
Does HIPAA apply to my software company or service?

A simple decision guide for vendors wondering if they are in HIPAA's world.

TL;DR

If you create, receive, maintain, or transmit identifiable patient information for a healthcare customer, assume HIPAA applies and you need a BAA, unless counsel confirms a narrow exception.

Updated 2026-04-21

HIPAA is not a general "all software" law. It applies to your service when that service touches identifiable patient information on behalf of a covered entity such as a clinic, hospital, or health plan (or on behalf of another business associate further down the chain, which makes you a subcontractor business associate with the same obligations).

The plain-English test

Ask your team:

  1. Do we create, receive, store, process, or transmit names, clinical values, insurance or member numbers, or scheduling details tied to a person's care?
  2. Did a clinic, hospital, health plan, or one of their vendors hire us because our service touches that data?

If yes, you are probably a business associate for HIPAA purposes.

Examples where HIPAA commonly applies

  • EHR, billing, RCM, and clearinghouse integrations.
  • Cloud hosting where patient databases live.
  • CRM or support tools that pull ticket content with PHI.
  • Analytics pipelines fed with identifiable clinical feeds.

Examples that might not apply (still verify)

  • Generic payroll with no health details.
  • Public website hosting with no access to patient records. This stops being true the moment you add a portal, intake form, or chat feature that collects or displays patient data.

Never decide based on marketing copy or contract labels alone; map the actual data flows (what enters your systems, where it is stored, who can see it, and where it goes next) and answer the questions from that map.

What you should do next

  • Sign a BAA with each covered entity or business associate customer before PHI flows, not after.
  • Document your subprocessors and flow down the same obligations to them in writing.
  • Implement access controls, encryption in transit and at rest, and audit logging proportional to the risk your data flows carry, and record the risk analysis that justifies those choices.
  • Read our deeper guide: HIPAA for SaaS companies

Not legal advice. Educational overview only; consult qualified counsel for your situation.