HIPAA for SaaS Startups — What You Actually Need
HIPAA compliance for SaaS companies explained without the jargon. What triggers the requirement, what a BAA is, and how to get compliant without hiring a full-time compliance team.
You're building a SaaS product and a healthcare company wants to use it. Their security team sends you a questionnaire that asks about HIPAA compliance. Now what?
Do You Even Need HIPAA?
HIPAA applies if you create, receive, maintain, or transmit protected health information (PHI) on behalf of a covered entity (hospital, insurer, clinic). If your SaaS product will touch any of the following, you need HIPAA:
- Patient names, dates of birth, medical record numbers
- Diagnosis codes, treatment records, lab results
- Insurance IDs, billing records
- Any data that could both identify a patient and relate to their health
If you're a business associate (a vendor that handles PHI for a covered entity), you need:
- A Business Associate Agreement (BAA) with every covered entity you serve
- Compliance with the Security Rule (administrative, physical, technical safeguards)
- Compliance with the Breach Notification Rule (you must notify within 60 days)
What HIPAA Is Not
HIPAA is not a certification. There is no "HIPAA certified" badge. Anyone selling you a HIPAA certification is selling something that doesn't exist.
What you can do:
- Implement the required safeguards (Security Rule, Privacy Rule, Breach Notification Rule)
- Conduct an annual risk assessment
- Get a third-party assessment letter (optional but recommended for enterprise sales)
- Sign BAAs with your customers and your subprocessors (AWS, GCP, etc.)
The Minimum Viable HIPAA Program
For a SaaS startup, here's what we actually implement:
1. BAA Chain
Your customer signs a BAA with you. You sign BAAs with every subprocessor that could touch PHI:
- Cloud provider (AWS, GCP, Azure — all offer BAAs)
- Database hosting (RDS, Cloud SQL — covered by the cloud BAA)
- Email provider (if you're sending PHI via email — most don't)
2. Technical Safeguards
- Encryption at rest: AES-256 on all databases and storage
- Encryption in transit: TLS 1.2+ everywhere
- Access controls: role-based access, MFA for anyone accessing PHI
- Audit logging: who accessed what, when
3. Administrative Safeguards
- Risk assessment: annual, documented
- Policies: Information Security, Acceptable Use, Incident Response, Workforce Training
- Workforce training: annual HIPAA awareness training with sign-off
4. Breach Notification
- Runbook: documented process for detecting, investigating, and reporting breaches
- 60-day clock: notification to affected individuals + HHS within 60 days of discovery
- State laws: some states (CA, TX, NY) have shorter windows or additional requirements
What It Costs
HIPAA is one of the more affordable compliance programs because there's no formal audit:
| Component | Cost |
|-----------|------|
| FencePencil setup | $7,500 |
| Monthly retainer | $1,500/mo |
| Third-party assessment (optional) | $5,000–$10,000 |
| Internal time (~30 hours) | ~$3,000 |
| Year 1 total | $28,500–$38,500 |
No auditor pass-through because HIPAA has no formal audit requirement. The optional third-party assessment produces a letter you can show customers — it's not required but it closes deals faster.
Common Mistakes
- Thinking "we use AWS so we're HIPAA-compliant": AWS signs a BAA for their infrastructure, but your application code, access controls, and processes are your responsibility. The shared responsibility model applies.
- Encrypting data but not logging access: HIPAA requires audit logs for PHI access. Encryption alone is insufficient.
- Forgetting downstream vendors: if your error-tracking tool (Sentry) or customer-support tool (Intercom) could receive PHI in stack traces or support tickets, you need BAAs with them or you need to filter PHI before it reaches them.
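As an added example (not part of the original article and not FencePencil's code), here is the "filter PHI before it reaches them" step for an error-tracking tool: a scrubber that walks the whole error event, including stack-frame local variables and request bodies, and redacts PHI by field name and by value pattern. The hook shape mirrors Sentry's `before_send(event, hint)` callback, but the code is standalone; the field names and patterns are assumptions you would adapt to your own schema.

```python
import re
from typing import Any

# Keys whose values are treated as PHI regardless of content (constructed list;
# extend it with the field names your own schema uses).
PHI_KEYS = {"patient_name", "dob", "date_of_birth", "mrn",
            "medical_record_number", "ssn", "diagnosis", "insurance_id"}

# Value patterns that look like PHI identifiers even under an innocent key
# (assumed formats; tune them to the identifiers your system actually emits).
PHI_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),          # US SSN
    re.compile(r"\bMRN[- ]?\d{6,}\b", re.I),       # medical record number
    re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),          # ISO date (date-of-birth risk)
]
REDACTED = "[REDACTED-PHI]"

def scrub_value(value: Any) -> Any:
    """Mask PHI-looking substrings in a scalar; leave non-strings untouched."""
    if not isinstance(value, str):
        return value
    for pattern in PHI_PATTERNS:
        value = pattern.sub(REDACTED, value)
    return value

def scrub_phi(obj: Any) -> Any:
    """Recursively redact PHI from a JSON-like event (dicts, lists, scalars)."""
    if isinstance(obj, dict):
        return {k: REDACTED if str(k).lower() in PHI_KEYS else scrub_phi(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [scrub_phi(item) for item in obj]
    return scrub_value(obj)

def before_send(event: dict, hint: Any = None) -> dict:
    """Pre-send hook (event dict in, event dict out). Scrubbing the entire
    payload covers message text, request data and stack-frame locals, so the
    vendor never receives PHI and the BAA question for that tool goes away."""
    return scrub_phi(event)

if __name__ == "__main__":
    # Constructed sample of what an unhandled exception might capture.
    event = {
        "message": "Failed to render chart for MRN 00123456",
        "request": {"data": {"patient_name": "Jane Doe", "visit_id": 42}},
        "exception": {"values": [{"stacktrace": {"frames": [
            {"vars": {"ssn": "123-45-6789", "note": "dob 1980-02-14"}}]}}]},
    }
    print(before_send(event))
```

Register the hook at SDK initialisation so every event passes through it; any field name you later add that carries PHI belongs in PHI_KEYS, since the pattern list is a backstop, not a substitute for knowing your schema.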
Next Steps
If you're fielding HIPAA questions from healthcare customers, book a scoping call or try our compliance cost calculator to estimate your costs.