All you need to prep for your SaaS HIPAA compliance
When you are a SaaS provider operating in the healthcare space, you are dealing with a lot of sensitive data that needs to be handled in a secure way.
With healthcare providers increasingly adopting electronic health records (EHRs) and telemedicine services, many SaaS vendors are becoming the go-to option for managing, storing, and transmitting sensitive health data.
This opportunity, however, comes with a heightened responsibility: ensuring that your SaaS complies with the Health Insurance Portability and Accountability Act (HIPAA) regulations.
HIPAA is a federal law that sets the standard for protecting sensitive patient information, and as a SaaS provider, complying with these regulations is crucial to avoid costly fines and legal action.
In edition #9 of All Things AppSec, we’ll look into where you fall under HIPAA as a SaaS vendor and what the HIPAA compliance requirements are.
Where do you fall under HIPAA as a SaaS vendor?
To understand where you fall under HIPAA as a SaaS vendor, it’s important to understand the two types of entities defined by HIPAA – Covered entities and Business associates.
Covered entity
A covered entity is defined as a healthcare provider, health plan, or healthcare clearinghouse that electronically transmits health information in connection with a transaction covered by HIPAA.
Covered entities are required to comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, which set standards for protecting the privacy and security of protected health information (PHI).
Business associate
A business associate, on the other hand, is an individual or entity that performs certain functions or activities on behalf of a covered entity that involve the use or disclosure of PHI.
Most SaaS vendors fall under the category of business associates as their solutions interact with systems that contain ePHI.
According to a survey by the Cloud Security Alliance (CSA), 63% of healthcare organizations reported using at least one cloud-based SaaS application, indicating that many SaaS providers may be handling PHI on behalf of covered entities or business associates.
This underscores the importance of SaaS providers understanding their obligations under HIPAA and taking appropriate steps to ensure compliance.
Business associates of HIPAA covered entities need to sign a contract with the covered entity, termed a business associate agreement (BAA). The BAA outlines the responsibilities of the business associate. As a business associate, you are required to comply with the HIPAA Privacy Rule and the HIPAA Security Rule.
If any subcontractors are used, it falls upon the business associate to ensure that they too agree to comply with HIPAA Rules and sign a BAA.
What are the HIPAA compliance requirements?
In the earlier section where we discussed covered entities and business associates, we mentioned specific rules they need to comply with.
Let's take a look at some of these key HIPAA compliance requirements:
Privacy Rule
The HIPAA Privacy Rule sets standards for the use and disclosure of PHI by covered entities.
It requires covered entities to obtain patient consent for certain uses and disclosures of PHI, to provide patients with access to their own PHI, and to implement administrative, physical, and technical safeguards to protect PHI.
Security Rule
The HIPAA Security Rule sets forth standards for the security of electronic PHI (ePHI).
It requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect ePHI, including access controls, data encryption, and regular risk assessments.
Breach Notification Rule
The HIPAA Breach Notification Rule requires covered entities and business associates to notify affected individuals, the Secretary of Health and Human Services, and, in some cases, the media, in the event of a breach of unsecured PHI.
The notification must be made without unreasonable delay, and in no case later than 60 days following discovery of the breach.
Omnibus Rule
The goal of the HIPAA Omnibus Rule is to strengthen the privacy and security of PHI, while also updating HIPAA regulations to reflect changes in healthcare technology and the healthcare industry.
Covered entities and business associates must comply with the requirements of the Omnibus Rule in addition to the other HIPAA requirements.
Enforcement Rule
The HIPAA Enforcement Rule sets forth the procedures for investigating HIPAA violations and imposing civil monetary penalties.
It also establishes the HIPAA Privacy and Security Rule compliance audit program.
Alright, that’s it for today’s newsletter. Now you know where you fall under HIPAA as a SaaS vendor and what the HIPAA compliance requirements are. Next week, we’ll look into the steps needed to achieve your HIPAA compliance along with a checklist.
Stay tuned for edition #10 and make sure to subscribe if you haven’t already so that you don’t miss the next part. Au revoir!