HIPAA compliance for software vendors
HIPAA is the US law that protects health information. If your software touches protected health information (PHI) on behalf of a healthcare customer, you are usually a business associate, and you take on the Security Rule safeguards, a business associate agreement, and a documented risk analysis. This guide covers what that means in practice.
What HIPAA is
HIPAA, the Health Insurance Portability and Accountability Act, sets US rules for handling protected health information. Its key parts are the Privacy Rule, which governs how PHI may be used and disclosed, the Security Rule, which protects electronic PHI, and the Breach Notification Rule, which requires notice when PHI is exposed.
It is enforced by the Office for Civil Rights at the US Department of Health and Human Services. There is no official HIPAA certificate; you demonstrate compliance through your programme and evidence.
Covered entities and business associates
HIPAA applies to covered entities (such as healthcare providers and health plans) and to business associates, which are vendors that handle PHI on their behalf. Most software companies in healthcare are business associates.
If you are a business associate, you are directly liable for parts of HIPAA, and you must sign a business associate agreement (BAA) with each covered entity customer, and with any of your own sub-vendors that touch PHI.
The Security Rule safeguards
The Security Rule organises protection of electronic PHI into three groups of safeguards:
- Administrative safeguards: risk analysis, workforce training, access management, and an incident response process.
- Physical safeguards: facility access controls and device and media handling.
- Technical safeguards: access control, audit controls, integrity protection, and transmission security such as encryption.
Risk analysis is the foundation
A documented, current risk analysis is the single most important HIPAA artifact, and the most common thing regulators find missing. It identifies where PHI lives, the threats to it, and the safeguards that reduce the risk, and it drives the remediation you prioritise.
It is not a one-off. Update it when systems, vendors, or risks change, and keep the evidence that the safeguards actually operate.
How to evidence your programme
1. Map where PHI is stored, processed, and transmitted across your systems and vendors.
2. Maintain the administrative, physical, and technical safeguards with owners and review dates.
3. Keep your risk analysis current and track remediation to closure.
4. Sign and store a BAA with every covered entity customer and every sub-vendor that touches PHI.
5. Document your breach response so you can meet the notification timelines if you ever need to.
Frequently asked questions
Is there a HIPAA certification?
No. HIPAA has no official certificate or accrediting body. You demonstrate compliance through a documented safeguards programme, a current risk analysis, business associate agreements, and evidence that the safeguards operate. Third-party assessments can help, but they are not an official HIPAA certificate.
What is a business associate agreement (BAA)?
A BAA is the contract HIPAA requires between a covered entity and a business associate (and between a business associate and its sub-vendors) that handles PHI. It sets out each party's responsibilities for protecting PHI, reporting breaches, and returning or destroying data.
Does HIPAA apply to my software company?
If your software stores, processes, or transmits protected health information on behalf of a healthcare customer, you are very likely a business associate and HIPAA applies to you directly. If you never touch PHI, it generally does not.
Do this in a fraction of the time
Diligio centralises your approved answers, drafts each response grounded in your sources, and independently verifies it before you review. RFPs, DDQs, and security questionnaires, answered from one knowledge base.