HIPAA compliance for SaaS: a guide for healthcare providers


As healthcare providers increasingly rely on Software-as-a-Service (SaaS) applications to manage patient data, it is crucial for them to understand the importance of HIPAA compliance. 

This article will discuss what healthcare organizations need to know about HIPAA compliance for SaaS and how to ensure that their SaaS applications follow industry-specific regulations.

What does HIPAA compliance mean for SaaS?

When it comes to HIPAA compliance, SaaS providers fall into two broad categories: SaaS developers and app providers, and SaaS hosting services. The two groups have different compliance needs, so it's helpful to discuss them separately.


SaaS developers and providers

SaaS developers and providers that serve the healthcare sector must ensure their products are HIPAA compliant.

HIPAA compliance means that SaaS developers and service providers adhere to HIPAA’s Security, Privacy, and Breach Notification rules. The most important section here is the HIPAA Security Rule, which has three sub-sections: technical, administrative, and physical.

Under the HIPAA Security Rule, Covered Entities (CEs) and Business Associates (BAs) must put in place protective measures to secure Protected Health Information (PHI). SaaS companies tend to fall under the Business Associate header.

SaaS providers must sign Business Associate Agreements (BAAs) with clients. These agreements set out areas of responsibility and liability. Both healthcare companies and cloud providers should be clear about sharing compliance duties and protecting patient data.

SaaS hosting services

The situation is less clear for SaaS hosting services. The HIPAA Security Rule does not set clear guidelines for cloud computing companies hosting healthcare services. Yet it has become increasingly important to brand cloud infrastructure as HIPAA-eligible.

HIPAA-eligible hosts offer products that clients can adapt to meet HIPAA standards. This reassures clients that shared cloud computing architecture is properly secured. The major cloud platforms offer HIPAA-eligible services, including Amazon Web Services, Microsoft Entra ID (Azure AD), and Google Cloud.

Important HIPAA compliance areas for companies and SaaS providers

Not all SaaS companies working in the healthcare sector need to worry about HIPAA compliance. For example, many health app developers won’t handle patient records if their involvement ends when the app is delivered to clients.

But this changes if DevOps teams maintain and update cloud apps for health companies. If you handle Protected Health Information or could access PHI during development tasks, you must be HIPAA compliant.

Generally speaking, HIPAA compliance is critical for providers of SaaS-based healthcare services such as monitoring apps, payment portals, or insurance management tools. And compliance is also a concern for services that host PHI on cloud infrastructure.

Specifically, healthcare organizations need to protect patient data:

  • When creating patient records

  • When information is received

  • When PHI is at rest on cloud resources

  • During transmission (if this involves SaaS infrastructure or apps).

HIPAA requirements for SaaS providers

What does the process of becoming HIPAA-compliant look like? Under the HIPAA Privacy rule, there are three main areas of focus.

Firstly, achieving SaaS data security involves creating robust technical controls. This could include encryption of data in transit and at rest. It also includes access controls to prevent unauthorized access to confidential data. Multi-factor authentication, firewall protection, and password management systems all contribute.

On the administrative side, SaaS companies must train workers to use SaaS tools safely. They must also have robust data handling policies and device usage rules to prevent the unsafe movement of patient data.

Finally, physical security measures include securing data centers via locks, authorization systems, and cameras. There should be measures to protect physical devices on- and off-site, and plans to guard data against natural disasters and sabotage.

Business Associate Agreements cover all three of these areas. The Covered Entity and Business Associate sign BAAs before commencing their business partnership.

The BAA describes the areas of responsibility of clients and SaaS providers. It includes details on how to achieve compliance. And it explains how partners will be liable when security breaches occur.

Sharing compliance responsibilities

Under the Privacy Rule, SaaS partners and Covered Entities have shared responsibility for protecting patient data.

Cloud Service Providers guard infrastructure and data at rest on their servers. Service users manage access control, data in transit, and how users interact with their apps. This situation applies in healthcare as well. But controls on data access are much tighter.

HIPAA-compliant SaaS hosts and providers must apply the strongest possible encryption to all confidential data. They are responsible for ensuring data is available when requested. Servers must also remain online when healthcare organizations need them.

SaaS hosts manage the physical safety of hosting infrastructure. SaaS providers handle the integrity of application code. They must guard against emerging threats such as zero-day exploits and ensure healthcare apps are as secure as possible.

Healthcare organizations (Covered Entities) have different responsibilities. Healthcare organizations must train staff to use SaaS services safely. Every covered entity needs to educate users about safe remote access, using encryption, managing passwords, and avoiding phishing attacks.

Healthcare organizations also deal with access controls. They must ensure PHI is only available to authorized professionals or patients themselves.

Most cloud-based cyber attacks have their roots in unsafe user behavior or loose access controls, so security on the healthcare organization's side is critical. Yet it's also important for SaaS providers and hosts to tighten their HIPAA compliance.


Healthcare organizations and SaaS partners should know exactly how to share responsibility and take appropriate action to ensure watertight compliance.

Implementing HIPAA compliance measures

A robust HIPAA compliance plan ensures that SaaS companies follow HIPAA’s Security, Privacy, and Breach Notification rules. Dividing your compliance plan between the three HIPAA regulations is good practice.

Compliance plans cover many areas, and the exact make-up varies between organizations. But common elements include:

Risk management

Create risk management plans for all critical data protection risks. Risk assessment processes should include risk severity and actions required to mitigate each risk.

Project ownership

Appoint individuals with responsibility for HIPAA privacy and security management.

Security controls

This includes physical safeguards such as cameras and locks. Data protection controls are also crucial. Use encryption, access management, endpoint protection, and monitoring tools to track user activity.
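The access-management and activity-monitoring controls named here, and the earlier point that PHI must only be available to authorized professionals or to patients themselves, come together in a single pattern: deny by default, grant the minimum necessary, and log every decision. The following is an added illustration written for this guide, not code from NordLayer or from any HIPAA text. The records, user identifiers, roles and the `mfa_verified` flag are all constructed; in a real deployment the flag would be the result of an actual multi-factor authentication step and the audit log would go to a tamper-evident store.

```python
"""Added illustration: minimum-necessary access to PHI records with an audit trail.
All identifiers and records below are constructed for the example."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample PHI store (hypothetical record and patient identifiers).
RECORDS: Dict[str, dict] = {
    "rec-1001": {"patient_id": "pat-7", "care_team": {"dr-smith"}, "data": "blood panel"},
    "rec-1002": {"patient_id": "pat-9", "care_team": {"dr-lee"}, "data": "MRI report"},
}


@dataclass(frozen=True)
class Principal:
    """The authenticated caller. mfa_verified stands in for a real MFA result."""
    user_id: str
    role: str                         # "patient", "clinician" or "billing"
    patient_id: Optional[str] = None  # set for patients only
    mfa_verified: bool = False


@dataclass
class AuditLog:
    """Append-only in-memory log of every access decision, allowed or denied."""
    entries: List[dict] = field(default_factory=list)

    def record(self, principal: Principal, record_id: str, allowed: bool, reason: str) -> None:
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": principal.user_id,
            "role": principal.role,
            "record": record_id,
            "allowed": allowed,
            "reason": reason,
        })

    def denied(self) -> List[dict]:
        """Denied attempts are the entries a monitoring tool would alert on."""
        return [e for e in self.entries if not e["allowed"]]


def is_authorized(principal: Principal, record_id: str) -> Tuple[bool, str]:
    """Deny by default; allow only the patient themselves or a care-team clinician."""
    record = RECORDS.get(record_id)
    if record is None:
        return False, "no such record"
    if not principal.mfa_verified:
        return False, "MFA required before any PHI access"
    if principal.role == "patient":
        if principal.patient_id == record["patient_id"]:
            return True, "patient viewing own record"
        return False, "patient may only view own records"
    if principal.role == "clinician":
        if principal.user_id in record["care_team"]:
            return True, "clinician on care team"
        return False, "clinician not on care team"
    return False, f"role '{principal.role}' has no PHI access"


def read_phi(principal: Principal, record_id: str, audit: AuditLog) -> Optional[str]:
    """Return the record's data if authorized, otherwise None; always log the decision."""
    allowed, reason = is_authorized(principal, record_id)
    audit.record(principal, record_id, allowed, reason)
    return RECORDS[record_id]["data"] if allowed else None


if __name__ == "__main__":
    log = AuditLog()
    patient = Principal("pat-7", "patient", patient_id="pat-7", mfa_verified=True)
    print(read_phi(patient, "rec-1001", log))  # blood panel
    print(read_phi(patient, "rec-1002", log))  # None: another patient's record
    print(read_phi(Principal("dr-smith", "clinician"), "rec-1001", log))  # None: no MFA
    for entry in log.denied():
        print("DENIED", entry["user"], entry["record"], entry["reason"])
```

The point of logging the denied attempts alongside the allowed ones is that the audit trail is what lets an organization demonstrate, during a compliance audit or a breach investigation, who touched PHI and who tried to; an authorization check that silently refuses leaves nothing for monitoring tools to work with.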

Administrative safeguards

This could include training plans to educate workers and communicate HIPAA responsibilities.

Compliance audits

Regular compliance audits ensure controls function properly and that staff training achieves the desired results.

Systems to receive and act on HIPAA complaints

Create a secure email or phone line to report PHI violations. Organizations must make data available to patients and have streamlined processes to report data breaches to regulators.

Documentation

Create and store clear documentation outlining HIPAA compliance policies. Make documents available to staff members and regulators if needed.

Handling third parties and associates

HIPAA-compliant organizations must have solid procedures to onboard business associates. SaaS partners should be able to provide clear evidence of compliance and HIPAA eligibility (if needed).

Clients should immediately know that the SaaS provider is a dependable and secure partner. If you have not done so, plan to achieve recognized security standards such as NIST 800-53, ISO 27001, or ISO 20000-1.

How can NordLayer help?

Becoming HIPAA compliant can be challenging for SaaS developers and service providers. But if you want to thrive in the healthcare sector, a strong compliance plan is essential. NordLayer's HIPAA-compliant solution can help you make the changes needed when building a reputation in SaaS health provision.

Our network security solutions include the following:

  • Streamlined network access controls to ensure only authorized users can access PHI.

  • Secure Remote Access from all endpoints ensures equally secure and protected network access for remote and hybrid work environments without putting health data at risk.

  • 256-bit AES encrypts data that is being sent between networks and reduces data breach risks.

  • Compatibility with major cloud platforms such as Entra ID and AWS. Integrate Secure Remote Access with cloud-native controls to create a solid HIPAA security setup.

All SaaS companies operating in the health sector need rock-solid data protection that complies with HIPAA regulations. Explore your options and ensure safe access to PHI with NordLayer's assistance.
