A practical checklist covering all HIPAA requirements for software companies handling protected health information.
If your SaaS company handles Protected Health Information (PHI) for healthcare clients, HIPAA compliance isn't optional—it's essential. This checklist breaks down every requirement into actionable items.
Understanding HIPAA for SaaS Companies
The Health Insurance Portability and Accountability Act (HIPAA) applies to Covered Entities (healthcare providers, health plans, clearinghouses) and to their Business Associates: any organization that creates, receives, maintains, or transmits PHI on a Covered Entity's behalf, which includes SaaS companies that handle PHI. A subcontractor that handles PHI on a Business Associate's behalf is itself a Business Associate.
As a Business Associate, you must sign a Business Associate Agreement (BAA) with each healthcare client and comply with HIPAA's Security Rule in full, and with the Privacy Rule and Breach Notification Rule to the extent they apply to you and your BAA. Since the 2013 Omnibus Rule, Business Associates are directly liable for violations.
Administrative Safeguards Checklist
Security management process: Implement policies and procedures to prevent, detect, contain, and correct security violations. This includes a documented risk analysis, a risk management plan that tracks remediation, a sanction policy for workforce members who violate policy, and regular review of system activity (audit logs, access reports).
Assigned security responsibility: Designate a security official responsible for developing and implementing security policies.
Workforce security: Implement policies ensuring that workforce members have appropriate access to PHI. Include authorization and supervision, workforce clearance, and termination procedures that revoke access promptly when someone leaves or changes roles.
Information access management: Implement policies for authorizing access to PHI. Include role-based access and procedures for establishing, modifying, and reviewing access rights.
Security awareness and training: Provide regular security training to all workforce members. Include phishing awareness, password management, protection from malicious software, and log-in monitoring.
Security incident procedures: Implement policies for identifying, responding to, and reporting security incidents, and document each incident and its outcome.
Contingency plan: Establish data backup, disaster recovery, and emergency mode operation plans, and test them periodically so they work when needed.
Evaluation: Perform periodic technical and non-technical evaluations of security policies and procedures, and repeat them whenever environmental or operational changes affect the security of PHI.
Business associate contracts: Obtain satisfactory assurances, in the form of a BAA, from any subcontractor that handles PHI on your behalf, including your cloud hosting provider.
Physical Safeguards Checklist
Facility access controls: Limit physical access to facilities and systems containing PHI while ensuring that authorized access is still possible. For a SaaS company running in a cloud provider's data centers, this control is largely inherited from the provider under your BAA with it, but your own offices and equipment remain in scope.
Workstation use and security: Implement policies specifying proper use of and physical safeguards for workstations that access PHI, including laptops used by remote staff.
Device and media controls: Implement policies for the disposal, re-use, and tracking of hardware and media containing PHI, and for backing up PHI before equipment is moved.
Technical Safeguards Checklist
Access control: Implement unique user identification (no shared accounts), emergency access procedures, automatic logoff after a period of inactivity, and encryption of PHI at rest. Automatic logoff and encryption are "addressable" specifications, meaning you must implement them or document why an equivalent alternative is reasonable; in practice, treat both as required.
Audit controls: Implement hardware, software, and procedural mechanisms to record and examine activity in systems that contain or use PHI. Log who accessed which record, when, and what they did, and actually review those logs.
Integrity: Implement policies and mechanisms to protect PHI from improper alteration or destruction, including a way to verify that stored PHI has not been altered (for example, checksums or signed records).
Person or entity authentication: Implement procedures to verify that persons or entities seeking access to PHI are who they claim to be. Multi-factor authentication is not explicitly mandated by the current Security Rule, but it is the practical baseline for workforce and customer administrator logins.
Transmission security: Implement technical measures to guard against unauthorized access to PHI in transit over networks, such as TLS for all client and service-to-service connections, plus integrity controls that detect modification in transit.
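As an added example (not code from the original page), the Python below shows one way the access-control, audit-control, and integrity standards above can be implemented in application code: every PHI access is written to an append-only audit log whose entries are hash-chained and HMAC-signed so that edits or deletions are detectable, and an idle-timeout check implements automatic logoff. The key, the 15-minute timeout, and the sample events are constructed for the example; in production the key would come from a secrets manager and the timeout from your documented policy.

```python
"""Tamper-evident PHI access audit log plus automatic-logoff check.

Added illustration only; not from the original page. The key, timeout
and sample events are constructed for the example.
"""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from typing import Optional

# Constructed key for the example. In production, load it from a secrets
# manager or KMS; never hard-code it.
AUDIT_KEY = b"example-audit-key-do-not-use-in-production"

# Assumed policy value: log a session off after 15 minutes of inactivity.
IDLE_TIMEOUT_SECONDS = 15 * 60

# Link value for the first entry, so every entry has a predecessor to chain to.
GENESIS = "0" * 64


@dataclass(frozen=True)
class AuditEvent:
    ts: int           # epoch seconds of the access
    user_id: str      # unique user identifier (no shared accounts)
    action: str       # "read", "update", "export", ...
    patient_id: str   # record identifier only, never the PHI itself
    outcome: str      # "allowed" or "denied"
    prev_hash: str    # SHA-256 of the previous entry (hash chain)
    mac: str          # HMAC-SHA256 over all other fields, prev_hash included


def _canonical(fields: dict) -> bytes:
    """Stable byte encoding so MACs and hashes are reproducible."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def _mac(fields: dict) -> str:
    return hmac.new(AUDIT_KEY, _canonical(fields), hashlib.sha256).hexdigest()


def _entry_hash(event: AuditEvent) -> str:
    return hashlib.sha256(_canonical(asdict(event))).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: list[AuditEvent] = []

    def append(self, ts: int, user_id: str, action: str,
               patient_id: str, outcome: str) -> AuditEvent:
        prev_hash = _entry_hash(self.entries[-1]) if self.entries else GENESIS
        fields = dict(ts=ts, user_id=user_id, action=action,
                      patient_id=patient_id, outcome=outcome, prev_hash=prev_hash)
        event = AuditEvent(mac=_mac(fields), **fields)
        self.entries.append(event)
        return event

    def verify(self) -> Optional[int]:
        """Return the index of the first entry whose MAC or chain link is bad,
        or None if the whole log is intact."""
        prev_hash = GENESIS
        for i, e in enumerate(self.entries):
            fields = asdict(e)
            stored_mac = fields.pop("mac")
            if e.prev_hash != prev_hash or not hmac.compare_digest(stored_mac, _mac(fields)):
                return i
            prev_hash = _entry_hash(e)
        return None


def session_expired(last_activity_ts: int, now_ts: int) -> bool:
    """Automatic logoff: True once a session has been idle for the policy limit."""
    return now_ts - last_activity_ts >= IDLE_TIMEOUT_SECONDS


def demo() -> tuple:
    """Build a small log from constructed events, then tamper with a copy."""
    log = AuditLog()
    log.append(1_700_000_000, "nurse-42", "read", "pt-1001", "allowed")
    log.append(1_700_000_030, "nurse-42", "read", "pt-1002", "allowed")
    log.append(1_700_000_060, "billing-7", "export", "pt-1001", "denied")

    # Someone rewrites the denied export as "allowed" in a copy of the log.
    tampered = AuditLog()
    tampered.entries = list(log.entries)
    original = tampered.entries[2]
    tampered.entries[2] = AuditEvent(**{**asdict(original), "outcome": "allowed"})

    # Intact log verifies as None; the tampered copy points at index 2.
    return log.verify(), tampered.verify()


if __name__ == "__main__":
    print(demo())
```

A chain like this detects modification or removal of any entry except truncation of the tail; to catch that, periodically record the latest entry hash somewhere the application cannot overwrite (for example, write-once object storage) and compare it during log review. Log record identifiers rather than the PHI itself so the audit trail does not become one more PHI store that has to be protected.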
Breach Notification Requirements
If unsecured PHI is breached (PHI that was not encrypted or destroyed in line with HHS guidance; a lost laptop whose disk was encrypted with a key that was not also compromised is not a reportable breach), the Breach Notification Rule requires:
- Notification of affected individuals without unreasonable delay and no later than 60 days after discovery
- Notification of the HHS Secretary within the same 60-day window for breaches affecting 500 or more individuals; smaller breaches may be logged and reported to HHS annually, within 60 days of the end of the calendar year in which they were discovered
- Notification of prominent media outlets for breaches affecting more than 500 residents of a single state or jurisdiction
- As a Business Associate, notification of the Covered Entity (your healthcare client) without unreasonable delay and no later than 60 days after discovery. The individual, HHS, and media notifications are the Covered Entity's responsibility unless your BAA delegates them to you, and BAAs commonly set a much shorter deadline for your report to the client than the 60-day maximum.
Documentation Requirements
HIPAA requires you to retain required documentation for 6 years from the date it was created or the date it was last in effect, whichever is later. Key documents include:
- Risk assessments and remediation plans
- Security policies and procedures
- Business Associate Agreements
- Training records
- Incident response records
- Audit logs and access records
Common HIPAA Mistakes to Avoid
- ❌ Assuming cloud providers handle compliance: A hosting provider's own HIPAA program does not make you compliant. You need a BAA with the provider, must use only the services that BAA covers, and remain responsible for how you configure and use them (encryption settings, access policies, logging)
- ❌ Not having a signed BAA: You cannot handle PHI without one
- ❌ Insufficient access controls: Apply the minimum necessary standard. Not everyone needs access to all PHI, and support and engineering staff rarely need production PHI at all
- ❌ Skipping encryption: Encrypt PHI both at rest and in transit using methods consistent with HHS guidance. Properly encrypted PHI is not "unsecured", so losing it is not a reportable breach; unencrypted PHI is
- ❌ Neglecting training: Human error is a leading cause of breaches
- ❌ No incident response plan: The 60-day notification clock starts at discovery, which is the day the breach was known or reasonably should have been known, and your BAAs usually require faster reporting to clients. Have a tested plan before you need it
Next Steps
Use this checklist as a starting point for your HIPAA compliance program. Remember that HIPAA compliance is an ongoing process, not a one-time achievement. Regular risk assessments, training updates, and policy reviews are essential.
Need help implementing these requirements? Our team has helped dozens of SaaS companies achieve HIPAA compliance efficiently and cost-effectively.
