HIPAA Compliance for SaaS Companies: The Complete 2026 Guide
If your SaaS product touches any protected health information — even indirectly — you're a Business Associate and HIPAA applies to you. Here's exactly what that means and what you need to do.
If your SaaS product touches protected health information — even indirectly — HIPAA applies to you. This surprises a lot of founders who think HIPAA is only for hospitals and insurance companies. It's not.
Are You a Covered Entity or Business Associate?
HIPAA applies to two types of organizations: Covered Entities and Business Associates.
Covered Entities are healthcare providers (hospitals, clinics, physicians), health plans (insurance companies, HMOs), and healthcare clearinghouses. If you're a SaaS company, you're probably not a Covered Entity.
Business Associates are companies that create, receive, maintain, or transmit PHI on behalf of a Covered Entity. This includes: EHR software companies, telehealth platforms, medical billing software, healthcare analytics tools, cloud storage providers used by healthcare organizations, and any SaaS company that handles PHI on behalf of healthcare providers or health plans (selling to healthcare customers is not enough by itself; handling their PHI is what makes you a Business Associate).
If a hospital uses your software and your software touches patient data in any way, even just storing it, you are a Business Associate and HIPAA applies to you. The "conduit" exception HHS recognizes is narrow: it covers services that merely transmit PHI with only transient access (ISPs, couriers), not services that persistently store it. A cloud provider that stores encrypted ePHI is still a Business Associate even if it never holds the key or views the data.
What Is Protected Health Information (PHI)?
PHI is individually identifiable health information: information about a person's health condition, the care they received, or payment for that care, combined with anything that identifies the person or could reasonably be used to. HIPAA's "Safe Harbor" de-identification standard lists 18 identifiers that must be removed before data stops being PHI: names, addresses smaller than a state, dates directly related to the individual (birth, admission, discharge, death), phone numbers, fax numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers, device identifiers, URLs, IP addresses, biometric identifiers, full-face photographs, and any other unique identifying number, characteristic, or code.
Notice that IP addresses are on that list. If your application logs IP addresses alongside any health information, that combination is PHI, which puts your logging pipeline, log aggregator, and analytics tools in scope. The same applies to email addresses and account numbers in error reports and support tickets.
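The usual fix is to scrub identifiers out of log records before they reach any handler, so the log store never becomes a PHI repository. The following is an added example, not code from the original article; its regular expressions are assumptions covering a handful of the identifiers listed above in formats a typical web application emits (IPv4 addresses, SSNs, emails, US phone numbers, and assumed `MRN=` and `DOB=` layouts). Production scrubbing needs patterns tuned to your own data: IPv6, other record-number layouts, and free-text names are not handled here.

```python
"""Redact HIPAA Safe Harbor identifiers from log lines before they are written.

Added example, not code from the original article. The regexes are assumptions:
they cover a subset of the identifiers in the formats a typical web app emits.
"""
import logging
import re

# Order matters: the more specific patterns run first so a later, looser
# pattern cannot match a fragment of something already redacted.
PATTERNS = [
    ("MRN", re.compile(r"\bMRN[=:\s]*\d{6,}\b")),              # assumed MRN layout
    ("DOB", re.compile(r"\bDOB[=:\s]*\d{4}-\d{2}-\d{2}\b")),   # assumed DOB layout
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),        # IPv4 only
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")),
]


def scrub(line: str):
    """Return (redacted_line, {identifier_type: count}) for one log line."""
    counts = {}
    for name, pattern in PATTERNS:
        line, n = pattern.subn(f"[REDACTED-{name}]", line)
        if n:
            counts[name] = n
    return line, counts


def contains_identifiers(line: str) -> bool:
    """True if the line carries at least one recognized identifier."""
    return bool(scrub(line)[1])


def scrub_lines(lines):
    """Redact a batch of lines (e.g. before shipping to a log aggregator)."""
    return [scrub(line)[0] for line in lines]


class PhiRedactingFilter(logging.Filter):
    """Attach to a logger or handler so every record is scrubbed before any
    formatter, handler or remote sink sees it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # getMessage() interpolates args, so scrub the final text and drop args.
        record.msg, _ = scrub(record.getMessage())
        record.args = ()
        return True


# Constructed sample lines (fictional data; 203.0.113.0/24 is a documentation range).
SAMPLE_LOG = [
    "2024-03-15 10:22:01 INFO patient lookup MRN=00472193 dx=E11.9 from 203.0.113.42",
    "2024-03-15 10:22:05 INFO contact john.doe@example.com phone 555-123-4567 ssn 123-45-6789",
    "2024-03-15 10:23:11 INFO health check ok from 10.0.0.7",
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    app_log = logging.getLogger("app")
    app_log.addFilter(PhiRedactingFilter())
    for raw in SAMPLE_LOG:
        app_log.info(raw)   # handlers only ever see the redacted text
```

The filter runs on the logger, before handlers, so a misconfigured handler that ships records to a third-party service still never receives the raw line. Log timestamps are deliberately left alone: a date is an identifier only when it relates to the patient, which a regex cannot tell apart from a server clock, so patient dates are caught by the assumed `DOB=` layout instead.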
The Three HIPAA Rules You Must Comply With
1. The Security Rule
The Security Rule requires administrative, physical, and technical safeguards to protect electronic PHI (ePHI). This is the most technical rule and the one most SaaS companies focus on. Its technical safeguard standards are:
- Access control: unique user identification, an emergency access procedure, automatic logoff, and encryption/decryption of ePHI at rest
- Audit controls: hardware, software, and procedural mechanisms to record and examine activity in systems that hold ePHI
- Integrity controls: mechanisms to authenticate ePHI and detect unauthorized alteration or destruction
- Person or entity authentication: verifying that whoever is requesting ePHI is who they claim to be
- Transmission security: integrity protection and encryption of ePHI in transit
Some of these implementation specifications are "required" and others "addressable" (encryption and automatic logoff, for example). Addressable does not mean optional: you must either implement the specification or document why it is not reasonable and what equivalent measure you use instead. In practice, treat encryption at rest and in transit as required.
2. The Privacy Rule
The Privacy Rule governs the use and disclosure of PHI. As a Business Associate, your obligations are primarily defined by your Business Associate Agreement (BAA) with your Covered Entity customers.
3. The Breach Notification Rule
If you experience a breach of unsecured PHI, you must notify the affected Covered Entity without unreasonable delay and no later than 60 calendar days after discovery (a breach is "discovered" the day anyone in your workforce, other than the person who caused it, knew or reasonably should have known about it). The Covered Entity then has its own obligations to notify patients, HHS, and in larger breaches the media. Two practical caveats: most BAAs shorten the 60-day window, often to a few days, so read yours; and "unsecured" means PHI that was not encrypted or destroyed in line with HHS guidance, so properly managed encryption can keep a lost laptop or leaked backup from becoming a reportable breach.
Business Associate Agreements (BAAs)
Every relationship between a Covered Entity and a Business Associate must be governed by a BAA. If your healthcare customers haven't asked you to sign a BAA, that's a red flag — it means they may not be managing their HIPAA obligations properly.
Your BAA must specify: what PHI you're permitted to use and disclose, that you'll implement appropriate safeguards, that you'll report breaches, that you'll return or destroy PHI at the end of the relationship, and that your subcontractors who handle PHI also sign BAAs.
The Minimum Necessary Standard
HIPAA requires that you only access, use, or disclose the minimum amount of PHI necessary to accomplish the intended purpose. This has practical implications for your product design: don't collect PHI you don't need, don't give employees access to PHI they don't need for their job, and don't retain PHI longer than necessary.
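The minimum necessary standard above and the Security Rule's audit and integrity controls meet in the data access layer: each role sees only the fields its job needs, every access (including refused ones) is recorded, and the record of who read what cannot be quietly edited. The following is an added example, not code from the original article; the roles, field sets, sample record and HMAC key are assumptions. It serves both the Security Rule bullets (audit and integrity controls) and the minimum necessary standard.

```python
"""Minimum-necessary field access with a tamper-evident audit trail.

Added example, not code from the original article. Roles, field sets, the record
layout and AUDIT_KEY are assumptions. A real deployment takes the role from an
authenticated session and keeps the HMAC key away from the app that writes the
log (anyone holding the key can recompute a forged chain).
"""
import hashlib
import hmac
import json

# Fields each role may read: the minimum necessary for that job function.
# Unknown roles get nothing (deny by default). Assumed role/field sets.
ROLE_FIELDS = {
    "clinician": {"patient_id", "name", "dob", "diagnoses", "medications"},
    "billing": {"patient_id", "account_number", "insurance_plan"},
    "support": {"patient_id"},
}


class AuditLog:
    """Append-only audit log. Each entry carries an HMAC over its own content
    plus the previous entry's MAC, so editing, deleting or reordering any
    entry breaks verification (audit controls + integrity controls)."""

    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    @staticmethod
    def _canonical(body: dict) -> bytes:
        # Canonical JSON so the MAC does not depend on key order.
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

    def _mac(self, body: dict) -> str:
        return hmac.new(self._key, self._canonical(body), hashlib.sha256).hexdigest()

    def append(self, **event) -> dict:
        prev = self.entries[-1]["mac"] if self.entries else self.GENESIS
        body = {"seq": len(self.entries), "prev": prev, **event}
        entry = {**body, "mac": self._mac(body)}
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (True, n) if all n entries chain correctly, otherwise
        (False, i) where i is the first entry that fails."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body.get("seq") != i or body.get("prev") != prev:
                return False, i
            if not hmac.compare_digest(self._mac(body), entry["mac"]):
                return False, i
            prev = entry["mac"]
        return True, len(self.entries)


def read_record(record: dict, user: str, role: str, fields, ts: int, log: AuditLog) -> dict:
    """Return only the requested fields the role may see. The access, including
    a refusal, is logged before any data is returned. `ts` is passed in so the
    caller controls the clock; a real system would use time.time()."""
    allowed = ROLE_FIELDS.get(role, set())
    requested = set(fields)
    denied = requested - allowed
    log.append(ts=ts, user=user, role=role, patient_id=record["patient_id"],
               requested=sorted(requested), denied=sorted(denied))
    if denied:
        raise PermissionError(f"{role} may not read {sorted(denied)}")
    return {f: record[f] for f in sorted(requested) if f in record}


# Constructed sample record (fictional data) and an assumed demo key.
SAMPLE_RECORD = {
    "patient_id": "P-1001", "name": "Jane Example", "dob": "1980-01-02",
    "diagnoses": ["E11.9"], "medications": ["metformin"],
    "account_number": "ACC-77", "insurance_plan": "PLAN-A",
}
AUDIT_KEY = b"example-key-not-for-production"


def demo():
    log = AuditLog(AUDIT_KEY)
    allowed = read_record(SAMPLE_RECORD, "dr.smith", "clinician", ["name", "diagnoses"], 1, log)
    try:
        read_record(SAMPLE_RECORD, "agent7", "support", ["patient_id", "diagnoses"], 2, log)
        refused = False
    except PermissionError:
        refused = True
    intact = log.verify()            # (True, 2): both accesses recorded, chain valid
    log.entries[1]["denied"] = []    # someone with write access tries to hide the refusal
    tampered = log.verify()          # (False, 1): entry 1 no longer matches its MAC
    return allowed, refused, intact, tampered


if __name__ == "__main__":
    print(demo())
```

The chain only proves that nobody altered the log without the key; it does not stop someone who holds the key. Anchoring the latest MAC somewhere the application cannot write (a separate logging service, a WORM bucket, or a daily digest emailed to the security team) turns "detectable by the log writer" into "detectable by an auditor".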
HIPAA Penalties: Why This Matters
HIPAA civil penalties are tiered based on culpability. The per-violation ranges below are the base statutory amounts; the annual caps reflect the per-tier limits HHS adopted in its 2019 enforcement discretion notice. HHS adjusts all of these figures for inflation each year, so check the current Federal Register notice for the exact numbers:
- Tier 1 (didn't know): $100–$50,000 per violation, capped per year
- Tier 2 (reasonable cause): $1,000–$50,000 per violation, capped per year
- Tier 3 (willful neglect, corrected within 30 days): $10,000–$50,000 per violation, capped per year
- Tier 4 (willful neglect, not corrected): $50,000 per violation, with the highest annual cap (about $1.9M after inflation adjustment)
Criminal penalties under 42 U.S.C. 1320d-6 apply to knowingly obtaining or disclosing PHI: up to one year in prison for the base offense, up to five years if done under false pretenses, and up to ten years if done with intent to sell the PHI or use it for commercial advantage, personal gain, or malicious harm. This is a legal obligation with serious consequences, not a box-ticking exercise.
Getting HIPAA Compliant: The Practical Steps
1. Map your PHI: identify every location where PHI is created, received, stored, or transmitted, including logs, backups, analytics pipelines, and subprocessors
2. Conduct a formal risk analysis (required by the Security Rule at 45 CFR 164.308(a)(1)(ii)(A)) and a risk management plan that addresses what it finds
3. Implement the required technical safeguards: encryption at rest and in transit, access controls, audit logging
4. Write the required policies: privacy policy, security policy, breach notification procedure, and your documented decisions on each addressable specification
5. Train your workforce on HIPAA requirements and keep attendance records
6. Execute BAAs with all Covered Entity customers and with every subcontractor that handles PHI
7. Document everything: HIPAA compliance is demonstrated through documentation, and an auditor will ask for it
HIPAA compliance is not a one-time project. It's an ongoing program that requires periodic (in practice at least annual) risk analyses, regular training, and continuous monitoring. That's why we include Dashr.ai monitoring with every HIPAA engagement.