HIPAA Compliance: Build Trust with Healthcare Customers
If your product touches protected health information, directly or as a vendor, HIPAA is not optional. Covered entities will not sign a Business Associate Agreement (BAA) without it, and the HHS Office for Civil Rights (OCR) audits, fines, and publishes the names of those who fail.
[01] Why Companies Build a HIPAA Programme
HIPAA opens the US healthcare market, exposes you directly to OCR enforcement as a Business Associate, and forces detection-and-response capability that pays back across every customer relationship you have.
// The Reality
Covered entities — hospitals, payers, providers — won't sign a Business Associate Agreement with a vendor that can't demonstrate a HIPAA programme. No BAA, no contract.
// Business Impact
Direct access to the US healthcare market: hospital systems, payers, providers, and the entire healthtech ecosystem built on top of them.
// Who Asks
- Hospital and health-system procurement
- Payer and provider risk teams
- EHR vendors and integrators
- Healthtech platforms (as their upstream)
// Strategic Advantage
HIPAA readiness opens healthcare to you and unlocks adjacent verticals (life sciences, clinical research, employer health programmes) that adopt HIPAA-grade controls voluntarily.
[02] What HIPAA Actually Is
HIPAA is a stack of rules and a long list of safeguards: the Rules govern the what and the why of PHI handling; the Security Rule safeguards are the specific administrative, physical, and technical controls auditors test.
§164.500–534
Privacy Rule
Governs who can see protected health information (PHI), why, when, and how it must be disclosed to patients. The "who and why" of PHI.
§164.302–318
Security Rule
Technical and operational controls protecting electronic PHI (ePHI). The "how" of protecting digital health data, broken into administrative (§164.308), physical (§164.310), and technical (§164.312) safeguards.
§164.400–414
Breach Notification Rule
Required notice to affected individuals, to HHS, and (for breaches affecting more than 500 residents of a state or jurisdiction) to prominent media when unsecured PHI is disclosed. The 60-day clock starts when you discover the breach, or reasonably should have, not when you confirm it.
Part 160, Subparts C–E
Enforcement Rule
How the HHS Office for Civil Rights investigates complaints, imposes civil money penalties (inflation-adjusted, currently around $2M per identical provision per calendar year), and resolves matters.
2013 update
Omnibus Rule
Made Business Associates directly liable under HIPAA, tightened breach notification, and updated definitions. Vendors are now first-class HIPAA actors, not just contractually bound.
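To make the discovery-clock and threshold logic of the Breach Notification Rule concrete, here is an added example (not part of the original page and not Konfirmity tooling) that, given a discovery date and per-state headcounts, works out which notices the rule requires and their deadlines. It encodes the thresholds from 45 CFR 164.404-164.408; the `Breach` dataclass and the sample figures are assumptions for illustration, and it does not model substitute notice or law-enforcement delay requests.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds and deadlines taken from the Breach Notification Rule (45 CFR 164.404-164.408).
INDIVIDUAL_NOTICE_DAYS = 60    # 164.404: individual notice no later than 60 calendar days after discovery
MEDIA_THRESHOLD = 500          # 164.406: media notice when MORE THAN 500 residents of one state/jurisdiction
HHS_IMMEDIATE_THRESHOLD = 500  # 164.408(b): 500 OR MORE individuals -> notify HHS with the individual notice
ANNUAL_LOG_GRACE_DAYS = 60     # 164.408(c): fewer than 500 -> log it, submit within 60 days after year end


@dataclass
class Breach:
    """Assumed record shape for this example; not a Konfirmity or HHS data model."""
    discovered: str                          # ISO date the breach became known (or should have, with diligence)
    affected_by_state: dict                  # residents affected, keyed by state/jurisdiction code
    secured_per_hhs_guidance: bool = False   # encrypted/destroyed per HHS guidance => not "unsecured PHI"


def plan_notifications(b: Breach) -> dict:
    """Return who must be notified and by when, starting the clock at discovery."""
    if b.secured_per_hhs_guidance:
        # The rule only reaches *unsecured* PHI; document the safe-harbor basis instead of notifying.
        return {"notifiable": False, "reason": "PHI secured per HHS guidance (encryption/destruction)"}

    discovered = date.fromisoformat(b.discovered)
    total = sum(b.affected_by_state.values())
    individual_by = discovered + timedelta(days=INDIVIDUAL_NOTICE_DAYS)

    # Media notice is assessed per state: 600 people spread over three states does not trigger it.
    media_states = sorted(s for s, n in b.affected_by_state.items() if n > MEDIA_THRESHOLD)

    if total >= HHS_IMMEDIATE_THRESHOLD:
        hhs_by = individual_by                  # contemporaneous with the individual notice
        hhs_mode = "immediate"
    else:
        year_end = date(discovered.year, 12, 31)
        hhs_by = year_end + timedelta(days=ANNUAL_LOG_GRACE_DAYS)
        hhs_mode = "annual_log"

    return {
        "notifiable": True,
        "total_affected": total,
        "individual_notice_by": individual_by.isoformat(),
        "media_notice_states": media_states,
        "hhs_notice_mode": hhs_mode,
        "hhs_notice_by": hhs_by.isoformat(),
    }


if __name__ == "__main__":
    # Constructed sample breach: discovered 1 March 2024, 620 Californians and 40 New Yorkers affected.
    print(plan_notifications(Breach("2024-03-01", {"CA": 620, "NY": 40})))
```

Note the asymmetry the code preserves: media notice needs more than 500 residents of a single state, while the immediate HHS report is triggered at 500 or more individuals in total, so a breach of exactly 500 people in one state goes to HHS at once but not to the press.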
[03] Understanding the HIPAA Programme
HIPAA isn't a certificate: it's a continuously operated compliance programme that has to survive an OCR investigation if one ever comes. Build it like the audit is six months away.
[1/7] SCOPE & PHI MAPPING (WEEK 1-2)
Determine whether you are a Covered Entity, Business Associate, or both. Map every flow of PHI in, through, and out of your systems. Identify Business Associates upstream and downstream.
// What Happens
Clear role determination, complete PHI flow map, and a draft inventory of every BAA relationship you have or need.
// Deliverables
- Role determination memo (CE / BA / hybrid)
- PHI flow map across systems and partners
- BAA inventory (existing + needed)
- Scope statement
// Effort
- Timeline: 1-2 weeks
- Your involvement: 8-12 hours
// Activities
- Role Determination: Establish CE / BA status per service or product line
- Data Flow Mapping: Every system, integration, and human touchpoint with PHI
- BAA Inventory: Identify every relationship that needs a BAA
- Sub-processor Review: Which vendors touch PHI, and whether each has a signed BAA
[05] A Smarter Security Investment
When platform, service, and execution are considered together, Konfirmity delivers security and compliance with fewer tradeoffs and clearer long-term costs.
Option                  Platform   Service    Audit   Year 1 total   Annual (ongoing)
DIY Manual              None       None       $15K    $15K           $5K
Generic Platform        $25K       None       $15K    $40K           $30K
Traditional Consultant  None       $50K       $15K    $65K           $25K
Konfirmity              Included   Included   $15K    $50K           $35K
[06] FAQs
What HIPAA Actually Involves
Covered Entities are health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically. Business Associates are vendors that process PHI on behalf of a Covered Entity (or another BA). Most B2B SaaS in healthcare is a Business Associate — and under the Omnibus Rule, directly liable to HHS.
Yes: if you share PHI with a subcontractor, you must have a written BAA with them. The Omnibus Rule made subcontractors directly liable too, and your BAA must flow obligations down to them. AWS, Google, and Microsoft all have HIPAA BAAs you can sign for their applicable services.
An impermissible use or disclosure of unsecured PHI is presumed to be a breach unless you can demonstrate (and document) a low probability of compromise based on four factors: nature of PHI involved, who got it, whether it was actually viewed, and whether the risk has been mitigated. The default is: assume breach, prove otherwise.
HIPAA is the federal floor, non-negotiable if you touch PHI. SOC 2 is the procurement layer customers ask for. HITRUST CSF is a certifiable framework that maps HIPAA, NIST, and others into one assessable framework, and is increasingly requested by larger health systems. Most healthcare SaaS lands on HIPAA + SOC 2; the larger ones add HITRUST as a market accelerator.
HIPAA preempts only weaker state laws. Stricter state laws stack on top: California CMIA, NY SHIELD, Texas HB 300, and others. Build to the strictest applicable state — typically California or New York — and you cover the federal floor automatically.
Yes, you can run on public cloud, provided you sign the cloud provider's HIPAA BAA and use only the services it covers. AWS, GCP, Azure, and most managed-data offerings (BigQuery, S3, RDS, etc.) are HIPAA-eligible. The cloud provider is your Business Associate; their BAA defines what you can put where.
[07] Get Started
Get started in the way that fits you best: see the platform in action, speak directly with a security expert, or get real proof through a free external scan of your environment.
See the platform in action. We'll show you:
Adaptation to your specific stack
Integration with your existing tools
Custom evidence collection workflows
Dashboard views for stakeholders
Speak directly with one of our security experts:
Security program design for your industry
Compliance roadmap (SOC 2 → ISO)
Risk assessment and treatment planning
Vendor security review guidance
Want proof? We'll scan your surface for free:
Exposed assets and misconfigurations
SSL/TLS vulnerabilities
Vendor risk in your supply chain
Comparison to industry benchmarks
