What HIPAA Applies to in SaaS
Not all SaaS companies need to worry about HIPAA. But if your platform deals with PHI on behalf of a Covered Entity (like a hospital, clinic, or insurance provider), then you’re likely a Business Associate, and HIPAA applies.
HIPAA doesn’t care how cool your tech stack is. If your system touches PHI, you’re on the hook.
Examples of PHI:
- Names + health data
- Email + appointment info
- IP address + medical record number
What counts as PHI in SaaS:
- Health data input by users
- Data stored in your cloud database
- Support tickets referencing medical conditions
Bottom line: If there’s a way to tie the data you collect to a person and it includes health-related info, treat it like PHI.
PHI, BAAs, and Risk Assessments
1. Protected Health Information (PHI)
Make sure your team knows what PHI looks like and how it’s handled in your system. This means clearly labeling sensitive data fields and treating them with appropriate controls (more on those below).
2. Business Associate Agreements (BAAs)
If you’re a Business Associate, you must have a signed BAA with any Covered Entity client—and with any sub-processors (like your cloud provider) who also touch PHI.
Tip: AWS, Azure, and GCP all offer HIPAA-eligible services, but only if you sign their BAA.
3. Security Risk Assessment (SRA)
HIPAA requires periodic risk assessments to identify and address vulnerabilities. This isn’t optional. It also isn’t just scanning for CVEs—it includes policies, training, and processes too.
Use NIST SP 800-30 or similar frameworks as your guide.
Policies You Need (and Why)
HIPAA wants to see that you’re not just winging it. These policies show you’ve thought through how to protect PHI.
Here are the must-haves:
✅ Information Security Policy: Outlines your company’s approach to protecting sensitive data.
✅ Access Control Policy: Defines how users (internal and external) get access, what they can see, and how permissions are managed.
✅ Incident Response Plan: Explains what happens if something goes wrong—how you detect, contain, and report breaches.
✅ Data Retention & Disposal Policy: Covers how long PHI is kept and how it’s securely deleted when it’s no longer needed.
✅ Workforce Security Policy: Covers onboarding, offboarding, and training for employees who may access PHI.
Pro Tip: These policies only matter if they reflect reality. Don’t copy templates. Start with how your system actually works, then document it.
Common Gaps to Fix
Even well-meaning SaaS teams trip up on HIPAA. Here are the most common gaps we fix during HIPAA gap assessments:
❌ Missing or outdated BAAs: You can’t claim compliance if your BAA is sitting in someone’s inbox unsigned. Ditto for your sub-processors.
❌ Over-permissive access controls: Does your whole engineering team have production database access? That’s a HIPAA problem.
❌ No logging or audit trails: HIPAA requires tracking access to PHI. If you don’t log who did what and when, you’re not compliant.
❌ No formal incident response plan: Your devs may know what to do in a breach, but HIPAA wants to see it written down and tested.
❌ PHI stored in unencrypted backups: This one hurts because it’s so preventable. All backups with PHI should be encrypted at rest and in transit.
❌ Relying on your cloud provider to “handle HIPAA”: AWS, GCP, and Azure provide tools—but you are responsible for using them correctly. Their compliance doesn’t make you compliant.
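Added example (not code from the original post) showing the two gaps above, over-permissive access and missing audit trails, closed together: a role check in front of PHI records, with every access attempt logged as "who did what, when", allowed or denied. The role names, record ids and in-memory store are constructed assumptions standing in for a real production table and log sink.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed example: which actions each role may perform on PHI.
# Engineers get no production PHI access by default (the over-permissive-access gap above).
ROLE_PERMISSIONS = {
    "clinician": {"read", "write"},
    "support": {"read"},
    "engineer": set(),
}

@dataclass
class PhiStore:
    """In-memory stand-in for a production table holding PHI."""
    records: dict
    audit_log: list = field(default_factory=list)  # append-only "who did what, when"

    def access(self, actor: str, role: str, action: str, record_id: str):
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        # Every attempt is logged, allowed or denied, before any data is returned.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "role": role,
            "action": action,
            "record_id": record_id,
            "outcome": "allowed" if allowed else "denied",
        })
        if not allowed:
            raise PermissionError(f"role {role!r} may not {action} PHI record {record_id}")
        return self.records.get(record_id)

    def export_audit_jsonl(self) -> str:
        """One JSON object per line, ready to ship to a tamper-evident log sink."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.audit_log)

def denied_attempts(audit_log: list) -> list:
    """Entries an incident responder should review: denied PHI access attempts."""
    return [e for e in audit_log if e["outcome"] == "denied"]

if __name__ == "__main__":
    store = PhiStore(records={"mrn-001": {"name": "Sample Patient", "condition": "placeholder"}})
    store.access("dr.lee", "clinician", "read", "mrn-001")
    try:
        store.access("dev-42", "engineer", "read", "mrn-001")
    except PermissionError as exc:
        print("blocked:", exc)
    print(store.export_audit_jsonl())
```

The denied entry is the one a reviewer wants to see during an SRA or incident review: it proves both that the control fired and that the attempt was recorded.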
Need a sanity check on your HIPAA compliance?
Book a free call and get expert eyes on your biggest risks—before a regulator does.
Because in the world of healthcare data, “we didn’t know” isn’t a defense.