Back to Blog
HIPAASaaSHealthcare Compliance

HIPAA Compliance for SaaS: What Developers Need to Know

A developer-focused guide to HIPAA compliance for SaaS applications. Learn what PHI is, when HIPAA applies, and the technical requirements.

December 20, 2025

When Does HIPAA Apply to Your SaaS?

HIPAA — the Health Insurance Portability and Accountability Act — applies to SaaS companies in two scenarios:

You're a Covered Entity

If your SaaS directly provides health plans, healthcare, or healthcare payment processing, you're a covered entity under HIPAA.

You're a Business Associate

More commonly, SaaS companies become "business associates" when they handle Protected Health Information (PHI) on behalf of covered entities. If a hospital, clinic, health insurer, or other covered entity uses your SaaS and your platform processes, stores, or transmits PHI, you're a business associate.

Examples of SaaS products that often need HIPAA compliance:

  • Electronic Health Record (EHR) systems
  • Telehealth platforms
  • Patient scheduling software
  • Medical billing tools
  • Health data analytics platforms
  • Cloud storage used by healthcare providers
  • Email and messaging platforms used for patient communication
  • Any SaaS that healthcare clients might use to process patient data

What Is Protected Health Information (PHI)?

PHI is any individually identifiable health information that relates to:

  • An individual's past, present, or future physical or mental health condition
  • Healthcare provided to an individual
  • Past, present, or future payment for healthcare

PHI includes obvious items like medical records and diagnoses, but also:

  • Patient names, addresses, phone numbers, email addresses
  • Dates (birth, admission, discharge, death)
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Any unique identifying number or code

When PHI is in electronic form, it's called ePHI (electronic Protected Health Information). For SaaS companies, you're almost always dealing with ePHI.

HIPAA's Key Rules for SaaS

The Privacy Rule

Governs how PHI can be used and disclosed. Key requirements:

  • Use PHI only for permitted purposes (treatment, payment, healthcare operations)
  • Implement minimum necessary standards (access only the PHI needed for a specific task)
  • Provide patients with rights to access, amend, and receive an accounting of disclosures
  • Obtain authorization for uses beyond permitted purposes

The Security Rule

Specifies safeguards for ePHI. This is where the technical requirements live:

Administrative Safeguards:

  • Risk analysis and risk management
  • Workforce security training
  • Information access management
  • Contingency planning (backup, disaster recovery)
  • Evaluation and audit procedures

Physical Safeguards:

  • Facility access controls
  • Workstation security
  • Device and media controls

Technical Safeguards:

  • Access controls (unique user IDs, emergency access, automatic logoff, encryption)
  • Audit controls (hardware, software, and procedural mechanisms to record and examine access)
  • Integrity controls (mechanisms to confirm ePHI hasn't been altered or destroyed)
  • Transmission security (encryption for data in transit)

The Breach Notification Rule

If a breach of unsecured PHI occurs, you must:

  • Notify affected individuals within 60 days
  • Notify HHS (the Department of Health and Human Services)
  • Notify the media if the breach affects 500+ individuals
  • Notify the covered entity promptly if you're a business associate

Technical Requirements for SaaS Developers

Encryption

  • In transit: TLS 1.2 or higher for all data transmission
  • At rest: AES-256 encryption for stored ePHI
  • Key management: Secure key storage and rotation procedures

Access Controls

  • Unique user identification: Every user has a unique ID
  • Role-based access: Users access only the ePHI they need
  • Multi-factor authentication: Required for accessing ePHI
  • Automatic session timeout: Inactive sessions terminate automatically
  • Emergency access procedures: Documented process for emergency access

Audit Logging

  • Log all access to ePHI (who, when, what)
  • Log authentication attempts (successful and failed)
  • Log data modifications
  • Retain audit logs for at least six years
  • Regular audit log review procedures

Backup and Recovery

  • Regular automated backups of ePHI
  • Tested disaster recovery procedures
  • Recovery time and recovery point objectives
  • Backup encryption

Infrastructure

  • HIPAA-eligible cloud services (AWS, Google Cloud, and Azure all offer HIPAA-eligible configurations)
  • Network segmentation to isolate ePHI
  • Intrusion detection and prevention
  • Vulnerability scanning and penetration testing

Business Associate Agreements (BAAs)

Before handling PHI, you need a Business Associate Agreement with every covered entity you serve. A BAA:

  • Establishes what PHI you can access and how you can use it
  • Requires you to implement appropriate safeguards
  • Obligates you to report breaches
  • Specifies your responsibilities when the relationship ends

You also need BAAs with your subcontractors who handle PHI (cloud hosting, email services, etc.). Your cloud provider must sign a BAA before you store ePHI on their infrastructure.

Privacy Policies and HIPAA

Your SaaS needs a comprehensive privacy policy that addresses HIPAA requirements alongside general privacy regulations. While HIPAA's Notice of Privacy Practices (NPP) is specific to covered entities, business associates should still maintain clear privacy documentation.

LegalForge can help generate baseline privacy documentation for your SaaS. While HIPAA compliance requires additional, specialized legal documents (BAAs, NPPs), having a solid privacy policy foundation is an important starting point.

HIPAA Penalties

HIPAA violations carry significant penalties:

Civil Penalties (per violation category):

  • Unknowing: $100–$50,000 per violation
  • Reasonable cause: $1,000–$50,000 per violation
  • Willful neglect (corrected): $10,000–$50,000 per violation
  • Willful neglect (not corrected): $50,000 per violation

Annual maximums range from $25,000 to $1.5 million per violation category.

Criminal Penalties:

  • Up to $50,000 and one year in prison for knowing violations
  • Up to $100,000 and five years for violations under false pretenses
  • Up to $250,000 and ten years for violations with intent to sell or use PHI

HIPAA Compliance Checklist for SaaS

  • Determine if HIPAA applies to your SaaS
  • Conduct a risk analysis
  • Implement encryption (transit and rest)
  • Set up access controls and authentication
  • Implement audit logging
  • Establish backup and disaster recovery procedures
  • Prepare BAA templates for customers and subcontractors
  • Sign BAAs with cloud providers and subcontractors
  • Train your workforce on HIPAA requirements
  • Create breach notification procedures
  • Develop and document security policies
  • Generate a privacy policy (start with LegalForge)
  • Conduct regular security assessments
  • Maintain documentation of all compliance efforts

Getting Started

HIPAA compliance is a significant undertaking, but it opens a massive market — healthcare is one of the largest industries in the US. Start by determining whether HIPAA applies to your SaaS, conduct a risk analysis, and build your compliance program step by step.

For your foundational privacy documentation, LegalForge provides a quick starting point. Then work with a HIPAA-specialized compliance consultant or lawyer to address the healthcare-specific requirements that go beyond standard web privacy.

Generate Your Legal Documents in 60 Seconds

LegalForge uses AI to scan your website and create tailored Privacy Policies, Terms of Service, and Cookie Policies.

Try LegalForge Free →