Compliance & Security
HIPAA (Health Insurance Portability and Accountability Act)
HIPAA — the Health Insurance Portability and Accountability Act of 1996 — is the United States federal law that sets national standards for protecting the privacy and security of health information. For anyone building healthcare software for the US market, HIPAA is the baseline regulatory framework: it defines what counts as Protected Health Information (PHI), who must safeguard it, how, and what happens when they fail. Understanding HIPAA is not optional for a healthcare AI product — it shapes architecture, contracts, and operations from the first line of code.
The Privacy Rule and the Security Rule
HIPAA's protections rest on two pillars. The Privacy Rule governs the use and disclosure of PHI — who may see health information and for what purposes — and grants patients rights over their own data, including access and correction. The Security Rule applies specifically to electronic PHI (ePHI) and requires administrative, physical, and technical safeguards: access controls, encryption, audit logging, risk assessments, and contingency planning. Together they answer two questions: who is allowed to use this data, and how must it be protected technically.
Covered entities and business associates
HIPAA applies to 'covered entities' — health plans, clearinghouses, and providers — and to 'business associates', the vendors and subcontractors that handle PHI on their behalf. A software company building tools for a hospital is almost always a business associate. That status is formalised through a Business Associate Agreement (BAA), a contract that binds the vendor to HIPAA's requirements. No BAA, no lawful handling of PHI — which is why securing a signed BAA is a prerequisite, not a formality, before any real patient data touches your systems.
What HIPAA compliance means in engineering terms
Compliance is not a certificate you buy; it is an ongoing posture you build and prove. In practice it means encrypting PHI in transit and at rest, enforcing least-privilege access with strong authentication, logging every access for audit, conducting and documenting risk assessments, controlling where data lives (and ensuring cloud providers sign BAAs), planning for breaches and disaster recovery, and training staff. For AI products specifically, it also means scrutinising how PHI flows to and from models, and ensuring third-party AI services are themselves covered by appropriate agreements.
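Two of the controls listed above, least-privilege access and logging every access for audit, are easy to state and easy to get subtly wrong. The following Python sketch is an added example, not code from the page or from any vendor: a small gateway in front of PHI records that checks an action against a role's allowed actions before returning anything, records every attempt (denied ones included) in an append-only audit log, and chains each log entry to the previous one with an HMAC so that later edits or deletions can be detected. The role model, the patient records and the "de-identified" field list are constructed assumptions for illustration; a real deployment would hold the HMAC key in a secrets manager and persist the log outside the application's own write path.

```python
"""PHI access gateway: least-privilege checks plus a tamper-evident audit trail.

Constructed example for illustration; roles, records, identifier list and
key handling are assumptions, not a reference HIPAA implementation.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed role model: each role may perform only the listed actions.
ROLE_PERMISSIONS = {
    "clinician": {"read", "update"},
    "billing": {"read_billing"},
    "ml_pipeline": {"read_deidentified"},
}

# Constructed sample record (all values are fake).
PHI_RECORDS = {
    "p-001": {"name": "Jane Example", "dob": "1980-01-01",
              "diagnosis": "hypertension", "mrn": "MRN-0001"},
}

# Illustrative subset of direct identifiers that a de-identified view must drop.
DIRECT_IDENTIFIERS = {"name", "dob", "mrn"}

class AccessDenied(Exception):
    pass

@dataclass
class AuditLog:
    """Append-only log; each entry's MAC also covers the previous entry's MAC."""
    key: bytes
    entries: list = field(default_factory=list)
    _last_mac: str = "0" * 64

    def append(self, actor, role, action, patient_id, allowed):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "role": role, "action": action,
            "patient_id": patient_id, "allowed": allowed,
            "prev": self._last_mac,
        }
        payload = json.dumps(entry, sort_keys=True).encode()
        entry["mac"] = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        self.entries.append(entry)
        self._last_mac = entry["mac"]

    def verify(self):
        """Recompute the chain; False if any entry was altered or removed."""
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body["prev"] != prev:
                return False
            expected = hmac.new(self.key, json.dumps(body, sort_keys=True).encode(),
                                hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, entry["mac"]):
                return False
            prev = entry["mac"]
        return True

class PhiGateway:
    """Single choke point through which all PHI reads must pass."""
    def __init__(self, audit):
        self.audit = audit

    def access(self, actor, role, action, patient_id):
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        # Log before acting so denied attempts are recorded too.
        self.audit.append(actor, role, action, patient_id, allowed)
        if not allowed:
            raise AccessDenied(f"role {role!r} may not {action!r}")
        record = PHI_RECORDS[patient_id]
        if action == "read_deidentified":
            return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        return dict(record)

if __name__ == "__main__":
    log = AuditLog(key=b"demo-key-from-secrets-manager")
    gw = PhiGateway(log)
    print(gw.access("dr_a", "clinician", "read", "p-001"))
    print(gw.access("job-7", "ml_pipeline", "read_deidentified", "p-001"))
    try:
        gw.access("job-7", "ml_pipeline", "read", "p-001")
    except AccessDenied as exc:
        print("denied:", exc)
    print("audit chain intact:", log.verify())
```

The point of routing the ML pipeline through the same gateway as clinicians is that the de-identified view is produced by the control plane, not by the model code, so the audit trail shows exactly which identity received which view of the data. The chained MAC makes the log tamper-evident, not tamper-proof: anyone holding the key can rewrite it, which is why the key must not live with the application that writes the log.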
Penalties and why it matters commercially
HIPAA violations carry significant civil and, in egregious cases, criminal penalties, alongside mandatory breach notification that can be reputationally devastating. But beyond avoiding fines, HIPAA readiness is a commercial enabler: health systems will not buy from a vendor that cannot demonstrate compliance. Being able to show a mature security posture, sign BAAs confidently, and answer a hospital's security questionnaire is often what gets a healthcare product through procurement at all. Compliance, done right, is a sales advantage rather than a cost centre.
Frequently asked questions
What is a Business Associate Agreement (BAA)?
A BAA is a contract between a covered entity (like a hospital) and a vendor that handles PHI on its behalf, binding the vendor to HIPAA's privacy and security obligations. You generally cannot lawfully process real PHI for a client without one in place.
Is HIPAA the same as GDPR?
No. HIPAA is US health-specific; GDPR (and UK GDPR) is a broad EU/UK data protection law covering all personal data. A product serving both markets must satisfy both frameworks, which overlap in spirit but differ in detail and scope.
Can you use cloud services and AI APIs under HIPAA?
Yes, provided the provider will sign a BAA and supports compliant configurations. Major cloud platforms offer HIPAA-eligible services; the responsibility is to architect and configure them correctly and to ensure any AI services handling PHI are covered by agreements.
Building for the US healthcare market? We architect HIPAA-compliant systems and help you pass security review. Book a discovery call.