What is HIPAA compliance and when does a SaaS company need it?

When Does a SaaS Company Need HIPAA?

You need HIPAA if your software handles Protected Health Information (PHI). Specifically:

Your Customer	Data You Handle	HIPAA Required?
Hospital or clinic	Patient records, appointment data	Yes
Health insurance company	Claims data, member information	Yes
Healthcare software vendor	PHI passed through your system	Yes (business associate)
Wellness app (no PHI)	Step counts, general health tips	No
Non-healthcare company	Employee data (not PHI)	No

What HIPAA Requires

Requirement	What It Means
Business Associate Agreement (BAA)	Legal contract with healthcare customers defining your PHI responsibilities
Administrative safeguards	Policies, training, risk assessment for PHI handling
Physical safeguards	Physical access controls for systems with PHI
Technical safeguards	Encryption, access controls, audit logging for PHI
Breach notification	60-day notification requirement for PHI breaches

HIPAA vs. SOC 2

Aspect	SOC 2	HIPAA
Applies to	Any company (voluntary)	Companies handling PHI (mandatory)
Certification	Audit report	Self-attestation + BAA
Penalty for non-compliance	None (it's voluntary)	Fines up to $1.5M per violation
Framework	Trust Services Criteria	HIPAA Security Rule + Privacy Rule
Auditor	CPA firm	Self-attestation (no formal audit required, but recommended)

SOC 2 + HIPAA

Many healthcare SaaS companies pursue both. SOC 2 provides the independent audit report that healthcare buyers want to see, while HIPAA compliance is the legal requirement for handling PHI. About 60% of SOC 2 controls satisfy HIPAA requirements — so doing both is more manageable than doing them separately.

Getting Started

1. Determine if you actually handle PHI (many SaaS companies don't)
2. If yes, start with SOC 2 to build your control foundation
3. Layer HIPAA-specific controls on top (BAA process, PHI data mapping, breach notification)
4. Have a lawyer draft your BAA template