all ePHI in transit is effectively required in any modern implementation: a defensible justification for not encrypting ePHI in transit is extremely rare.
Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.
Business Associate Agreements (BAAs)
A Business Associate Agreement is a legally required written contract between a covered entity and a business associate. If you are a covered entity, you cannot share PHI with any vendor until a signed BAA is in place. If you are a business associate, you cannot accept PHI without one. Operating without a BAA is itself a HIPAA violation — regardless of whether a breach ever occurs.
Your BAA must include:
- What the business associate is permitted to do with PHI
- That the business associate will not use or disclose PHI other than as permitted
- Safeguards the business associate will implement to prevent unauthorized use
- Obligations to report breaches or security incidents to the covered entity
- That the business associate will ensure any subcontractors handling PHI also execute BAAs
- Return or destruction of PHI upon termination of the contract
Cloud providers and BAAs: AWS, Microsoft Azure, and Google Cloud all offer HIPAA BAAs as part of their enterprise agreements. You must execute the BAA and configure only HIPAA-eligible services. Using a non-BAA-covered AWS service to store ePHI (even temporarily) is a violation — review the list of HIPAA-eligible services for each provider before deployment.
HIPAA Violation Penalties
HHS OCR enforces HIPAA through civil penalties and, in cases of criminal conduct, refers to the Department of Justice for prosecution. Penalties are tiered by culpability:
| Violation Category | Per Violation | Annual Maximum (same violation type) |
|---|---|---|
| Tier 1: Unknowing (did not know and could not have known) | $137 – $68,928 | $34,464 – $1,919,173 |
| Tier 2: Reasonable Cause (should have known but did not act with willful neglect) | $1,379 – $68,928 | $34,464 – $1,919,173 |
| Tier 3: Willful Neglect, Corrected (violation corrected within 30 days) | $13,785 – $68,928 | $344,638 – $1,919,173 |
| Tier 4: Willful Neglect, Uncorrected (willful neglect, not corrected) | $68,928 – $1,919,173 | $344,638 – $1,919,173 |
| Criminal penalties (knowing misuse of PHI) | Up to 10 years imprisonment | |
Notable recent enforcement: In 2024, a large pediatric dental practice was fined $4.75M for failing to conduct a risk analysis and having inadequate access controls. A health plan paid $1.19M for a breach affecting 2.43 million individuals due to unencrypted PHI. The most common root causes in enforcement actions: no risk analysis, missing BAAs, and inadequate access controls — all items on the checklist above.
7-Step Path to HIPAA Compliance
Unlike SOC 2, HIPAA has no formal audit or certification. You self-attest to compliance — but the OCR can audit you at any time. Here's the practical sequence most organizations follow:
Determine if HIPAA applies and in what capacity
Confirm whether you are a covered entity, a business associate, or both. Review all customer contracts for any that involve healthcare data. If in doubt, consult a healthcare attorney — the definition of "business associate" is broad and has caught many companies off guard.
Run a HIPAA risk assessment (not optional)
Map all ePHI your organization creates, receives, maintains, or transmits. Identify all systems, databases, APIs, and integrations that touch it. Assess threats and vulnerabilities to each. Document the assessment in full — this document is the first thing OCR will ask for in an audit. A free gap assessment is a practical starting point.
Appoint a HIPAA Security Officer
Formally designate a named individual responsible for HIPAA compliance. Document this in your policies. For small companies this is typically the CEO, CTO, or a senior engineer. This person should own the risk assessment, policy documentation, and workforce training.
Implement and document required controls
Work through the checklist above systematically — Administrative, then Physical, then Technical. For each addressable control you choose not to implement, document the specific reason in writing. Implement an Incident Response Plan, Contingency Plan, and workforce Security Awareness Training.
Execute BAAs with all relevant vendors
Identify every vendor, subcontractor, and service provider that touches PHI. Execute a signed BAA before any PHI is shared. Prioritize cloud infrastructure (AWS/Azure/GCP), EHR integrations, analytics tools, ticketing/support systems, and email providers.
Train your workforce
Provide HIPAA training to all workforce members who interact with PHI or ePHI systems. Document completion — OCR will ask for training records. Annual re-training is standard. Training must cover the Privacy Rule, Security Rule, breach recognition, and your organization's specific policies.
Maintain documentation and conduct annual reviews
HIPAA requires retaining all documentation of policies, procedures, and activities for a minimum of 6 years. Conduct an annual risk assessment and policy review. Update your risk analysis and controls whenever you make significant changes to your systems, operations, or the nature of PHI you handle.
