Any company that creates, receives, maintains, or transmits protected health information (PHI). This includes healthcare providers, health plans, healthcare clearinghouses (covered entities), and any vendor or partner that handles PHI on their behalf (business associates). Common for healthtech startups, EHR vendors, telehealth platforms, and any SaaS company selling to hospitals or health systems.
HIPAA is a US federal law that sets rules for protecting health information. Passed in 1996, it applies to anyone who handles protected health information (PHI), which includes medical records, billing data, insurance claims, lab results, and anything else that ties a person's identity to their health status.
The law covers two broad groups: covered entities (healthcare providers, health plans, and clearinghouses) and business associates (any vendor or contractor that handles PHI on their behalf). If you're building software that touches patient data, you're almost certainly a business associate. That means HIPAA applies to you directly, not just to your healthcare customers.
One critical thing to understand upfront: there is no HIPAA certification. No government body will stamp your product as "HIPAA compliant." Compliance is a legal obligation you maintain continuously, not a credential you earn once.
HIPAA is actually a collection of rules, each covering different aspects of health data protection.
Privacy Rule. Controls who can access PHI and under what circumstances. Establishes patient rights like accessing their own records and requesting corrections. Applies to all forms of PHI, whether electronic, paper, or verbal. Sets the "minimum necessary" standard: only use the least amount of PHI needed for the task.
Security Rule. Specifically covers electronic PHI (ePHI). Requires three categories of safeguards: administrative (risk assessments, training, security officers), physical (facility access, workstation security, device controls), and technical (access controls, audit logs, encryption, transmission security). This is where the bulk of compliance work lives for tech companies.
Breach Notification Rule. If unsecured PHI is exposed, you must notify affected individuals within 60 days. Breaches affecting 500 or more people also require notifying HHS and local media. HHS publishes all large breaches on its public portal, sometimes called the "Wall of Shame."
Enforcement Rule. Gives the Office for Civil Rights (OCR) authority to investigate complaints, conduct audits, and impose penalties. Criminal violations are handled by the Department of Justice.
PHI is any health information that can be tied to a specific individual. HIPAA defines 18 identifiers that make health data "identifiable":
Names, addresses (anything more specific than state), dates related to the individual (birth, admission, discharge), phone numbers, email addresses, Social Security numbers, medical record numbers, health plan IDs, account numbers, device identifiers, IP addresses, biometric data, photographs, and any other unique identifier.
If you strip all 18 identifiers, the data is considered de-identified and HIPAA no longer applies. But modern re-identification techniques have made this harder than it sounds.
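As an added example (not code from the original page), here is a Safe Harbor style de-identifier run over a constructed record. It goes a little beyond the summary above by applying the rule's own allowances for years, three-digit ZIP codes and ages over 89, and it flags free-text fields that still look identifying, which is where the re-identification problem usually starts. Field names and the sample record are assumptions.

```python
"""Safe Harbor de-identification of one patient record.

Added example, not code from the original page. Field names are assumptions.
Drops direct identifiers from the 18-item list, generalises dates, ZIP codes
and ages as 45 CFR 164.514(b)(2) allows, and reports leftover identifiers.
"""
import re
from datetime import date

# Direct identifiers: dropped outright. (Assumed field names.)
DIRECT_IDENTIFIERS = {"name", "street", "city", "phone", "email", "ssn", "mrn",
                      "health_plan_id", "account_number", "device_id",
                      "ip_address", "biometric", "photo"}
# Dates tied to the individual: only the year may be kept.
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}
# Crude patterns for SSNs, phone numbers and e-mail addresses left in free text.
LEFTOVER = re.compile(r"\b\d{3}-\d{2}-\d{4}\b|\b\d{3}-\d{3}-\d{4}\b|@")

def safe_harbor(record: dict, today: date) -> tuple[dict, list[str]]:
    """Return (de-identified copy, warnings)."""
    out, warnings = {}, []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key in DATE_FIELDS:
            out[key] = value.year
        elif key == "zip":
            # ZIP3 may stay only if that area has >20,000 people (assumed here).
            out[key] = str(value)[:3] + "00"
        else:
            out[key] = value
    if "dob" in record:
        age = today.year - record["dob"].year  # year granularity is enough here
        if age >= 90:
            out["age"] = "90+"       # ages over 89 are aggregated...
            out.pop("dob", None)     # ...and the birth year would reveal them
        else:
            out["age"] = age
    # Structured stripping is not the whole job: free text smuggles PHI back in.
    for key, value in out.items():
        if isinstance(value, str) and LEFTOVER.search(value):
            warnings.append(f"{key}: still looks like it contains an identifier")
    return out, warnings

# Constructed sample record.
SAMPLE = {"name": "Jane Doe", "dob": date(1980, 5, 17), "zip": "02139",
          "admit_date": date(2024, 3, 2), "mrn": "MRN-12345",
          "diagnosis": "hypertension", "notes": "call 555-123-4567 re follow-up"}
```

A non-empty warnings list means the record is not de-identified yet, whatever the structured fields say.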
Covered entities: Hospitals, physician practices, dental offices, pharmacies, health insurance companies, Medicare/Medicaid programs, and healthcare clearinghouses. If you bill for healthcare services or process health insurance claims, you're a covered entity.
Business associates: This is the category that catches most tech companies. If you store, process, or transmit PHI on behalf of a covered entity, you're a business associate. Examples: EHR/EMR vendors, cloud hosting providers storing health data, billing services, IT support companies with access to clinical systems, analytics firms processing patient data, even shredding companies that destroy paper records.
Since the 2013 Omnibus Rule, business associates are directly liable for HIPAA compliance. Before that, liability only flowed through contracts. Now OCR can (and does) fine business associates directly.
The Security Rule is where companies spend most of their compliance effort. It's organized into three safeguard categories:
Administrative safeguards (the biggest category): risk analysis and risk management, workforce training, and a designated security officer.
Physical safeguards: facility access controls, workstation security, and device and media controls.
Technical safeguards: access controls, audit logs, encryption, and transmission security.
An important nuance: the Security Rule labels some specs as "required" and others as "addressable." Addressable does NOT mean optional. It means you must either implement the specification or document why an equivalent alternative is appropriate for your environment. OCR has fined organizations for treating "addressable" as "skip."
HIPAA penalties operate on a four-tier system based on the level of negligence:
The annual cap for identical violations is $2,190,294. Criminal penalties can reach $250,000 and 10 years in prison for offenses committed for commercial advantage.
These aren't theoretical numbers. Anthem paid $16 million in 2018 after a breach affecting 78.8 million people. In 2025, Solara Medical Supplies paid $3 million after a phishing attack exposed 114,000 individuals' data. OCR has been ramping up enforcement, with 21 financial penalty actions in 2025 alone.
Since there's no formal certification, "HIPAA compliance costs" really means the cost of building and maintaining the required safeguards:
Many companies also pursue HITRUST CSF certification as a way to demonstrate HIPAA compliance to customers. HITRUST maps directly to HIPAA requirements and provides the formal certification that HIPAA itself lacks. But it adds $40,000-$200,000+ to the cost and takes 6-12 months.
HIPAA's Security Rule requires continuous monitoring, not just periodic assessments. You need to track access controls, review audit logs, verify encryption status, manage employee training, and maintain evidence that all of this is actually happening.
Compliance automation platforms handle this by connecting to your cloud infrastructure, identity providers, and HR systems. They map controls directly to HIPAA requirements, pull evidence automatically, flag when something drifts out of compliance, and help you maintain the documentation that OCR expects to see during an investigation. All 17 tools in our database support HIPAA.
The alternative is spreadsheets, calendar reminders, and manual screenshots. It works at small scale, but it breaks down quickly as your infrastructure grows.
No risk analysis (or a stale one). This is the single most cited deficiency in OCR investigations. OCR launched a dedicated Risk Analysis Initiative in late 2024 and has been aggressively pursuing organizations that either skip the analysis entirely or did one five years ago and never updated it.
Missing Business Associate Agreements. Sharing PHI with a vendor without a signed BAA in place is itself a HIPAA violation. Both parties can be fined. The BAA must include specific provisions defined by HHS, including breach notification requirements, restrictions on PHI use, and obligations to return or destroy PHI at termination.
Unencrypted devices. Lost or stolen laptops and phones containing unencrypted ePHI remain a leading cause of breaches. Encryption is technically "addressable" under the Security Rule, but in practice there's almost never a valid reason not to encrypt.
Employee snooping. Staff accessing records of celebrities, coworkers, or family members without a business reason. The covered entity is liable even when the employee acted alone.
Treating the rules as static. HHS proposed a major Security Rule overhaul in January 2025 that would make MFA mandatory, require encryption everywhere, add penetration testing requirements, and eliminate the "addressable" designation entirely. The final rule timeline is uncertain, but the direction is clear: requirements are tightening.
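For the audit-log review and employee-snooping points above, an added example (not from the original page) that checks constructed EHR access log lines against a care-team roster and reports views with no documented relationship. The log format, roster, patient IDs and user names are assumptions.

```python
"""Flagging employee snooping in ePHI access logs.

Added example, not code from the original page. Log format, roster shape and
user names are assumptions. Each record access is compared with the patient's
care team; an access with no treatment relationship is a finding, and views
of coworkers' records or actions that export PHI are called out separately.
"""
from collections import namedtuple

Access = namedtuple("Access", "ts user patient action")

# Constructed audit log lines: timestamp, user, patient id, action.
SAMPLE_LOG = """\
2025-03-01T09:02:11Z,nurse_ali,P1001,VIEW
2025-03-01T09:05:40Z,dr_chen,P1001,VIEW
2025-03-01T12:14:03Z,clerk_raj,P2002,VIEW
2025-03-01T12:15:10Z,clerk_raj,P2002,PRINT
2025-03-01T18:41:55Z,nurse_ali,P3003,VIEW
"""
# Constructed roster: users with a documented treatment or billing relationship.
CARE_TEAM = {"P1001": {"nurse_ali", "dr_chen"}, "P2002": {"dr_chen"},
             "P3003": {"dr_chen"}}
# Constructed: patient ids that belong to staff members (coworker records).
EMPLOYEE_PATIENTS = {"P3003"}
# Actions that take PHI out of the system deserve a harder look.
EXPORT_ACTIONS = {"PRINT", "EXPORT", "DOWNLOAD"}

def parse_log(text: str) -> list:
    """Parse the comma-separated log into Access tuples, skipping blank lines."""
    return [Access(*line.split(",")) for line in text.splitlines() if line.strip()]

def find_snooping(accesses, care_team, employee_patients):
    """Return (user, patient, action, reason) for each unjustified access.
    Emergency (break-glass) access needs its own code and review; not modelled."""
    findings = []
    for a in accesses:
        if a.user in care_team.get(a.patient, set()):
            continue                       # on the care team: expected access
        reasons = ["no treatment relationship"]
        if a.patient in employee_patients:
            reasons.append("patient is a coworker")
        if a.action in EXPORT_ACTIONS:
            reasons.append("PHI left the system")
        findings.append((a.user, a.patient, a.action, "; ".join(reasons)))
    return findings

def run_sample():
    """Run the detector over the constructed log with the constructed roster."""
    return find_snooping(parse_log(SAMPLE_LOG), CARE_TEAM, EMPLOYEE_PATIENTS)
```

The roster is the hard part in practice: the check is only as good as the care-team and employee data it is compared against.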
| Platform | Starting Price | Best For | G2 Rating |
|---|---|---|---|
| Vanta | ~$10,000/yr | Compliance automation | 4.6 |
| Drata | ~$7,500/yr | Compliance automation | 4.8 |
| Secureframe | ~$7,500/yr | Compliance automation | 4.7 |
| Sprinto | ~$6,000/yr | Compliance automation | 4.8 |
| Thoropass | ~$8,700/yr | Compliance automation | 4.7 |
| Hyperproof | ~$12,000/yr | GRC platform | 4.5 |
| AuditBoard (Optro) | ~$30,000/yr | Audit management | 4.6 |
| Strike Graph | ~$9,000/yr | Compliance automation | 4.7 |
| Anecdotes | ~$20,000/yr | GRC platform | 4.8 |
| Tugboat Logic (OneTrust) | Contact sales | Compliance automation | 4.5 |
| Scytale | ~$7,500/yr | Compliance automation | 4.8 |
| Comp AI | ~$2,388/yr | Compliance automation | 4.7 |
| Scrut Automation | ~$15,000/yr | GRC platform | 4.9 |
| Oneleet | ~$12,000/yr | Mixed | 4.9 |
| Cypago | ~$60,000/yr | GRC platform | 4.5 |
| Apptega | ~$9,950/yr | GRC platform | 4.8 |
| Ostendio | ~$2,994/yr | GRC platform | 4.8 |