Does HIPAA apply to my software company or service?

A simple decision guide for vendors wondering if they are in HIPAA's world.

TL;DR

If you create, receive, maintain, or transmit identifiable patient information for a healthcare customer, assume HIPAA applies and you need a BAA—unless counsel confirms a narrow exception.

Updated 2026-04-21

HIPAA is not a general "all software" law. It kicks in when your service touches patient information on behalf of a healthcare organization (or another business associate further down the chain).

The plain-English test

Ask your team:

  1. Do we store or process names, clinical values, insurance numbers, or scheduling details tied to care?
  2. Did a clinic or hospital hire us because we touch that data?

If yes, you are probably a business associate for HIPAA purposes.

Examples where HIPAA commonly applies

  • EHR, billing, RCM, and clearinghouse integrations.
  • Cloud hosting where patient databases live.
  • CRM or support tools that pull ticket content with PHI.
  • Analytics pipelines fed with identifiable clinical feeds.

Examples that might not apply (still verify)

  • Generic payroll with no health details.
  • Public website hosting with no access to patient records—until you add a portal feature that does.

Never guess based on marketing copy alone—map actual data flows.

What you should do next

  • Sign BAAs when required.
  • Document subprocessors and flow-down duties.
  • Implement access controls, encryption, and logging proportional to risk.
  • Read our deeper guide: HIPAA for SaaS companies

Not legal advice. Educational overview only; consult qualified counsel for your situation.