The HIPAA panic most founders don't need
You're building a SaaS product. Someone mentions it might touch health data. Suddenly you're reading about $1.9M fines and wondering if you need to redesign your entire architecture. Most of the time, you don't. Here's how to figure out where you actually stand.
Who does HIPAA actually apply to?
HIPAA — the Health Insurance Portability and Accountability Act — applies to two categories of entities:
- Covered Entities (CEs): healthcare providers, health plans, and healthcare clearinghouses that conduct standard electronic transactions
- Business Associates (BAs): vendors and subcontractors who create, receive, maintain, or transmit Protected Health Information (PHI) on behalf of a Covered Entity
If you're neither of these, HIPAA doesn't directly apply to you. Full stop.
What is PHI?
Protected Health Information is individually identifiable health information. It's PHI when both conditions are true:
- It relates to a person's health condition, healthcare provision, or payment for healthcare
- It can be linked to a specific individual (via name, email, IP address, account number, device ID, or any of the 18 HIPAA identifiers)
De-identified data — where all 18 identifiers are removed using Safe Harbor or Expert Determination methods — is not PHI and falls outside HIPAA's scope.
The three scenarios for SaaS founders
Scenario 1: You sell to healthcare providers and handle their patient data
This is classic Business Associate territory. If a hospital or clinic uses your platform and their patients' data lives in your system, you're a BA. What you need:
- A signed Business Associate Agreement (BAA) with every Covered Entity customer
- HIPAA-compliant infrastructure (encryption at rest + in transit, audit logs, access controls)
- A documented Security Rule compliance program (risk analysis, policies, training)
- A Breach Notification procedure (72-hour notice to CEs, 60-day notice to HHS)
Timeline to get compliant from scratch: 3-6 months if you're doing it properly. Cost: varies widely, but expect $15K–$50K+ in consultant/legal fees for a first HIPAA program.
Scenario 2: You sell a wellness or consumer health app directly to individuals
If you collect health data but you're not a Covered Entity and you're not acting as a BA, HIPAA may not apply. A fitness app that users buy directly is generally outside HIPAA scope. But:
- You're still subject to the FTC's Health Breach Notification Rule if you handle personal health records
- GDPR applies if you have EU users (health data = special category data under Art. 9)
- State laws may apply: California CMIA, New York SHIELD Act, etc.
Don't confuse "we collect health info" with HIPAA. The question is whether you're processing PHI on behalf of a Covered Entity.
Scenario 3: You're building general B2B SaaS (HR, productivity, finance)
If health data might appear incidentally (e.g., an HR tool where an employee mentions a sick day), that's not enough to trigger HIPAA. The data has to be maintained as part of a health record and you have to be acting as a BA.
The Business Associate Agreement (BAA) — what it does
A BAA is a contract between a Covered Entity and a Business Associate that:
- Defines how PHI can be used and disclosed
- Requires the BA to implement appropriate safeguards
- Requires breach notification
- Establishes liability allocation
Without a BAA, neither party should be transmitting PHI. If a hospital asks to use your SaaS and you don't have a BAA in place, you're both in violation.
Practical note: Large cloud providers (AWS, Google Cloud, Azure) offer BAAs to customers as standard. If you're on one of these, that's your infrastructure covered — but you still need a BAA from your own customers if you're the BA in that relationship.
The four HIPAA rules you actually need to know
- Privacy Rule: Governs who can access and use PHI, and defines patients' rights (access, amendment, accounting of disclosures)
- Security Rule: Technical, physical, and administrative safeguards for electronic PHI (ePHI). Risk analysis is the cornerstone.
- Breach Notification Rule: Covered Entities must notify affected individuals (60 days), HHS (60 days, or annual if under 500 individuals), and media (60 days, if 500+ in a state)
- Enforcement Rule: Civil money penalties: $100–$50,000 per violation, up to $1.9M per category per year
The minimum viable HIPAA program for an early-stage BA
If you've determined you need HIPAA compliance, here's the minimum before you can sign BAAs:
- Risk Analysis: Document where ePHI flows, identify threats, assess existing controls
- Policies & Procedures: Written policies covering access control, audit logging, incident response, workforce training
- Technical Safeguards: Encryption at rest and in transit, unique user IDs, automatic logoff, audit controls
- Workforce Training: All employees with PHI access must be trained annually
- BAA Template: Have legal counsel draft your standard BAA
Bottom line for most SaaS founders
Ask yourself: Are you creating, receiving, maintaining, or transmitting PHI on behalf of a Covered Entity? If yes — get legal counsel, start your risk analysis, and don't sign any healthcare customer contracts until you have a BAA in place. If no — relax, but stay alert to GDPR (if you have EU users) and FTC rules (for consumer health apps).
The goal isn't to be scared of healthcare customers. It's to be informed about what serving them requires.
Generate your SaaS legal documents
While HIPAA BAA templates require specialist legal review, ComplyKit can generate your Privacy Policy, Terms of Service, Cookie Policy, and Refund Policy instantly — all GDPR-aware and free.