
HIPAA Compliance for SaaS Startups: The 2026 Practical Guide

A step-by-step guide to achieving HIPAA compliance for SaaS companies handling protected health information. Covers technical safeguards, BAAs, and common pitfalls.

Proveably Team

2026-02-18


If your SaaS product touches healthcare data — even indirectly — HIPAA applies to you. And unlike SOC 2, HIPAA violations come with real teeth: the civil penalty tiers were set at $100 to $50,000 per violation, capped at $1.5 million per year for each violation category, and HHS adjusts those amounts upward for inflation every year, so the figures in force today are higher. Knowing misuse of PHI can also be prosecuted criminally.

This guide walks you through everything your startup needs to do to become HIPAA compliant, without hiring a $200/hour consultant.

Does HIPAA Actually Apply to You?

HIPAA applies if your software creates, receives, maintains, or transmits Protected Health Information (PHI). You're a "Business Associate" if you do any of that on behalf of a covered entity (a healthcare provider, health plan, or healthcare clearinghouse). If you do it on behalf of another business associate, you are a subcontractor business associate with the same obligations.

You need HIPAA compliance if:

  • Your customers are hospitals, clinics, or health systems
  • You integrate with EHR/EMR systems (Epic, Cerner, Allscripts)
  • You process insurance claims or benefits data
  • You store patient names alongside medical information
  • You build analytics on health data

You probably don't need HIPAA if:

  • You only handle de-identified data (per HIPAA's Safe Harbor method, which strips 18 categories of identifiers, or a documented Expert Determination)
  • Your product is consumer wellness (non-clinical fitness tracking) with no covered-entity customers; note that the FTC's Health Breach Notification Rule can still apply to consumer health apps that fall outside HIPAA
  • You never touch data that links identities to health conditions

The Three Pillars of HIPAA Compliance

HIPAA has three sets of rules you need to address:

1. The Privacy Rule

Controls who can access PHI and how it can be used.

What you need:

  • A designated Privacy Officer
  • A Notice of Privacy Practices (NPP) if you are a covered entity; business associates don't publish their own and are instead bound by the customer's NPP and the BAA
  • Policies for minimum necessary access
  • Patient rights procedures (access, amendment, accounting of disclosures), or a defined way to support your covered-entity customers' procedures, since those requests reach you through them
  • Business Associate Agreements (BAAs) with all subprocessors

2. The Security Rule

Defines technical, physical, and administrative safeguards for electronic PHI (ePHI).

Administrative safeguards:

  • Risk analysis and risk management
  • Workforce training
  • Contingency planning (backup, disaster recovery, emergency mode)
  • Information access management

Physical safeguards:

  • Facility access controls
  • Workstation security
  • Device and media controls

Technical safeguards:

  • Access controls (unique user IDs, emergency access, auto logoff, encryption at rest)
  • Audit controls (logging all ePHI access)
  • Integrity controls (mechanisms to confirm ePHI hasn't been altered or destroyed)
  • Person or entity authentication (verifying that whoever requests ePHI is who they claim to be; in practice this means MFA)
  • Transmission security (integrity checks and encryption in transit)

3. The Breach Notification Rule

Requires notification of affected individuals, HHS, and in some cases the media when unsecured PHI is breached. The clock starts at discovery, and the deadlines below are upper bounds: notice must go out without unreasonable delay.

  • Under 500 individuals: Notify individuals within 60 days of discovery; report to HHS within 60 days after the end of the calendar year in which the breach was discovered
  • 500+ individuals: Notify individuals within 60 days of discovery; report to HHS at the same time; notify prominent media outlets serving a state or jurisdiction when more than 500 of its residents are affected

As a business associate you usually don't notify patients yourself: you must notify the covered entity without unreasonable delay and within 60 days of discovery, and most BAAs shorten that to a few days. The covered entity then handles the individual, HHS, and media notices.

Technical Controls Checklist

Here's the concrete technical implementation your engineering team needs to build:

Encryption

# At rest: AES-256 encryption
# AWS RDS: Enable encryption at instance creation (it cannot be switched on later;
# an unencrypted instance must be snapshotted, copied with encryption, and restored)
aws rds create-db-instance \
  --db-instance-identifier hipaa-db \
  --db-instance-class db.t3.medium \
  --engine postgres \
  --allocated-storage 100 \
  --master-username hipaa_admin \
  --manage-master-user-password \
  --storage-encrypted \
  --kms-key-id alias/hipaa-key

# In transit: TLS 1.2+ everywhere
# Enforce in your application config, and on the database side so a misconfigured
# client cannot fall back to plaintext (PostgreSQL: rds.force_ssl; MySQL: require_secure_transport)
aws rds create-db-parameter-group --db-parameter-group-name hipaa-pg \
  --db-parameter-group-family postgres16 --description "ePHI: TLS required"
aws rds modify-db-parameter-group --db-parameter-group-name hipaa-pg \
  --parameters "ParameterName=rds.force_ssl,ParameterValue=1,ApplyMethod=immediate"
# then attach it with --db-parameter-group-name hipaa-pg (create-db-instance or modify-db-instance)

Strictly, the Security Rule lists encryption as an "addressable" specification rather than a required one — but the alternative is documenting why encryption is "not reasonable and appropriate," which is a difficult argument to make and one no auditor will accept. Encryption also buys you the breach safe harbor: PHI encrypted in line with HHS guidance (NIST-approved algorithms, with keys stored separately from the data) is not "unsecured PHI," so a lost laptop or a leaked backup without its key is not a reportable breach.

Access Controls

  • Unique user identification: Every user gets their own credentials. No shared accounts, ever.
  • Role-based access control (RBAC): Implement least-privilege access. Developers should have no standing access to production PHI; debugging access goes through a time-limited, logged break-glass path.
  • Automatic logoff: Sessions must expire after a period of inactivity. HIPAA does not set the number; 15 minutes for web apps and 5 minutes for mobile are common choices, and whatever you pick should come out of your risk analysis and be written down.
  • Emergency access procedure: Document how to access PHI during an emergency when normal access is unavailable, and make sure every such access is logged and reviewed afterwards.

Audit Logging

Every access to ePHI must be logged. Your audit logs need to capture:

  • Who accessed the data (user ID)
  • What data was accessed (patient record, specific fields)
  • When the access occurred (timestamp with timezone)
  • Where the access came from (IP address, device)
  • Why (purpose of access, if available)
  • Outcome (success, or denied, so that refused attempts are visible too)

# Example audit log entry
{
    "timestamp": "2026-02-18T14:30:00Z",
    "user_id": "usr_abc123",
    "action": "view_patient_record",
    "resource": "patient/12345",
    "fields_accessed": ["name", "diagnosis", "medications"],
    "ip_address": "10.0.1.50",
    "session_id": "sess_xyz789",
    "purpose": "treatment",
    "result": "success"
}

Retain audit logs for a minimum of 6 years. Strictly, HIPAA's 6-year rule covers the documentation the Security Rule requires (policies, procedures, risk analyses, and records of actions and assessments), but audit logs are the evidence that your controls actually operated, so most teams keep them for the same period. Check state law, which can require longer, and make the store append-only so the logs themselves can't be quietly edited.
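The access-control and audit-logging requirements above fit together in a few dozen lines. The following is an added example, not Proveably's product code and not from the original page: a minimal RBAC gate that records every attempt (allowed or denied) with the who/what/when/where/why/outcome fields listed above, writes the entries as a hash chain so that editing or deleting any entry is detectable (an integrity control), and models the emergency-access procedure as a break-glass flag that always shows up in the log. The role table, user IDs, and patient resource are constructed assumptions for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical role -> permitted actions table (an assumption for this example).
# Developers get no standing production PHI access; they use break-glass below.
ROLE_PERMISSIONS = {
    "clinician": {"view_patient_record", "update_patient_record"},
    "billing": {"view_billing"},
    "developer": set(),
}

# Every entry must carry who / what / when / where / why / outcome.
REQUIRED_FIELDS = ("timestamp", "user_id", "action", "resource",
                   "fields_accessed", "ip_address", "purpose", "result")

GENESIS = "0" * 64  # prev_hash of the very first entry


def _canonical(entry):
    """Deterministic serialization so the hash is reproducible on verification."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """In-memory stand-in for an append-only store (a WORM bucket or a
    write-once table in production). Each entry hashes the previous entry's
    hash together with its own content, so editing or deleting any entry
    breaks the chain and verify() reports where."""

    def __init__(self):
        self.entries = []
        self._prev_hash = GENESIS

    def append(self, **fields):
        missing = [f for f in REQUIRED_FIELDS if f not in fields]
        if missing:
            raise ValueError(f"audit entry missing required fields: {missing}")
        entry = dict(fields, prev_hash=self._prev_hash)
        entry["entry_hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
        self.entries.append(entry)
        self._prev_hash = entry["entry_hash"]
        return entry

    def verify(self):
        """Return (True, None) if the chain is intact, otherwise (False, index)
        of the first entry whose content or link to its predecessor is wrong."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body.get("prev_hash") != prev:
                return False, i
            if hashlib.sha256(_canonical(body)).hexdigest() != entry["entry_hash"]:
                return False, i
            prev = entry["entry_hash"]
        return True, None


def access_phi(log, user_id, role, action, resource, fields, ip_address,
               purpose, break_glass=False):
    """Enforce RBAC, then record the attempt whether it was allowed or not.
    break_glass=True models the documented emergency-access procedure: it
    grants access outside the role table but is always logged as such, so
    every use is visible at review time. Returns True if access was granted."""
    allowed = action in ROLE_PERMISSIONS.get(role, set()) or break_glass
    log.append(
        timestamp=datetime.now(timezone.utc).isoformat(),
        user_id=user_id,
        action=action,
        resource=resource,
        fields_accessed=list(fields) if allowed else [],  # nothing was read on denial
        ip_address=ip_address,
        purpose="emergency_access" if break_glass else purpose,
        result="success" if allowed else "denied",
    )
    return allowed


if __name__ == "__main__":
    log = AuditLog()
    access_phi(log, "usr_abc123", "clinician", "view_patient_record",
               "patient/12345", ["name", "diagnosis", "medications"],
               "10.0.1.50", "treatment")
    access_phi(log, "usr_dev42", "developer", "view_patient_record",
               "patient/12345", ["name"], "10.0.1.51", "debugging")
    print(json.dumps(log.entries, indent=2))
    print("chain intact:", log.verify())
```

Two design points: denials are logged with an empty fields_accessed so a reviewer can distinguish "tried and was refused" from "read the record", and the hash chain only makes tampering detectable, not impossible; the entries still need to land in a store that the application's own credentials cannot delete from.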

Backup and Disaster Recovery

  • Data backups: Encrypted backups that can be restored and verified
  • Recovery time objective (RTO): Document how quickly you can restore ePHI access
  • Recovery point objective (RPO): How much data loss is acceptable
  • Testing: Test your disaster recovery plan at least annually

Business Associate Agreements (BAAs)

A BAA is a legal contract between you and every vendor that creates, receives, maintains, or transmits PHI on your behalf. Without one, you're automatically in violation: handing PHI to a vendor with no BAA in place is an impermissible disclosure regardless of how well the vendor secures it.

Vendors you need BAAs with:

  • Cloud providers (AWS, GCP, Azure — they all offer BAAs)
  • Database hosting providers
  • Email services (if sending PHI via email)
  • Analytics tools (if they process PHI)
  • Backup providers
  • Communication tools (Slack, if PHI is discussed)

What a BAA must include (45 CFR 164.504(e) sets the minimum terms):

  • Permitted and required uses and disclosures of PHI
  • Requirement to implement Security Rule safeguards
  • Breach and security-incident reporting obligations
  • Flow-down: your own subcontractors that touch PHI must agree to the same restrictions
  • Support for patient rights (access, amendment, accounting of disclosures)
  • Making internal practices, books, and records available to HHS
  • Return or destruction of PHI on termination
  • Termination for cause if the other party materially breaches the agreement

A right for the customer to audit you is common and worth negotiating, but it is a contractual term rather than something the rule requires.

Pro tip: AWS, Google Cloud, and Microsoft Azure all offer BAAs at no extra cost, but a BAA is not in force until you have accepted it. AWS's is accepted through AWS Artifact; Google Cloud's through the Cloud Console; Microsoft's is incorporated into its Product Terms and Data Protection Addendum for in-scope services. Each BAA covers only the provider's HIPAA-eligible services, so keep ePHI out of any service that is not on that list.

Common HIPAA Violations We Find in Scans

When we run security scans against healthcare SaaS products, these are the most frequent violations:

  1. Unencrypted database connections — ePHI transmitted in plaintext between app and database
  2. Missing audit logs — No record of who accessed what patient data
  3. PHI in log files — Application logs containing patient names, SSNs, or diagnoses
  4. No backup encryption — Database backups sitting unencrypted in S3
  5. Shared credentials — Teams using a single admin login for production systems
  6. Missing BAAs — Using services like SendGrid or Twilio without signed agreements
  7. No access expiration — Former employees still having active credentials weeks after departure
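Three of these findings (unencrypted RDS storage, unencrypted snapshots, and credentials nobody has used since an employee left) can be checked mechanically from the AWS APIs. The following is an added example, not Proveably's scanner and not from the original page. The embedded JSON and CSV are constructed to resemble trimmed output of aws rds describe-db-instances, aws rds describe-db-snapshots, and the report inside aws iam get-credential-report (which is base64 in its Content field and has more columns than shown); in a real run you would feed those commands' output in instead. The account ID, user names, and the 30-day idle threshold are assumptions.

```python
import csv
import io
import json
from datetime import datetime, timedelta, timezone

# Fixed reference time so the example is reproducible.
NOW = datetime(2026, 2, 18, tzinfo=timezone.utc)

# Constructed to resemble `aws rds describe-db-instances` output (trimmed).
RDS_INSTANCES = json.loads("""{"DBInstances": [
  {"DBInstanceIdentifier": "hipaa-db",  "StorageEncrypted": true},
  {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": false}
]}""")

# Constructed to resemble `aws rds describe-db-snapshots` output (trimmed).
RDS_SNAPSHOTS = json.loads("""{"DBSnapshots": [
  {"DBSnapshotIdentifier": "hipaa-db-2026-02-17", "DBInstanceIdentifier": "hipaa-db", "Encrypted": true},
  {"DBSnapshotIdentifier": "legacy-db-2026-02-01", "DBInstanceIdentifier": "legacy-db", "Encrypted": false}
]}""")

# Constructed to resemble the CSV inside `aws iam get-credential-report`
# (column subset; the real report has more columns and is base64-encoded).
CREDENTIAL_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2023-01-10T08:00:00+00:00,not_supported,2025-06-01T10:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2024-03-02T09:00:00+00:00,true,2026-02-17T15:20:00+00:00,false,N/A
bob-departed,arn:aws:iam::123456789012:user/bob-departed,2024-05-11T09:00:00+00:00,true,2025-12-01T11:00:00+00:00,true,2025-11-20T08:30:00+00:00
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2025-09-01T00:00:00+00:00,false,no_information,true,2026-02-18T01:02:03+00:00
"""


def unencrypted_rds_instances(describe_output):
    """Finding 4: ePHI at rest on an RDS instance without storage encryption."""
    return [db["DBInstanceIdentifier"] for db in describe_output["DBInstances"]
            if not db.get("StorageEncrypted", False)]


def unencrypted_rds_snapshots(describe_output):
    """Finding 4: backups (snapshots) stored without encryption."""
    return [s["DBSnapshotIdentifier"] for s in describe_output["DBSnapshots"]
            if not s.get("Encrypted", False)]


def _parse_ts(value):
    """Credential-report timestamps are ISO 8601; placeholders such as
    N/A, no_information or not_supported mean 'never' and parse as None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def stale_iam_users(report_csv, now=NOW, max_idle_days=30):
    """Finding 7: users whose every enabled credential has gone unused for
    longer than max_idle_days (a departed employee's account looks like this).
    Users with no enabled credential at all are skipped: nothing to revoke."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        last_used = []
        if row["password_enabled"] == "true":
            last_used.append(_parse_ts(row["password_last_used"]))
        if row["access_key_1_active"] == "true":
            last_used.append(_parse_ts(row["access_key_1_last_used_date"]))
        if not last_used:
            continue
        # A never-used credential counts from the user's creation date.
        created = _parse_ts(row["user_creation_time"])
        if all((ts or created) < cutoff for ts in last_used):
            stale.append(row["user"])
    return stale


def run_all():
    """Collect findings and tag each with the Security Rule citation it maps to."""
    findings = []
    for db in unencrypted_rds_instances(RDS_INSTANCES):
        findings.append({"resource": db, "issue": "RDS storage not encrypted",
                         "citation": "45 CFR 164.312(a)(2)(iv)"})
    for snap in unencrypted_rds_snapshots(RDS_SNAPSHOTS):
        findings.append({"resource": snap, "issue": "RDS snapshot not encrypted",
                         "citation": "45 CFR 164.312(a)(2)(iv)"})
    for user in stale_iam_users(CREDENTIAL_REPORT):
        findings.append({"resource": user, "issue": "IAM credentials idle > 30 days",
                         "citation": "45 CFR 164.308(a)(3)(ii)(C)"})
    return findings


if __name__ == "__main__":
    for f in run_all():
        print(f"{f['citation']:<28} {f['resource']:<24} {f['issue']}")
```

The idle-credential check deliberately treats a never-used credential as idle since the user was created, because a key that was issued and never touched is exactly the kind of forgotten access that outlives an employee. Run it on a schedule, not once: the point of continuous monitoring is that a finding that was clean last week can reappear after a single console change.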

Proveably's continuous scanning automatically checks for all of these and maps findings directly to HIPAA requirements — so you know exactly what to fix.

HIPAA vs SOC 2: Do You Need Both?

Many healthcare SaaS companies wonder whether SOC 2 covers HIPAA requirements. The short answer: there's significant overlap, but they're not interchangeable.

Aspect           | HIPAA                                                    | SOC 2
Mandatory?       | Yes, if you handle PHI                                   | No, market-driven
Fines            | Civil penalties up to $1.5M/year per violation category, | None (but lost deals)
                 | adjusted upward for inflation each year                  |
Focus            | Healthcare data (ePHI)                                   | General security controls
Controls overlap | Roughly 70% with SOC 2 Security (our estimate)           | Roughly 70% with the HIPAA Security Rule
Audit type       | Self-assessment or third-party; there is no official     | Always third-party (CPA firm)
                 | HIPAA certification                                      |

Our recommendation: If you sell to healthcare AND technology companies, implement both. The overlap is roughly 70%, so the marginal effort for the second framework is much lower than starting from scratch.

With Proveably, a single scan maps findings to both HIPAA and SOC 2 simultaneously — no duplicate work.

Getting Started with HIPAA Compliance

Week 1: Risk Assessment

Run a comprehensive security scan with Proveably. Our automated evidence collection pulls data from your AWS/GCP infrastructure and maps it directly to HIPAA's Security Rule requirements. The scan output feeds your risk analysis, but it does not replace it: the Security Rule requires a documented, enterprise-wide risk analysis (where ePHI lives, the threats to it, their likelihood and impact, and the controls you chose in response), and a missing or incomplete risk analysis is among the findings HHS OCR cites most often in its enforcement actions.

Week 2-3: Gap Remediation

Fix the critical findings from your risk assessment. Focus on encryption, access controls, and audit logging first.

Week 4: Policies and Procedures

Draft your HIPAA policies. You need at least:

  • Information Security Policy
  • Risk Analysis and Risk Management Procedure (the documented analysis itself, plus how findings are tracked to closure)
  • Access Control Policy
  • Sanction Policy (what happens to workforce members who violate these policies; the Security Rule requires one)
  • Incident Response Plan
  • Breach Notification Procedure
  • Business Continuity / Disaster Recovery Plan
  • Workforce Training Policy

Keep every version: the Security Rule requires written policies to be retained for six years from the later of their creation date or the date they were last in effect.

Week 5-6: BAAs and Vendor Review

Sign BAAs with all vendors that handle PHI. Review each vendor's security posture.

Ongoing: Continuous Monitoring

HIPAA isn't a one-time project. You need continuous monitoring of your security controls, a risk analysis that is updated whenever your environment changes materially and reviewed at least annually, and workforce training at onboarding with periodic refreshers (annual is the usual cadence; the rule itself only says "periodic").


Ready to start your HIPAA compliance journey? Try Proveably free and get a complete HIPAA gap assessment in under 30 minutes. Our platform maps every finding to specific HIPAA requirements so you know exactly where you stand.
