HIPAA for B2B SaaS: What You Actually Need
A hospital just asked if you're HIPAA compliant. You have no idea. Here's the short version: what HIPAA actually requires of you, and what the marketing loves to over-promise.
Two kinds of people talk about HIPAA: lawyers who over-complicate it, and vendors who over-simplify it. The truth is in between. If you're a B2B SaaS that handles protected health information (PHI) on behalf of covered entities, here's what actually matters.
Covered Entity vs Business Associate
A hospital, clinic, or insurer is a Covered Entity. If your SaaS handles PHI for them, you're a Business Associate. As a Business Associate, you're directly liable under HIPAA — you don't get to hide behind the Covered Entity.
The BAA is the starting point
A Business Associate Agreement is the contract between you and the Covered Entity. It's required by HIPAA. No BAA, no handling PHI. Period. Most Covered Entities have their own BAA template; review it with counsel, but don't refuse to sign without a specific reason.
Your own sub-processors that handle PHI (AWS, your database provider, your email provider) also need BAAs with you. AWS, GCP, and Azure all offer BAAs — make sure your account is actually covered by one, and that the services you store PHI in are the ones the BAA lists.
What HIPAA actually requires (technically)
HIPAA's Security Rule defines three categories of safeguards:
Administrative
Risk analysis, security officer appointment, workforce training, access management, contingency planning. Mostly policies and processes.
Physical
Facility access controls, workstation security, device and media controls. For most cloud-native SaaS, your cloud provider's BAA handles this — but you're still responsible for employee workstation security.
Technical
Access control, audit controls, integrity controls, transmission security. The ones that matter most to implement:
- Unique user identification
- Automatic logoff
- Encryption at rest and in transit
- Audit logging of all PHI access
What HIPAA doesn't have
HIPAA doesn't have a "certification." Anyone who sells you a "HIPAA certification" is lying or confused. You can get a HIPAA attestation from an auditor, and you can claim HIPAA compliance — but there's no certificate you can frame and hang on the wall. SOC 2 + HIPAA attestation is the common combo for B2B SaaS serving healthcare.
What buyers actually want to see
Most healthcare buyers want: signed BAA, description of your technical safeguards, evidence of a HIPAA risk assessment, evidence of employee training, and ideally a SOC 2 Type II report that includes HIPAA in scope. If you can produce those, most procurement processes move quickly.
What they don't want: marketing language saying "HIPAA certified" with no backing documentation. The fastest way to lose a healthcare deal is to over-claim compliance and get caught during security review.
Stop managing compliance in spreadsheets.
Simpra is the AI-native platform that turns policies, controls, evidence, and risk into one live system of record.