HIPAA vs. SOC 2: Do You Need Both?
This is one of the most common questions for digital health and healthcare SaaS companies. The short answer: they serve different purposes, and many healthcare technology companies need both.
SOC 2 is a voluntary security attestation report issued by a licensed CPA firm. It signals to enterprise B2B customers broadly that your security posture has been independently audited. It does not satisfy HIPAA, and a SOC 2 auditor does not verify HIPAA compliance.
HIPAA compliance is a legal requirement whenever you handle PHI. There is no report to show — you self-attest. But your healthcare customers will likely send you security questionnaires asking for proof of compliance, and having SOC 2 greatly reduces the friction of those reviews.
The good news: there is significant overlap. Roughly 60–70% of the HIPAA Security Rule requirements map to controls you would implement for SOC 2 Security TSC anyway — encryption, access controls, audit logging, incident response, vulnerability management. If you pursue SOC 2 first, your HIPAA gap will be substantially smaller.
Recommended sequencing for most healthcare SaaS companies: Start with HIPAA if you already have healthcare customers or have contractual PHI obligations. Start with SOC 2 first if you are pre-revenue or primarily selling to non-healthcare enterprise customers and healthcare is a future expansion. If you are doing both, pursuing them in parallel with a shared evidence base reduces total work by 30–40%.
For a detailed comparison, see our post: SOC 2 vs. HIPAA: Do I Need Both?
Frequently Asked Questions
Who needs to be HIPAA compliant?
HIPAA applies to covered entities (healthcare providers, health plans, and healthcare clearinghouses) and business associates (any vendor or service provider that creates, receives, maintains, or transmits PHI on behalf of a covered entity). If you build software, provide cloud infrastructure, or offer any service to healthcare organizations where PHI is involved, you are almost certainly a business associate. See our full FAQ for more details on scope.
Does SOC 2 satisfy HIPAA?
No. SOC 2 and HIPAA are separate frameworks addressing different requirements. A SOC 2 report does not constitute HIPAA compliance, and your healthcare customers cannot rely on your SOC 2 report to satisfy their HIPAA obligations for vendor due diligence. That said, SOC 2 Security TSC overlaps substantially with the HIPAA Security Rule — if you have SOC 2 Type II, your HIPAA gap will be significantly smaller than starting from scratch.
What is the difference between required and addressable controls?
Required controls must be implemented exactly as specified with no exceptions. Addressable controls must also be implemented, but you have flexibility in the approach — you can implement the spec as written, implement an equivalent alternative, or document why it is not reasonable for your organization. Addressable does not mean optional. Failing to implement an addressable control without documented justification is a HIPAA violation.
How long does HIPAA compliance take?
For most SaaS companies and business associates starting from a reasonable security baseline, 3 to 6 months is realistic: 2 to 4 weeks for a risk assessment and gap analysis, 1 to 3 months for implementing controls and writing policies, and 2 to 4 weeks for workforce training and documentation finalization. Unlike SOC 2, there is no mandatory observation period — once your controls are implemented and documented, you are compliant.
What are the HIPAA penalties for violations?
Civil penalties range from $137 per violation (unknowing, no culpability) up to $1,919,173 per violation category per year (willful neglect, uncorrected). Criminal penalties for intentional misuse of PHI can reach 10 years imprisonment. The OCR is actively investigating and has collected over $8 million in fines in 2024 alone. The most common enforcement triggers: missing risk analysis, inadequate access controls, and absent business associate agreements.
Do I need a BAA with AWS, Azure, or Google Cloud?
Yes — if you store or process ePHI on any of these platforms, you must execute a HIPAA BAA with the provider before doing so. All three major cloud providers offer standard HIPAA BAAs. Importantly, the BAA only covers designated HIPAA-eligible services — you must verify that the specific services you use are covered by the BAA. Storing ePHI in a non-covered service (even temporarily in a log) constitutes a violation.
Do I need HIPAA if I store de-identified data?
If data is properly de-identified under HIPAA's expert determination or safe harbor methods, it is no longer PHI and HIPAA does not apply to that data. However, HIPAA's safe harbor standard requires removing 18 specific identifiers including names, geographic data smaller than state, all dates except year, phone numbers, email addresses, and IP addresses. Many companies believe they have de-identified data when they have not. When in doubt, treat the data as PHI or obtain a formal legal opinion.