HIPAA·11 min read·April 19, 2026

HIPAA Compliance Checklist for HealthTech Startups

A HIPAA (Health Insurance Portability and Accountability Act) compliance checklist for a HealthTech startup looks very different from the 100-item lists aimed at hospitals. You do not need every HIPAA policy a 2,000-bed health system needs. You need the controls a covered entity's vendor risk team will actually test — and the ones HHS audits first when a breach happens. This brief covers both.

Written for founders and engineering leads at SaaS platforms serving covered entities. If a hospital, health plan, or clearinghouse is a customer, you are a Business Associate and this list applies.


What HIPAA Actually Requires of a SaaS Vendor

HIPAA applies to covered entities — providers, health plans, clearinghouses — and to their Business Associates. A Business Associate is any vendor that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a covered entity.

If you handle PHI, you are bound by:

  • The HIPAA Privacy Rule — limits on how PHI is used and disclosed
  • The HIPAA Security Rule — safeguards for electronic PHI
  • The HIPAA Breach Notification Rule — 60-day notification obligations after a breach

The authoritative source is the HHS Office for Civil Rights HIPAA guidance. Business Associates are directly liable for Security Rule violations since the 2013 Omnibus Rule.

A Business Associate Agreement (BAA) — a signed contract between you and the covered entity — is the document that formalizes your obligations. No BAA, no PHI. Customer contracts rarely substitute.


The Checklist — Organized by HIPAA Safeguard Category

The Security Rule organizes controls into three safeguard categories: administrative, physical, and technical. This checklist follows that structure plus a fourth section for documentation and breach response.


Administrative Safeguards

1. Named Security Official

One person designated in writing as the security official responsible for the HIPAA program. For startups, this is typically the CTO, head of security, or a vCISO.

Common gap: Responsibility spread across three people with no formal designation.


2. Workforce Training and Sanctions

Every workforce member with access to PHI completes HIPAA training during onboarding and annually thereafter. A sanctions policy defines consequences for violations. Completion records retained.

Common gap: Training happens at onboarding only, never repeats. No sanctions policy on file.


3. Risk Analysis and Risk Management

A documented risk analysis covering every system that stores, processes, or transmits PHI. Identified risks tracked to remediation in a risk register. The risk analysis is refreshed at least annually and after significant system changes.

Common gap: One-time risk analysis from 24 months ago, no refresh, no register.


4. Access Authorization and Review

PHI access granted only by formal request with documented approval. Access reviewed at least quarterly. Termination triggers same-day revocation.

Common gap: Engineers with broad production access to PHI environments, no review cadence.


5. Business Associate Agreements

A signed BAA with every upstream covered entity customer. A signed BAA with every downstream subcontractor that touches PHI (AWS, Twilio, analytics vendors). Track BAAs in a register with renewal dates.

Common gap: BAA signed with the customer but no BAA with the cloud provider or email service handling PHI.


Physical Safeguards

6. Facility Access Controls

For cloud-hosted platforms, most physical safeguards inherit from the cloud provider's own HIPAA-eligible services (AWS, GCP, Azure all publish BAAs). Document the inheritance and retain the cloud provider's BAA.

Common gap: No documented reliance statement. Auditors cannot tell which controls are inherited.


7. Workstation Security

Every workstation with access to PHI uses full-disk encryption, automatic screen lock, managed endpoint protection, and MDM enrollment. Personal devices barred from PHI access, or brought under MDM.

Common gap: BYOD laptops with PHI access, no MDM, no disk encryption check.


8. Device and Media Disposal

Documented procedure for wiping drives and destroying media before disposal or reassignment. Evidence retained.

Common gap: Offboarded laptops reassigned without documented wipe.


Technical Safeguards

9. Unique User Identification

Every individual accessing PHI has a unique account. No shared logins, no generic service accounts used by humans.

Common gap: Shared admin account for on-call rotation.


10. Automatic Logoff and Session Timeout

Session timeout on every system handling PHI. The interval is configurable per risk; 15–30 minutes is typical.

Common gap: No session timeout on internal admin tools.


11. Encryption of PHI

PHI encrypted at rest and in transit. TLS 1.2 minimum in transit. Documented key management. Encryption is an addressable rather than a required specification under the Security Rule, but unencrypted PHI is the primary breach-notification trigger and enforcement focus.

Common gap: Database encryption verified; backup snapshots and log exports unchecked.


12. Audit Logging

Every access to PHI logged. Logs retained 6 years minimum (HIPAA's general record retention rule). Review procedures defined.

Common gap: Logs generated, retention set to 30 days, no review cadence.


13. Transmission Security

PHI only transmitted over encrypted channels. No PHI in unencrypted email, no PHI in Slack messages, no PHI in analytics payloads.

Common gap: Customer support reps paste PHI into ticketing comments that sync to third-party analytics.
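
Items 9, 10, 12 and 13 all come down to the same evidence: an audit trail of PHI access that someone actually reviews. The script below is an added example, not code from this checklist or from ShieldKey, of what a periodic review can look like. It assumes a constructed JSON-lines log format (the field names, the sample events, the account names and the list of known shared accounts are all assumptions) and flags three of the common gaps named above: PHI reached through a shared or generic account, a session left open past the timeout, and PHI sent over a channel below TLS 1.2. It also computes whether an event still falls inside the 6-year retention window.

```python
"""Reviewing PHI audit logs against the technical safeguards above.

Constructed example: the log schema, account names and thresholds are
assumptions, not a real product's format. Each event records who touched
PHI, how long their session had been open when they did, and the TLS
version of the channel the request arrived over.
"""
import json
from datetime import datetime, timezone

SESSION_TIMEOUT_MIN = 30          # item 10: 15-30 minutes is typical
MIN_TLS = (1, 2)                  # items 11/13: TLS 1.2 minimum in transit
RETENTION_YEARS = 6               # item 12: 6-year minimum retention
# Assumption: accounts known to be shared or non-human (item 9).
SHARED_ACCOUNTS = {"admin", "oncall", "svc-etl"}

# Constructed sample log, one JSON object per line.
SAMPLE_LOG = """\
{"id": 1, "ts": "2026-03-01T09:00:00Z", "user": "alice@example.com", "action": "read",   "resource": "patient/1042", "session_min": 12, "tls": "1.3"}
{"id": 2, "ts": "2026-03-01T09:05:00Z", "user": "admin",             "action": "read",   "resource": "patient/1042", "session_min": 4,  "tls": "1.3"}
{"id": 3, "ts": "2026-03-01T11:00:00Z", "user": "bob@example.com",   "action": "export", "resource": "patient/2200", "session_min": 95, "tls": "1.2"}
{"id": 4, "ts": "2026-03-02T08:30:00Z", "user": "carol@example.com", "action": "read",   "resource": "patient/3310", "session_min": 20, "tls": "1.0"}
{"id": 5, "ts": "2026-03-02T08:45:00Z", "user": "dave@example.com",  "action": "read",   "resource": "patient/3310", "session_min": 5,  "tls": null}
"""


def parse_events(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def parse_ts(value):
    """ISO-8601 timestamp with a trailing Z to an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def tls_tuple(value):
    """'1.2' -> (1, 2); None (no TLS at all) -> (0, 0) so it sorts below any real version."""
    if not value:
        return (0, 0)
    return tuple(int(p) for p in value.split("."))


def check_event(ev):
    """Return the list of control findings for one access event."""
    findings = []
    # Item 9: every human touching PHI does so under their own named account.
    if ev["user"] in SHARED_ACCOUNTS or "@" not in ev["user"]:
        findings.append({"id": ev["id"], "control": "unique-user",
                         "detail": f"PHI accessed via shared/generic account {ev['user']!r}"})
    # Item 10: the session should have been logged off before this point.
    if ev["session_min"] > SESSION_TIMEOUT_MIN:
        findings.append({"id": ev["id"], "control": "session-timeout",
                         "detail": f"session open {ev['session_min']} min, limit {SESSION_TIMEOUT_MIN}"})
    # Item 13: PHI only over encrypted channels, TLS 1.2 or better.
    if tls_tuple(ev["tls"]) < MIN_TLS:
        findings.append({"id": ev["id"], "control": "transmission",
                         "detail": f"PHI sent over TLS {ev['tls'] or 'none'}, minimum {MIN_TLS[0]}.{MIN_TLS[1]}"})
    return findings


def review(text):
    """Run every check over every event in a log and return all findings."""
    out = []
    for ev in parse_events(text):
        out.extend(check_event(ev))
    return out


def summarize(findings):
    """Count findings per control; this is what goes into the review record."""
    counts = {}
    for f in findings:
        counts[f["control"]] = counts.get(f["control"], 0) + 1
    return counts


def subtract_years(dt, years):
    """dt minus whole years, clamping 29 Feb to 28 Feb when the target year has none."""
    try:
        return dt.replace(year=dt.year - years)
    except ValueError:
        return dt.replace(year=dt.year - years, day=28)


def within_retention(ts, now=None):
    """True if an event dated ts must still be retained under the 6-year rule (item 12)."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_ts(now)
    return parse_ts(ts) >= subtract_years(now, RETENTION_YEARS)


if __name__ == "__main__":
    found = review(SAMPLE_LOG)
    for f in found:
        print(f"event {f['id']:>3}  {f['control']:<16} {f['detail']}")
    print("summary:", summarize(found))
```

Run against the constructed log it reports four findings on events 2 through 5 and a clean event 1. The point of keeping `check_event` separate from `review` is that the same checks can run inline at ingestion time (alerting) and in batch at the quarterly access review (evidence), which is the review cadence the common gap under item 12 says is usually missing.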


Documentation and Breach Response

14. Written Policies and Procedures

Every administrative, physical, and technical safeguard backed by a written policy. Policies retained 6 years from the date of creation or last effective date.

Common gap: Technical controls implemented, written policies never drafted.


15. Incident Response and Breach Notification

An incident response plan that addresses HIPAA breach notification timing — 60 days to notify affected individuals, HHS, and in some cases the media. Tested annually. Evidence that actual incidents were handled per the plan.

Common gap: Generic incident response plan with no HIPAA-specific notification language.


16. Contingency Planning

A data backup plan, disaster recovery plan, and emergency mode operation plan for systems handling PHI. Tested annually with documented results.

Common gap: Backup strategy exists; DR plan does not, or has never been tested.


How This Intersects With SOC 2

HIPAA and SOC 2 share roughly 60–70% of their control surface. A well-run SOC 2 program covers most of the Security Rule already. The HIPAA-specific additions are the BAAs, the 6-year retention requirement, the PHI-specific risk analysis, and the breach notification procedure. Running both in parallel is the efficient path for HealthTech startups with enterprise hospital or payer customers.

For the SOC 2 side of the program, see our SOC 2 compliance checklist.


How Long Does HIPAA Readiness Take?

For a HealthTech SaaS starting from reasonable baseline hygiene: 8–14 weeks. The front-loaded work is the PHI data map, the BAA paperwork across all subprocessors, and the written policy set. Once those exist, day-to-day operation is continuous evidence capture — the same discipline SOC 2 demands.


Frequently Asked Questions

What is HIPAA compliance? HIPAA compliance means meeting the Privacy, Security, and Breach Notification Rules that govern Protected Health Information in the United States. For SaaS vendors, it means implementing the Security Rule safeguards, signing Business Associate Agreements, and documenting policies and evidence that HHS auditors can inspect after a breach.

Who needs HIPAA compliance? Covered entities — healthcare providers, health plans, and clearinghouses — plus their Business Associates. A Business Associate is any vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity. A HealthTech SaaS whose customers include hospitals, clinics, or health plans is almost always a Business Associate.

How do you become HIPAA compliant? HIPAA has no certification and no government registry. Compliance means implementing the required safeguards, signing BAAs with every upstream and downstream party that touches PHI, documenting policies, and maintaining evidence. Many HealthTech SaaS companies pair HIPAA readiness with a SOC 2 Type II report to satisfy enterprise buyer vendor risk reviews.


Ready to Start?

ShieldKey runs managed HIPAA readiness programs for HealthTech SaaS and AI companies selling into covered entities. For scope, pricing, and delivery model, see our HIPAA compliance service.

Schedule a scoping call →