HIPAA Compliance Checklist for Software and SaaS Companies
A practical HIPAA compliance checklist covering PHI definition, administrative/physical/technical safeguards, BAAs, breach notification, and what SaaS companies need to do to become HIPAA-compliant.
HIPAA (Health Insurance Portability and Accountability Act) applies to any software company that handles Protected Health Information (PHI) on behalf of a Covered Entity — which includes healthcare providers, health plans, and healthcare clearinghouses. If a hospital uses your SaaS product to process patient data, you are a Business Associate and HIPAA applies to you.
Non-compliance penalties range from $100 to $50,000 per violation, up to $1.9 million per year per violation category. More immediately, a HIPAA breach can destroy trust and cost you healthcare customers.
What Is PHI?
Protected Health Information (PHI) is individually identifiable health information that relates to:
- Past, present, or future physical or mental health condition
- Provision of healthcare
- Payment for healthcare
PHI includes 18 identifiers:
- Name, geographic data (smaller than state), dates (except year), phone, fax, email
- Social Security Number, Medical Record Number, Health plan beneficiary number
- Account numbers, certificate/license numbers, vehicle identifiers, device identifiers
- Web URLs, IP addresses, biometric identifiers, full-face photographs
- Any other unique identifying number or code
If your system stores a health condition alongside any of these 18 identifiers, that's PHI.
Electronic PHI (ePHI): PHI stored, processed, or transmitted electronically. The HIPAA Security Rule applies specifically to ePHI.
Business Associate Agreements (BAAs)
If you handle PHI on behalf of a Covered Entity, you must have a BAA in place before any PHI is shared with you. The BAA defines:
- What PHI you're permitted to use and how
- Safeguards you'll implement
- Breach notification obligations
- How you'll return or destroy PHI at contract end
- Your sub-BA obligations (passing requirements to your own vendors)
□ BAA templates prepared for customer signatures
□ BAA in place with every customer that sends you PHI
□ BAA in place with all sub-processors that handle PHI:
□ AWS / GCP / Azure (all have HIPAA BAAs available)
□ Database providers
□ Logging and monitoring services (Datadog, Sentry — check availability)
□ Email providers (if sending PHI via email)
□ Support platforms (Zendesk, Intercom — verify BAA availability)
Administrative Safeguards
Administrative safeguards are the policies and procedures that govern how you protect PHI.
□ Security Officer designated (responsible for HIPAA compliance program)
□ Risk Analysis completed and documented (identify threats to PHI)
□ Risk Management Plan implemented (address identified risks)
□ Workforce training: all staff with PHI access trained annually
□ Access management: formal process for granting/revoking PHI access
□ Security incident procedures: documented process for responding to incidents
□ Contingency plan: backup, disaster recovery, emergency mode
□ Business Associate contracts in place with all BAs
□ Evaluation: periodic review of security practices
□ Sanctions policy: consequences for policy violations
Risk Analysis (Required)
The Risk Analysis is the cornerstone of HIPAA compliance and the most commonly cited deficiency in audits. It must:
- Identify where PHI exists in your system (data flow mapping)
- Identify threats to PHI (unauthorized access, ransomware, natural disasters, etc.)
- Identify vulnerabilities (unpatched software, weak passwords, etc.)
- Assess current controls
- Determine likelihood and impact of each threat
- Assign risk levels
- Document the analysis
This must be documented and updated when systems change significantly.
Physical Safeguards
Physical safeguards control physical access to systems containing PHI.
□ Facility access controls for data centers (badge access, visitor logs)
□ Workstation use policy: how devices with PHI access are used
□ Workstation security: screens not visible in public areas, auto-lock
□ Device and media controls:
□ Inventory of hardware storing PHI
□ Secure disposal of hardware (data wiping / destruction)
□ Encryption of laptops and removable media
□ No PHI on personal/unmanaged devices without controls
For cloud-based SaaS: your cloud provider handles the physical datacenter security. Your BAA with AWS/GCP/Azure covers this. Your physical safeguards focus on employee workstations and offices.
Technical Safeguards
Technical safeguards are the technology controls protecting ePHI.
□ Access Control:
□ Unique user IDs for all PHI system access (no shared accounts)
□ Emergency access procedure documented
□ Automatic logoff after period of inactivity (≤15 minutes recommended)
□ Encryption of ePHI at rest and in transit
□ Audit Controls:
□ Audit logs of all PHI access (who, when, what)
□ Log retention: minimum 6 years recommended
□ Logs protected from tampering
□ Regular log review
□ Integrity Controls:
□ Mechanisms to verify ePHI has not been improperly altered
□ Error detection (checksums, hashes) on PHI transmissions
□ Transmission Security:
□ TLS 1.2+ for all ePHI in transit
□ No PHI in unencrypted email
□ VPN or equivalent for any network transmission of PHI
□ End-to-end encryption for highly sensitive PHI
Encryption Requirements
HIPAA is intentionally non-prescriptive about encryption specifics but refers to NIST guidelines. In practice:
- At rest: AES-256 for databases, storage volumes, backups
- In transit: TLS 1.2+ (TLS 1.3 recommended)
- Key management: Keys stored separately from data, rotation policy in place
- Endpoint encryption: Full-disk encryption (FileVault, BitLocker) on all devices
Encryption is an "addressable" implementation specification in the Security Rule, meaning you either implement it or document why it's not reasonable and implement an equivalent alternative. In practice, not encrypting PHI is extremely difficult to justify and regulators expect encryption.
Minimum Necessary Standard
You and your workforce should access only the minimum PHI necessary for the task at hand. Implement this in your product:
□ Role-based access control limits PHI access by job function
□ Audit any access to bulk PHI (full database queries, exports)
□ API responses return only fields necessary for the operation
□ No displaying of unnecessary PHI in UIs (mask SSN, truncate MRN)
□ De-identification available as an option where identification not needed
Breach Notification
If you experience a breach of unsecured PHI:
- Notify Covered Entity: Within 60 days of discovery
- Covered Entity notifies individuals: Within 60 days of discovery
- Notify HHS: Within 60 days (or annually for breaches affecting <500 individuals)
- Notify media: If breach affects >500 individuals in a state
"Unsecured PHI" means PHI not protected through approved methods (typically: not encrypted). Encrypted PHI that is breached is not a notifiable breach under HIPAA.
□ Breach response procedure documented
□ Breach risk assessment process defined (4-factor test)
□ Notification templates prepared
□ Legal counsel identified for breach response
□ HHS notification portal registered (ocrportal.hhs.gov)
HIPAA and Your Technology Stack
| Service | HIPAA BAA Available? |
|---|---|
| AWS | Yes |
| Google Cloud | Yes |
| Microsoft Azure | Yes |
| Stripe | No (don't use for PHI) |
| SendGrid | Yes (via Twilio) |
| Twilio | Yes |
| Salesforce | Yes (Healthcare Cloud) |
| Zendesk | Yes |
| Slack | Yes (Enterprise Grid) |
| Sentry | No — don't log PHI to Sentry |
| Datadog | Yes |
If a service doesn't offer a BAA, don't send PHI to it. This is a common violation.
HITRUST vs HIPAA
HITRUST CSF is a certifiable security framework built on top of HIPAA (and other standards). Many large healthcare organizations require their vendors to be HITRUST certified rather than just "HIPAA compliant."
HITRUST certification is more expensive and time-consuming than a SOC 2 audit but is becoming increasingly required for enterprise healthcare customers. If healthcare is a target market, put HITRUST on your 18–24 month roadmap.