    HIPAA Compliance Checklist for SaaS Companies

    A comprehensive HIPAA compliance checklist for 2024. Navigate the Privacy Rule, Security Rule, and Breach Notification Rule with confidence.

    Heena Sharma
December 14, 2025 · 3 min read · 350 views

    Introduction to HIPAA Compliance

    The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data. Any organization that deals with protected health information (PHI) must ensure their physical, network, and process security measures are in place and followed. This includes Covered Entities (hospitals, doctors, insurers) and Business Associates (vendors, software providers like you).

    Who Needs to Be Compliant?

If your software creates, receives, stores, or transmits PHI on behalf of a Covered Entity (names, medical records, billing information, even email addresses or device identifiers tied to health data), you are almost certainly a Business Associate. Under HITECH, Business Associates are directly liable for the Security Rule, the Breach Notification Rule, and the Privacy Rule provisions that apply to them, and must sign a Business Associate Agreement with each Covered Entity they serve.

    1. The Privacy Rule Checklist

The Privacy Rule governs how PHI may be used and disclosed, and establishes the rights patients have over their own information.

    • Notice of Privacy Practices and Right of Access: Covered Entities must tell patients how their PHI is used and disclosed, and must respond to patient requests to access or amend their records (generally within 30 days). As a vendor, your product must let the Covered Entity fulfil those requests, including exporting a patient's data.
    • Authorized Access and Minimum Necessary: Ensure PHI is used only for treatment, payment, and healthcare operations (TPO) or another purpose the Rule permits, unless the patient has granted additional authorization. Even for permitted uses, limit access to the minimum necessary for the task.
    • Business Associate Agreements (BAAs): You must have a signed BAA with each Covered Entity whose PHI you handle, and with every subcontractor or vendor that touches that PHI (cloud hosts, email providers, analytics tools, support desks). Without a BAA, sending PHI to a vendor is itself an impermissible disclosure.
    • Training: Train all employees on what constitutes PHI and how to handle it.

    2. The Security Rule Checklist

    The Security Rule is the technical backbone of HIPAA. It outlines three types of safeguards: Administrative, Physical, and Technical.

    Administrative Safeguards

    These are your policies and procedures.

    • Security Officer: Designate a dedicated person responsible for security.
• Risk Assessment: Conduct and document a formal risk analysis covering every system that stores or processes PHI. HIPAA does not fix an interval, but annually and after any significant change (new product, new cloud region, new vendor) is the accepted practice. A missing or stale risk analysis is one of the most common findings in HHS enforcement actions.
    • Information Access Management: Implement "Least Privilege"—employees should only access data necessary for their role.
    • Workforce Training: Regular security awareness training is non-negotiable.

    Physical Safeguards

    Protection of physical systems and data.

    • Facility Access Controls: Lock your server rooms. Restrict office access.
    • Workstation Use: Lock screens when away. Do not write passwords on sticky notes.
• Device and Media Controls: Documented procedures for wiping or destroying hard drives, backup media, and decommissioned cloud volumes, plus an inventory that tracks where every device holding PHI is at all times.

    Technical Safeguards

    The "IT" side of compliance, crucial for software companies.

• Access Control: Unique user IDs (required), an emergency access procedure (required), automatic logoff (addressable), and encryption of stored PHI (addressable). In practice also enforce strong passwords and Multi-Factor Authentication (MFA); shared or service accounts that can read PHI are an audit finding waiting to happen.
    • Audit Controls: You must log who accessed which record, what they did, and when, and review those logs. The six-year retention requirement in the Security Rule applies to compliance documentation (policies, procedures, assessments, and records of actions taken); most organizations apply the same six years to audit logs so that an investigation can be reconstructed.
    • Integrity: Ensure PHI cannot be improperly modified or destroyed, and that you would notice if it were. Mechanisms such as checksums, hash-chained or write-once logs, backups, and alerts on unexpected changes are typical.
    • Person or Entity Authentication: Verify the identity of anyone (and any system) seeking access to PHI before granting it.
    • Transmission Security: Encryption is an addressable specification, but the expected baseline today is TLS 1.2 or higher for all data in transit and AES-256 (or equivalent) for data at rest. Because a lost encrypted device is not a reportable breach under the HHS guidance, encryption is also your cheapest breach-prevention control.
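The three list items above on Access Control, Audit Controls, and Integrity are the ones a SaaS engineering team actually has to build. The following is an added example (not code from the article or from any particular product) of how they fit together: a least-privilege gate that checks a role policy before releasing a record, an audit log that records every decision including denials, and an HMAC-chained log format so that an edited or deleted entry is detectable. The role names, the permission map, the user and patient identifiers, and the demo key are all assumptions constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Hypothetical role-to-action policy (minimum necessary): each role may only
# perform the actions it needs. "support" deliberately has no PHI access.
ROLE_PERMISSIONS = {
    "physician": {"read_record", "write_record"},
    "billing": {"read_billing"},
    "support": set(),
}

GENESIS = "0" * 64  # "previous MAC" value carried by the first entry


class AuditLog:
    """Append-only audit trail. Every entry carries the MAC of the entry before
    it, and each MAC is an HMAC-SHA256 over the entry body, so altering,
    reordering or deleting any record invalidates every record after it."""

    def __init__(self, key: bytes):
        self._key = key          # keep this key outside the application database
        self.entries = []
        self._prev = GENESIS

    @staticmethod
    def _mac(key: bytes, body: dict) -> str:
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(key, payload, hashlib.sha256).hexdigest()

    def record(self, user_id: str, patient_id: str, action: str,
               allowed: bool, when: Optional[datetime] = None) -> dict:
        """Log who touched which patient's data, what they did, and whether
        the access was permitted. Denied attempts are logged too: a run of
        denials from one account is the 'snooping' signal reviewers look for."""
        body = {
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
            "user": user_id,
            "patient": patient_id,
            "action": action,
            "allowed": allowed,
            "prev": self._prev,
        }
        entry = dict(body, mac=self._mac(self._key, body))
        self._prev = entry["mac"]
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Re-walk the chain; False means the log was tampered with."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "mac"}
            if not hmac.compare_digest(self._mac(self._key, body), entry["mac"]):
                return False
            prev = entry["mac"]
        return True


def access_phi(log: AuditLog, user_id: str, role: str,
               patient_id: str, action: str) -> dict:
    """Least-privilege gate: check the role policy, log the decision either
    way, then refuse or return the audit entry for the permitted access."""
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    entry = log.record(user_id, patient_id, action, allowed)
    if not allowed:
        raise PermissionError(f"{user_id} ({role}) may not {action} on {patient_id}")
    return entry


if __name__ == "__main__":
    log = AuditLog(key=b"constructed-demo-key-rotate-in-production")
    access_phi(log, "dr_smith", "physician", "patient-1001", "read_record")
    try:
        access_phi(log, "helpdesk_01", "support", "patient-1001", "read_record")
    except PermissionError as err:
        print("denied:", err)
    print("log intact:", log.verify())
    log.entries[0]["patient"] = "patient-9999"   # simulate an edited record
    print("log intact after tampering:", log.verify())
```

In a real deployment the HMAC key lives in a KMS or HSM rather than next to the log, the entries are shipped to append-only storage that the application's own credentials cannot modify, and `verify()` runs on a schedule from a separate account. The point the example makes is that "who accessed what, and when" is only evidence if the record itself cannot be quietly rewritten.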

    3. The Breach Notification Rule

    If things go wrong, you must have a plan.

    • Incident Response Plan: A documented process for investigating and responding to security incidents.
• Notification Timeline: Affected individuals must be notified without unreasonable delay and no later than 60 calendar days after the breach is discovered. Breaches affecting 500 or more individuals must be reported to HHS within the same 60-day window; smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year. As a Business Associate, your obligation is to notify the Covered Entity without unreasonable delay (and within 60 days at most), so your BAA should state a much shorter internal deadline.
    • Media Notice: Breaches affecting more than 500 residents of a single state or jurisdiction require notifying prominent media outlets serving that area, in addition to individual and HHS notice.

    Required vs. Addressable Specifications

The Security Rule labels each implementation specification as either "Required" (you MUST do it) or "Addressable".

    Addressable does not mean optional. It means you must implement it, OR implement an alternative measure that achieves the same result, OR document why it's not reasonable to implement.

    Common HIPAA Violations to Avoid

    1. Lack of Encryption: Lost laptops with unencrypted drives are a top cause of fines.
    2. Snooping: Employees looking at records they don't need to see.
    3. Improper Disposal: Throwing paper records in the trash instead of shredding.
    4. Missing BAAs: Using a vendor (like a cloud host) without a BAA.

    Conclusion

    HIPAA compliance is not a one-time project; it is a culture of continuous monitoring and improvement. Use this checklist as a starting point to build a robust compliance program that protects your patients and your business.

Heena Sharma, Founder & Compliance Consultant
    Published: December 14, 2025
    Updated: May 21, 2026
