The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law enacted in 1996. It establishes national standards for protecting the privacy and security of individuals’ health information. Its core compliance framework rests on three rules. The Privacy Rule governs how Protected Health Information (PHI) may be used and disclosed. The Security Rule mandates administrative, physical, and technical safeguards for electronic PHI (ePHI).

The Breach Notification Rule requires covered entities and business associates to notify affected individuals and HHS when unsecured PHI is compromised. For any SaaS vendor or B2B service company that touches US healthcare data, HIPAA compliance is a legal prerequisite for operating in the healthcare sector.

How it works

HIPAA compliance operates through three interlocking rules:

Privacy Rule. Defines what constitutes PHI and restricts how it may be used and disclosed. It also grants individuals rights over their own health information, including access to records, amendment, and an accounting of disclosures. Covered entities may use and disclose PHI for treatment, payment, and healthcare operations without the individual's permission, but most other uses and disclosures require a written authorization from the individual that meets the Rule's content requirements (HIPAA distinguishes this authorization from the informal "consent" a provider may collect).

Security Rule. Applies specifically to electronic PHI (ePHI) and requires covered entities and business associates to implement safeguards in three categories:

  • Administrative safeguards: risk analysis and management programs, workforce training, access management policies, incident response procedures.
  • Physical safeguards: facility access controls, workstation and device security policies, media disposal procedures.
  • Technical safeguards: access controls (unique user IDs, emergency access procedures, automatic log-off, encryption and decryption), audit controls (mechanisms that record and allow examination of activity in systems holding ePHI), integrity controls (mechanisms to detect improper alteration or destruction of ePHI), person or entity authentication, and transmission security (integrity controls and encryption for ePHI in transit). Encryption, at rest and in transit, is an "addressable" implementation specification: the entity must implement it or document why it is not reasonable and appropriate and put an equivalent alternative measure in place.
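
As an added illustration (not code from the page or from any vendor it describes), the following Python sketch wires four of the technical safeguards together: a unique user identity bound to each session, a role check on every record read, automatic log-off after an idle period, and an audit log whose entries are HMAC-chained so that editing or deleting any one of them is detected on verification. The role table, the 15-minute timeout, the user names and the single sample patient record are assumptions chosen for the example; the Security Rule itself sets no specific values.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Assumed policy values for this example; the Security Rule sets no fixed numbers.
IDLE_TIMEOUT_SECONDS = 15 * 60
ROLE_PERMISSIONS = {
    "clinician": {"read", "write"},
    "billing": {"read"},
    "helpdesk": set(),          # can log in, but has no access to records
}


class TamperEvidentAuditLog:
    """Append-only log: each entry's tag is an HMAC over the previous tag plus the
    entry, so editing, deleting or reordering any entry breaks the chain."""

    GENESIS = b"\x00" * 32

    def __init__(self, key: bytes):
        self._key = key
        self.entries: list = []

    @staticmethod
    def _canonical(event: dict) -> bytes:
        return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()

    def _tag(self, prev: bytes, event: dict) -> bytes:
        return hmac.new(self._key, prev + self._canonical(event), hashlib.sha256).digest()

    def append(self, event: dict) -> None:
        prev = bytes.fromhex(self.entries[-1]["tag"]) if self.entries else self.GENESIS
        self.entries.append({"event": event, "tag": self._tag(prev, event).hex()})

    def verify(self) -> int:
        """Return -1 if the chain is intact, otherwise the index of the first bad entry."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            expected = self._tag(prev, entry["event"])
            if not hmac.compare_digest(expected, bytes.fromhex(entry["tag"])):
                return i
            prev = expected
        return -1


@dataclass
class Session:
    user_id: str
    role: str
    last_activity: float


class PhiGateway:
    """Mediates every record read: unique user ID per session, role check,
    idle-timeout auto log-off, and one audit entry per attempt, allowed or not."""

    def __init__(self, audit: TamperEvidentAuditLog, idle_timeout: float = IDLE_TIMEOUT_SECONDS):
        self._audit = audit
        self._idle_timeout = idle_timeout
        self._sessions: dict = {}
        self._records = {"P-1001": {"dx": "E11.9"}}  # constructed sample record

    def login(self, session_id: str, user_id: str, role: str, now: float) -> None:
        self._sessions[session_id] = Session(user_id, role, now)
        self._audit.append({"t": now, "user": user_id, "action": "login", "result": "ok"})

    def read_record(self, session_id: str, patient_id: str, now: float) -> Optional[dict]:
        s = self._sessions.get(session_id)
        if s is None:
            return None
        if now - s.last_activity > self._idle_timeout:
            del self._sessions[session_id]            # automatic log-off
            self._audit.append({"t": now, "user": s.user_id, "action": "auto_logoff",
                                "result": "session_expired"})
            return None
        s.last_activity = now
        allowed = "read" in ROLE_PERMISSIONS.get(s.role, set())
        self._audit.append({"t": now, "user": s.user_id, "action": "read",
                            "patient": patient_id, "result": "ok" if allowed else "denied"})
        return self._records.get(patient_id) if allowed else None


def demo() -> dict:
    # Key is held in memory only for the example; use a KMS/HSM-held key in practice.
    log = TamperEvidentAuditLog(key=b"example-audit-chain-key")
    gw = PhiGateway(log, idle_timeout=900)
    gw.login("s1", "dr.lee", "clinician", now=0)
    gw.login("s2", "kim.helpdesk", "helpdesk", now=0)
    r1 = gw.read_record("s1", "P-1001", now=60)        # allowed and logged
    r2 = gw.read_record("s2", "P-1001", now=61)        # denied and still logged
    r3 = gw.read_record("s1", "P-1001", now=60 + 901)  # idle > 900 s: auto log-off
    intact = log.verify()
    log.entries[3]["event"]["result"] = "ok"           # insider rewrites the denied read
    return {"clinician_read": r1, "helpdesk_read": r2, "expired_read": r3,
            "intact_before": intact, "first_bad_after_tamper": log.verify()}
```

The chain only proves integrity to someone who holds the key: an insider who can edit the log and also read the key can simply re-chain it. In practice the key lives in a KMS or HSM and the log is shipped to write-once storage or a separate logging account, so that the people who operate the application cannot also rewrite its audit trail.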

Breach Notification Rule. When a breach of unsecured PHI is discovered, the covered entity must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Breaches affecting 500 or more individuals must be reported to HHS at the same time and, when 500 or more residents of a single state or jurisdiction are affected, to prominent media outlets serving that area; smaller breaches are logged and reported to HHS annually, within 60 days after the end of the calendar year in which they were discovered. Business associates must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovering a breach; where the BAA makes the business associate the covered entity's agent, the business associate's discovery date is imputed to the covered entity and starts its clock.

Business Associate Agreements (BAAs). Any vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity is a business associate and must sign a BAA. The BAA contractually binds the vendor to use and disclose PHI only as the agreement permits, implement the Security Rule's safeguards, report breaches and other impermissible uses to the covered entity, make its books and records available to HHS, flow the same terms down to any subcontractor that will touch the PHI (cloud and infrastructure providers included), and return or destroy the PHI when the agreement ends. SaaS vendors selling into healthcare must be prepared to sign BAAs and demonstrate compliance through documentation such as the current risk analysis, penetration testing reports, and a SOC 2 Type II report; there is no official HIPAA certification, so these artifacts stand in for one.

Why it matters for B2B

HIPAA compliance is a commercial threshold requirement for any B2B company operating in or adjacent to healthcare.

  • Market access. Hospitals, health systems, payers, and digital health companies will not purchase or integrate software from vendors that cannot sign a BAA and demonstrate HIPAA compliance. Non-compliance is a hard disqualifier in enterprise procurement.
  • Liability management. Business associates are directly liable under HIPAA. A data breach involving a SaaS platform that failed to implement required safeguards can result in OCR investigations, civil penalties, and class-action litigation from affected patients, even if the SaaS company never directly treated a patient. HIPAA itself provides no private right of action; those suits are brought under state privacy, consumer-protection, and negligence law, with the HIPAA violation cited as the standard of care that was missed.
  • Investor and partner due diligence. Healthcare-focused investors and strategic partners treat HIPAA compliance infrastructure (documented risk assessments, BAA frameworks, encryption standards, access controls) as a baseline signal of organizational maturity.
  • Trust as a differentiator. In a sector where data sensitivity is paramount, SaaS vendors that invest in HIPAA compliance, and can demonstrate it through independent audit reports and attestations, convert compliance into a competitive advantage, particularly when competing against less-mature alternatives.
  • Multi-framework efficiency. HIPAA's Security Rule overlaps significantly with SOC 2 Type II and ISO 27001 controls. Organizations that build a compliant security program for HIPAA typically achieve the SOC 2 attestation and ISO 27001 certification more efficiently, reducing the overall cost of compliance across frameworks.

Real-world examples

EHR platform: Implements role-based access controls, automatic session timeouts, encryption of ePHI in transit and at rest, and a formal breach response plan. Signs BAAs with every healthcare provider customer. Makes its annual HIPAA risk analysis summary and SOC 2 Type II report available to enterprise prospects on request, typically under NDA.

HR SaaS vendor: Discovers that its US healthcare customers are uploading employee benefits enrollment data containing health information. Engages legal counsel to determine whether the data constitutes PHI and, if so, updates its data processing agreements, implements additional encryption controls, and begins offering BAAs to affected customers.

Healthcare analytics startup: Builds de-identification pipelines that remove the 18 categories of identifiers listed in the Privacy Rule's Safe Harbor method from research datasets before processing. Provided the company also has no actual knowledge that the remaining data could identify an individual, the output is not PHI and falls outside HIPAA's handling requirements. The alternative route is Expert Determination, in which a qualified statistician documents that the risk of re-identification is very small.
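
The Safe Harbor pipeline described above, written out as an added Python example (not the startup's code and not from the original page): it drops the direct-identifier fields, truncates ZIP codes to three digits and reports 000 for the prefixes HHS lists as covering 20,000 or fewer people, keeps only the year of dates, aggregates ages over 89 into a single 90+ category (dropping the birth year, which would otherwise reveal the age), redacts common identifier patterns from free text, and drops any field it does not recognise rather than passing it through. The field names, the sample record and the regexes are assumptions for the example; the restricted-prefix list is the one in HHS's de-identification guidance, which is derived from Census data, so check it against the current guidance before relying on it.

```python
import re
from datetime import date
from typing import Any, Dict

# Three-digit ZIP prefixes that Safe Harbor requires to be reported as 000 because the
# area they cover has 20,000 or fewer residents. This is the list in HHS's
# de-identification guidance (based on 2000 Census data); re-check before relying on it.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}

# Assumed field names for this example, mapped onto the Safe Harbor categories.
DROP_FIELDS = {"name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
               "mrn", "health_plan_id", "account_number", "license_number", "vehicle_id",
               "device_serial", "url", "ip_address", "biometric", "photo"}
DATE_FIELDS = {"admit_date", "discharge_date", "service_date"}   # reduced to year only
PASSTHROUGH_FIELDS = {"state", "sex", "diagnosis_codes"}        # not among the 18

# Patterns for identifiers that leak into free text; a check, not a full scrubber.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def zip3(zip_code: str) -> str:
    """First three ZIP digits, or 000 for prefixes with too few residents."""
    digits = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(digits) < 3 or digits in RESTRICTED_ZIP3 else digits


def age_at(dob: date, as_of: date) -> int:
    """Completed years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def scrub_text(text: str) -> str:
    """Replace recognisable identifier patterns in free text with labelled tokens."""
    for label, pattern in RESIDUAL_PATTERNS.items():
        text = pattern.sub(f"[{label.upper()}]", text)
    return text


def deidentify_record(rec: Dict[str, Any], as_of: date) -> Dict[str, Any]:
    out: Dict[str, Any] = {}
    for key, value in rec.items():
        if key in DROP_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = zip3(value)
        elif key == "dob":
            age = age_at(value, as_of)
            if age > 89:
                out["age"] = "90+"          # birth year would reveal the age, so drop it too
            else:
                out["age"] = age
                out["birth_year"] = value.year
        elif key in DATE_FIELDS:
            out[key + "_year"] = value.year
        elif key == "notes":
            out["notes"] = scrub_text(value)
        elif key in PASSTHROUGH_FIELDS:
            out[key] = value
        # Anything unrecognised is dropped: fail closed rather than leak a new identifier.
    return out


# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "mrn": "MRN-0099812",
    "ssn": "123-45-6789",
    "street_address": "12 Elm St",
    "city": "Rutland",
    "state": "VT",
    "zip": "05901",                 # prefix 059 is on the restricted list
    "dob": date(1930, 3, 15),       # age 93 on 2024-01-10, so reported as 90+
    "admit_date": date(2023, 11, 2),
    "diagnosis_codes": ["I10", "E11.9"],
    "notes": "Called 802-555-0134; spouse email pat@example.com.",
    "wearable_uuid": "7f3c9a12",    # not in any list above, so it is dropped
}
```

Two things the code cannot do for you: Safe Harbor also requires that the entity have no actual knowledge that the remaining data could identify someone, which is a judgment about the dataset and its recipients, and regex scrubbing of free text is a residual check rather than a guarantee. Notes fields are usually dropped or routed to a reviewed clinical de-identification step instead of being passed through as this example does.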

Telehealth company: Selects a video conferencing platform that offers a BAA and HIPAA-compliant architecture over a lower-cost consumer alternative that does not, accepting the price premium as a non-negotiable compliance cost.

  • Encryption — HIPAA's Security Rule lists encryption of ePHI, at rest and in transit, as an addressable implementation specification: it must be implemented, or the reasons it is not reasonable and appropriate must be documented and an equivalent alternative put in place. Encryption that follows HHS's guidance (NIST-based) also renders PHI "secured", so loss of such data is not a reportable breach under the Breach Notification Rule, provided the keys were not compromised along with it.
  • CDP — Customer Data Platforms used in healthcare contexts must be evaluated for HIPAA compliance before ingesting or processing any patient-linked health data.
  • SaaS — SaaS vendors serving US healthcare customers must build HIPAA compliance into their architecture, sign BAAs, and maintain documented security programs as a baseline commercial requirement.