
HIPAA for software companies (the short version)

If your product touches patient data for healthcare customers, here is how to think about BAAs, security, and subprocessors.

TL;DR

Map where PHI lives in your stack, sign BAAs where required, log access, encrypt data in transit and at rest, and contractually pass duties to subprocessors.

Updated 2026-04-21

Product-led teams often discover HIPAA mid-sale when a hospital asks for a BAA. Use this page as a conversation starter with engineering and legal, not a substitute for counsel.

Know your data map

List every database, log store, support tool, and analytics pipeline that could hold patient identifiers together with health context; that combination is PHI. If you cannot draw it on a whiteboard, you are not ready to sign attestations.

Security basics customers expect

  • Unique accounts and role-based access for your staff.
  • Encryption for data at rest and in transit for PHI systems.
  • Audit logs that prove who touched what.
  • Backups that are encrypted and tested.
  • Incident response runbooks with customer notification timelines from your BAA.

Subprocessors

If AWS, GCP, email, or ticketing vendors touch PHI, they need appropriate agreements (a BAA, where the vendor is acting as your business associate) and a risk review. Customers will ask for your subprocessor list.
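The data map, the security basics list, and the subprocessor question above come together in one engineering artifact: an inventory of systems and the flows between them, from which you can compute where PHI actually ends up and which of those places lack the baseline controls. The following is an added example, not code from the original page. It assumes a small constructed inventory with placeholder vendor names (LogVendor, TicketVendor, CloudVendor, AnalyticsVendor are not real products), and treats a system as holding PHI when identifiers and health context coexist there, either because it stores both directly or because an upstream flow carries them in.

```python
"""Added example (not from the original page): infer where PHI lives in a
SaaS stack and flag which PHI-holding systems lack the baseline controls
the page lists. The inventory below is constructed for illustration."""
from dataclasses import dataclass, field

IDENTIFIERS = "identifiers"      # names, emails, MRNs, device ids ...
HEALTH = "health_context"        # diagnoses, treatment, appointments ...


@dataclass
class System:
    name: str
    operator: str                              # "self" or the vendor's name
    stores: set = field(default_factory=set)   # data classes written here directly
    encrypted_at_rest: bool = False
    encrypted_in_transit: bool = False
    audit_logging: bool = False
    baa_signed: bool = False                   # only relevant when operator != "self"


@dataclass
class Flow:
    src: str
    dst: str
    deidentified: bool = False                 # identifiers stripped before sending


def propagate(systems, flows):
    """Follow every flow to a fixed point and return {system: data classes held}.

    A destination inherits whatever its sources hold, minus identifiers on
    flows marked de-identified. Iterating until nothing changes handles
    chains (db -> logs -> SIEM) and cycles without special cases.
    """
    classes = {s.name: set(s.stores) for s in systems}
    changed = True
    while changed:
        changed = False
        for f in flows:
            carried = set(classes[f.src])
            if f.deidentified:
                carried.discard(IDENTIFIERS)
            if not carried <= classes[f.dst]:
                classes[f.dst] |= carried
                changed = True
    return classes


def holds_phi(data_classes):
    """PHI = identifiers and health context held together in one place."""
    return IDENTIFIERS in data_classes and HEALTH in data_classes


def find_gaps(systems, flows):
    """Return {system: [missing controls]} for every system that ends up with PHI.

    An empty list means the system holds PHI but meets the baseline; systems
    without PHI are omitted, so the result doubles as the PHI footprint.
    """
    by_name = {s.name: s for s in systems}
    gaps = {}
    for name, dc in propagate(systems, flows).items():
        if not holds_phi(dc):
            continue
        s = by_name[name]
        missing = []
        if not s.encrypted_at_rest:
            missing.append("encryption at rest")
        if not s.encrypted_in_transit:
            missing.append("encryption in transit")
        if not s.audit_logging:
            missing.append("audit logging")
        if s.operator != "self" and not s.baa_signed:
            missing.append(f"BAA with {s.operator}")
        gaps[name] = missing
    return gaps


# Constructed inventory: vendor names are placeholders, not real products.
SYSTEMS = [
    System("app_db", "self", {IDENTIFIERS, HEALTH}, True, True, True),
    System("app_logs", "LogVendor", set(), True, True, False, False),
    System("siem", "self", set(), True, True, True),
    System("analytics", "AnalyticsVendor", set(), True, True, False, False),
    System("support_desk", "TicketVendor", {IDENTIFIERS}, True, True, True, False),
    System("backups", "CloudVendor", set(), False, True, True, True),
]
FLOWS = [
    Flow("app_db", "app_logs"),                      # request logs include patient fields
    Flow("app_logs", "siem"),                        # logs forwarded on; PHI travels too
    Flow("app_db", "analytics", deidentified=True),  # events stripped of identifiers
    Flow("app_db", "support_desk"),                  # staff attach records to tickets
    Flow("app_db", "backups"),                       # nightly snapshots
]

if __name__ == "__main__":
    for system, missing in find_gaps(SYSTEMS, FLOWS).items():
        print(f"{system}: {', '.join(missing) or 'baseline met'}")
```

Two things the paragraph alone does not show: the log vendor and the SIEM end up holding PHI even though nobody stores patient data in them on purpose, which is why they need a BAA and audit logging just like the primary database; and the analytics pipeline drops out of the PHI footprint only because its inbound flow is marked de-identified, so that de-identification step is itself a control worth verifying.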

Go deeper

Pair this Basics page with HIPAA for SaaS companies for a longer operational read.

Not legal advice. Educational overview only; consult qualified counsel for your situation.