medcomply.ai
Intel
The HIPAA Security Rule — A Complete Guide for 2026 · Security RuleUnderstanding the HIPAA Breach Notification Rule · Data BreachHIPAA breach notification overview · Data BreachHow to respond to a HIPAA breach · Data BreachHIPAA compliance checklist for covered entities · AnalysisOCR audit preparation checklist and evidence map · OCR EnforcementPatient rights under HIPAA: practical guide · Rule UpdateHIPAA staff training requirements and cadence · AnalysisHIPAA for SaaS and technology vendors · SaaS & TechnologyHIPAA Security Rule overview for compliance teams · Security RuleWhat is a Business Associate Agreement (BAA)? · BAAWhat counts as PHI under HIPAA? · Privacy RuleThe HIPAA Security Rule — A Complete Guide for 2026 · Security RuleUnderstanding the HIPAA Breach Notification Rule · Data BreachHIPAA breach notification overview · Data BreachHow to respond to a HIPAA breach · Data BreachHIPAA compliance checklist for covered entities · AnalysisOCR audit preparation checklist and evidence map · OCR EnforcementPatient rights under HIPAA: practical guide · Rule UpdateHIPAA staff training requirements and cadence · AnalysisHIPAA for SaaS and technology vendors · SaaS & TechnologyHIPAA Security Rule overview for compliance teams · Security RuleWhat is a Business Associate Agreement (BAA)? · BAAWhat counts as PHI under HIPAA? · Privacy Rule
Beginnervendor

HIPAA for software companies (the short version)

If your product touches patient data for healthcare customers, here is how to think about BAAs, security, and subprocessors.

TL;DR

Map where PHI lives in your stack, sign BAAs where required, log access, encrypt data in transit and at rest, and contractually pass duties to subprocessors.

Updated 2026-04-21

Product-led teams often discover HIPAA mid-sale when a hospital asks for a BAA. Use this page as a conversation starter with engineering and legal—not a substitute for counsel.

Know your data map

List every database, log store, support tool, and analytics pipeline that could hold identifiers + health context. If you cannot draw it on a whiteboard, you are not ready to sign attestations.

Security basics customers expect

  • Unique accounts and role-based access for your staff.
  • Encryption for data at rest and in transit for PHI systems.
  • Audit logs that prove who touched what.
  • Backups that are encrypted and tested.
  • Incident response runbooks with customer notification timelines from your BAA.

Subprocessors

If AWS, GCP, email, or ticketing vendors touch PHI, they need appropriate agreements and risk review. Customers will ask for your list.

Go deeper

Pair this Basics page with HIPAA for SaaS companies for a longer operational read.

Keep reading

Next in your reading path → What should I do if I think something went wrong?

Not legal advice. Educational overview only; consult qualified counsel for your situation.