HIPAA (Health Insurance Portability and Accountability Act)

HIPAA is a U.S. federal law that establishes national standards for protecting the privacy and security of individually identifiable health information. For technology companies, HIPAA's Security Rule and Privacy Rule define how protected health information (PHI) must be handled, requiring specific administrative, physical, and technical safeguards whenever a company creates, receives, maintains, or transmits health data.

What is HIPAA?

HIPAA is the U.S. law governing the protection of health information. Enacted in 1996 and significantly expanded by the HITECH Act in 2009, HIPAA sets the rules for how protected health information (PHI) is stored, transmitted, and accessed.

HIPAA has two primary rules relevant to startups:

  • The Privacy Rule establishes standards for when and how PHI can be used and disclosed. It gives patients rights over their health information, including the right to access their records and request corrections.
  • The Security Rule requires specific safeguards to protect electronic PHI (ePHI). This is where HIPAA directly intersects with your security program: it mandates administrative safeguards (risk assessments, workforce training, access management policies), physical safeguards (facility access controls, workstation security), and technical safeguards (access controls, audit controls, transmission security, encryption).

Protected health information includes any individually identifiable health information: medical records, lab results, insurance information, and any data that links an individual to a health condition, treatment, or payment for healthcare.

Who does HIPAA apply to?

HIPAA applies to two categories of organizations:

  1. Covered entities. Healthcare providers, health plans, and healthcare clearinghouses that electronically transmit health information.
  2. Business associates. Any organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity. This is where startups enter the picture.

If your software processes, stores, or transmits health data for a healthcare provider or health plan, you're likely a business associate. This includes healthtech platforms, EHR integrations, telehealth tools, healthcare analytics products, patient engagement apps, and even general-purpose SaaS tools (project management, communication) if a healthcare client uses them to handle PHI.

Business associates must sign a Business Associate Agreement (BAA) with covered entities, which contractually obligates you to comply with HIPAA's security and privacy requirements.

Why HIPAA matters for startups

  1. Penalties are severe. Civil penalties are tiered by culpability, with statutory base amounts from $100 to $50,000 per violation and an annual maximum of $1.5 million per violation category; these figures are adjusted for inflation each year, so the current amounts are higher. The HHS Office for Civil Rights (OCR) has increased enforcement activity, and penalties apply regardless of company size. Criminal penalties, prosecuted by the Department of Justice, can also apply for knowing violations.
  2. It unlocks the healthcare market. Healthcare is a massive market, and HIPAA compliance is the entry ticket. Healthcare organizations will not work with vendors who can't demonstrate HIPAA compliance and sign a BAA. For healthtech startups, HIPAA readiness directly correlates with revenue opportunity.
  3. Breach notification is strict. Affected individuals must be notified without unreasonable delay, and no later than 60 days after a breach of unsecured PHI is discovered, whatever its size. Breaches affecting 500 or more individuals must also be reported to HHS within that same window, and to prominent media outlets if 500 or more residents of a single state or jurisdiction are affected; smaller breaches are logged and reported to HHS annually. As a business associate, your duty runs to the covered entity: it must be notified within 60 days of discovery (often sooner under the BAA) so that it can meet its own deadlines. This timeline requires a prepared incident response process.
  4. The Security Rule is prescriptive. Unlike SOC 2 (which is principle-based), HIPAA's Security Rule specifies required and addressable safeguards. Required safeguards must be implemented. Addressable safeguards must be implemented where reasonable and appropriate; otherwise you must document why not and implement an equivalent alternative measure where one is reasonable and appropriate. This specificity makes compliance more straightforward to plan but less flexible.

HIPAA security requirements for startups

The Security Rule safeguards that most affect startups include:

  • Access controls. Unique user identification, emergency access procedures, automatic logoff, and encryption of ePHI.
  • Audit controls. Mechanisms to record and examine activity in systems that contain or use ePHI. Centralized logging (a SIEM or equivalent) is the usual way to meet this, but the requirement covers review as well as collection: logs that nobody examines do not satisfy it.
  • Integrity controls. Mechanisms to ensure ePHI is not improperly altered or destroyed.
  • Transmission security. Encryption of ePHI during electronic transmission (TLS, encrypted email).
  • Risk analysis and management. An administrative safeguard rather than a technical one, and a recurring finding in OCR enforcement actions: regular, documented risk assessments identifying threats to ePHI, and security measures that reduce risk to reasonable and appropriate levels.

Frequently asked questions

How do I know if my startup needs HIPAA compliance?

Ask this question: does your product or service create, receive, maintain, or transmit protected health information on behalf of a healthcare provider, health plan, or healthcare clearinghouse? If yes, you're a business associate and HIPAA applies. Common triggers include: your app stores patient data, your platform integrates with electronic health records, your analytics tool processes health-related data, or a healthcare customer wants to use your general-purpose SaaS tool with PHI. If a healthcare customer asks you to sign a BAA, that's a definitive signal that HIPAA compliance is required.


What's the difference between HIPAA and SOC 2?

HIPAA is a federal law with specific requirements for protecting health information. Non-compliance carries legal penalties including fines and criminal charges. SOC 2 is a voluntary audit framework for demonstrating security controls. There's significant overlap in the security controls they require (access management, logging, encryption, incident response), and many startups pursue both: SOC 2 for broad enterprise sales credibility and HIPAA compliance for healthcare-specific market access. SOC 2 doesn't satisfy HIPAA by itself (they have different scoping and requirements), but the security practices overlap substantially.


Does HIPAA require encryption of all protected health information?

HIPAA's Security Rule classifies encryption as an "addressable" safeguard, not a "required" one. However, "addressable" doesn't mean "optional." It means you must either implement encryption or document why an equivalent alternative control provides the same level of protection. In practice, encryption of ePHI at rest and in transit is considered the standard of care, and not encrypting is extremely difficult to justify. Additionally, unencrypted PHI that is breached triggers notification requirements, while properly encrypted PHI that is lost or stolen may qualify for a safe harbor exemption from breach notification. That safe harbor applies only when the encryption meets HHS guidance (which points to NIST standards) and the decryption key was not compromised along with the data; a stolen laptop with the key on a sticky note attached is not "secured" PHI.

