
What is HIPAA Compliance?

HIPAA is the US law that governs how patient health information is collected, stored, used, and disclosed, applying both to the healthcare organizations that originally generate the data and to the software vendors and contractors who handle it on their behalf.

The three rules that matter

The Privacy Rule defines how PHI may be used and disclosed — patients have rights to access their records, see who else has accessed them, and request restrictions. The Security Rule covers the technical and administrative safeguards required for electronic PHI — access controls, audit logs, transmission security, contingency planning. The Breach Notification Rule sets out what to do when something goes wrong — notify affected individuals, sometimes the HHS Office for Civil Rights, sometimes the media if the breach affects more than 500 people in a state.

PHI is broader than you think

Protected Health Information is any health data linked to one of 18 identifiers — name, address, dates, phone, email, SSN, medical record number, account number, license number, vehicle ID, biometric, photo, or any other unique identifier. The bar is low. An appointment reminder email referencing a doctor's name is PHI. A spreadsheet of patient first names with their medications is PHI. Treating any of it casually is the fast path to a costly OCR investigation.

Penalties — what enforcement actually looks like

HIPAA penalties are tiered by culpability. Tier one (the entity did not know and could not reasonably have known): up to $69K per violation. Tier two (reasonable cause, not willful neglect): higher. Tier three (willful neglect, corrected within 30 days) and tier four (willful neglect, not corrected) escalate to the annual cap, currently over $2 million per violation category per year. The Office for Civil Rights also imposes corrective action plans that often outlast any fine. The lesson: HIPAA is not a fine-only regime; it is a regulator-on-your-back regime.

Business Associate Agreements

If your software handles PHI on behalf of a covered entity, you are a business associate and you must sign a BAA with that customer. You must also have BAAs with every vendor below you that touches PHI — your cloud provider, your email sender, your error monitoring service, your database backup vendor. Skipping any of those is a HIPAA violation regardless of whether anything bad has happened yet.

At QUANT LAB

Healthcare software is a serious slice of our industry work — telehealth platforms, EHR-adjacent tooling, scheduling and billing systems. Every HIPAA-bound build we ship runs on AWS or Azure under a BAA, encrypts PHI at rest and in transit, ships full audit logging of every PHI access, and uses tenant-isolated Postgres for storage. Our penetration tests on healthcare systems are scoped against both HIPAA's technical safeguards and the OWASP Top 10. We sign mutual BAAs with every client where PHI is in play.

HIPAA does not preempt state privacy laws

HIPAA is a floor, not a ceiling. State laws — California's CMIA, New York's SHIELD Act, Texas's HB 300, Washington's My Health My Data Act — add requirements on top, sometimes substantially. Patient consent, breach reporting timelines, and the definition of health information vary across states. Building a national telehealth product means designing to the strictest applicable rule, not just HIPAA. The same applies to international expansion, where GDPR and equivalents take over for European users.

Building HIPAA-bound software?

We design HIPAA-aware platforms from the first commit so retrofits do not eat your roadmap. Book a 30-minute call.
