HIPAA

Health Insurance Portability and Accountability Act

Pronounced: HIP-uh

The US federal law that sets standards for protecting sensitive patient health information from disclosure.

HIPAA is the US law that protects patient health data. If your software touches protected health information (PHI) in any way, you need to comply. There is no opt-out.

The law applies to covered entities (hospitals, insurers, healthcare providers) and their business associates (any vendor that handles PHI on their behalf). If a hospital uses your SaaS product and patient data flows through it, you are a business associate. You need a Business Associate Agreement (BAA) with the hospital and must meet the requirements of HIPAA's Security Rule and Privacy Rule.

For SaaS companies, HIPAA compliance means encryption at rest and in transit, audit logging, access controls, and regular risk assessments. The penalties for violations range from $100 to $50,000 per incident, with a maximum of $1.5 million per year for each violation category. Most healthcare-focused SaaS companies also need SOC 2 certification. Companies handling patient data across regions must also consider data residency requirements.

Examples

A SaaS company wants to sell to hospitals.

The product stores appointment data that includes patient names and conditions. The company must become HIPAA compliant before signing any healthcare customer. They start with a risk assessment and engage a compliance consultant.

A developer accidentally logs patient data.

A debug log captures a patient's name and diagnosis. The security team treats this as a potential breach. They scrub the logs, assess the exposure, and document the incident per HIPAA's breach notification requirements.
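An added example, not from the page, of one control that keeps the scenario above from recurring: a Python `logging` filter that redacts labelled PHI fields before a record reaches any handler. The field names and the `ListHandler` are assumptions for the example; key-based redaction only catches PHI the code labels, so free-text messages still need review.

```python
import logging
# Field names treated as PHI for this example (an assumption; a real
# deployment derives the list from its own data classification).
PHI_FIELDS = frozenset({"patient_name", "diagnosis", "mrn", "dob", "ssn"})
REDACTED = "[REDACTED-PHI]"

def redact(value):
    """Replace values under PHI keys in nested dicts/lists; else pass through."""
    if isinstance(value, dict):
        return {k: REDACTED if k in PHI_FIELDS else redact(v) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(redact(v) for v in value)
    return value

class PHIRedactingFilter(logging.Filter):
    """Scrub PHI from a LogRecord before any handler formats or writes it."""
    def filter(self, record: logging.LogRecord) -> bool:
        # Context passed as message arguments, e.g. logger.debug("%s", {...})
        record.args = redact(record.args)
        # Context passed via extra={...} lands as attributes on the record
        for field in PHI_FIELDS:
            if hasattr(record, field):
                setattr(record, field, REDACTED)
        return True  # keep the record, now scrubbed

class ListHandler(logging.Handler):
    def __init__(self):
        super().__init__()
        self.lines = []  # formatted lines kept in memory for inspection
    def emit(self, record):
        self.lines.append(self.format(record))

def make_logger(name="phi-demo"):
    logger = logging.getLogger(name)
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    logger.handlers.clear()
    logger.filters.clear()
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(PHIRedactingFilter())  # at the logger, upstream of every handler
    return logger, handler

def demo():
    # Constructed event modelled on the page's incident: a debug line that
    # would otherwise carry a patient's name and diagnosis.
    logger, handler = make_logger()
    logger.debug("appointment created: %s", {"appointment_id": 42,
                 "patient_name": "Jane Doe", "diagnosis": "Type 2 diabetes"})
    return handler.lines
```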

A startup chooses a cloud provider for a health tech product.

The team selects AWS and signs a BAA with Amazon. They use AWS services that are explicitly HIPAA-eligible: S3 with encryption, RDS with audit logging, and CloudTrail for access monitoring.

Frequently asked questions

Does HIPAA apply to all health-related apps?

Not automatically. HIPAA applies to covered entities and their business associates. A fitness tracking app that does not work with healthcare providers may not fall under HIPAA, though other privacy laws still apply.

What is a Business Associate Agreement?

A BAA is a contract between a covered entity and a vendor that handles PHI. It legally obligates the vendor to protect that data according to HIPAA standards. No BAA means no access to patient data.
