Cyber Horizon
HIPAA · Healthcare · Privacy

HIPAA Compliance for Health-Tech Companies: A Practical Guide

5 June 2026·9 min read·Cyber Horizon Team

If your product touches US health data, HIPAA is unavoidable — and misunderstood. The biggest myth is that you can become “HIPAA certified.” You cannot: there is no official HIPAA certification. What you can do is build and evidence a compliant programme, which is exactly what your healthcare customers will require before they sign.

Practical guidance, not legal advice — confirm specifics with qualified counsel.

Are you a business associate?

HIPAA distinguishes covered entities (providers, health plans, clearinghouses) from business associates — vendors that handle protected health information (PHI) on their behalf. Most health-tech and SaaS companies are business associates. That status triggers direct obligations under the Security Rule and the requirement to sign a Business Associate Agreement (BAA) with every customer and downstream sub-processor that touches PHI.

The three rules that matter

Privacy Rule: Governs how PHI may be used and disclosed, including the minimum-necessary principle.
Security Rule: Requires administrative, physical and technical safeguards for electronic PHI (ePHI).
Breach Notification Rule: Sets out who you must notify, and how quickly, after a breach of unsecured PHI. For a business associate this means notifying the affected covered entity without unreasonable delay and no later than 60 calendar days after discovery; most BAAs contractually shorten that window.

The Security Rule safeguards

The Security Rule organises requirements into three categories. Administrative safeguards include your risk analysis, workforce training, and access management. Physical safeguards cover facility and device controls. Technical safeguards include access controls, audit logging, integrity protection, and transmission security. Some requirements are “required” and some “addressable” — addressable does not mean optional; it means you implement it or document a reasoned alternative.

The risk analysis is non-negotiable

A documented, organisation-wide risk analysis of how you create, receive, maintain and transmit ePHI is the cornerstone of the Security Rule — and the most commonly cited gap in enforcement actions. It is not a one-off; it must be reviewed and updated as your systems change. If you have read our guide to building a risk register, this is that discipline applied specifically to PHI.

A starting checklist for health-tech

Confirm your role (almost always a business associate) and sign BAAs both ways.
Complete and document a thorough ePHI risk analysis.
Encrypt ePHI in transit and at rest, and enable audit logging. Encryption is an addressable specification, but PHI encrypted to the HHS guidance standard counts as “secured”, so losing an encrypted device or backup is not a notifiable breach; losing an unencrypted one is.
Lock down access on a least-privilege, role-based basis with MFA.
Train your workforce and keep records of it.
Write and test a breach-response plan with defined notification timelines.
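The access-control, audit-logging and integrity items above are technical safeguards you will be asked to evidence in code, not just in policy. The following is an added illustration written for this article, not code from the page or from any product it mentions: it models minimum-necessary role-based access to ePHI, refuses access without MFA, logs every attempt (including denials), and keeps the audit trail in a hash chain so that edits or deletions are detectable. Role names, field names, user identifiers and the patient records are all constructed, fictional assumptions.

```python
"""Added example: minimum-necessary RBAC plus a tamper-evident audit trail for ePHI.
Illustrative only; roles, fields and records below are assumed, not from the page."""
import hashlib
import json
from dataclasses import dataclass, field

# Constructed sample ePHI records (fictional people and values).
PATIENTS = {
    "p-001": {"name": "A. Example", "dob": "1980-01-01",
              "diagnosis": "J45.20", "billing_code": "99213"},
    "p-002": {"name": "B. Sample", "dob": "1975-06-30",
              "diagnosis": "E11.9", "billing_code": "99214"},
}

# Minimum-necessary view per role (assumed role and field names).
ROLE_FIELDS = {
    "clinician": {"name", "dob", "diagnosis"},
    "billing":   {"name", "billing_code"},
    "support":   set(),   # may confirm a record exists but sees no PHI fields
}


@dataclass
class User:
    user_id: str
    role: str
    mfa_verified: bool


@dataclass
class AuditLog:
    """Append-only audit trail. Each entry carries the SHA-256 of the previous
    entry, so editing or deleting any entry breaks the chain on verify()."""
    entries: list = field(default_factory=list)

    def _digest(self, entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor: str, role: str, patient_id: str,
               fields: list, outcome: str) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"seq": len(self.entries), "actor": actor, "role": role,
                 "patient": patient_id, "fields": sorted(fields),
                 "outcome": outcome, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)

    def verify(self) -> bool:
        """Recompute every digest and link; False on any gap, edit or reorder."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or e["hash"] != self._digest(e):
                return False
            prev = e["hash"]
        return True


def access_phi(user: User, patient_id: str, log: AuditLog) -> dict:
    """Return only the fields the caller's role needs. Every attempt is logged,
    denials included, before the caller learns the outcome."""
    if not user.mfa_verified:
        log.record(user.user_id, user.role, patient_id, [], "denied:no-mfa")
        raise PermissionError("MFA required for ePHI access")
    allowed = ROLE_FIELDS.get(user.role)
    if allowed is None:
        log.record(user.user_id, user.role, patient_id, [], "denied:unknown-role")
        raise PermissionError(f"role {user.role!r} has no ePHI entitlement")
    record = PATIENTS.get(patient_id)
    if record is None:
        log.record(user.user_id, user.role, patient_id, [], "denied:no-such-patient")
        raise KeyError(patient_id)
    view = {k: v for k, v in record.items() if k in allowed}
    log.record(user.user_id, user.role, patient_id, list(view), "ok")
    return view


if __name__ == "__main__":
    log = AuditLog()
    print(access_phi(User("dr-1", "clinician", True), "p-001", log))
    print(access_phi(User("acct-7", "billing", True), "p-001", log))
    print("chain intact:", log.verify())
    log.entries[0]["fields"] = []          # simulate someone editing the trail
    print("chain intact after tamper:", log.verify())
```

In production the log would be shipped to write-once storage and the chain head anchored externally (for example signed or stored with a separate custodian), since a hash chain detects tampering only if the verifier trusts at least one link the attacker could not rewrite. The point for an auditor is the shape: access decisions driven by role entitlements, MFA enforced before any PHI is read, and an audit record for every attempt whose integrity you can demonstrate.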

HIPAA’s safeguards overlap heavily with SOC 2 and ISO 27001, so many health-tech firms pursue SOC 2 as well to give customers a recognisable report alongside their HIPAA programme — see our SOC 2 guide. Collect the evidence once and it serves all three.

Run your HIPAA programme in Cyber Horizon

Map the Security Rule safeguards, maintain your ePHI risk analysis, track BAAs and evidence — alongside SOC 2, ISO 27001 and 36 more frameworks from one control set.
