Most healthcare SaaS companies discover their HIPAA gaps during a customer security review, a vendor assessment, or — worst case — a breach investigation. The Security Rule has been in effect since 2005, but the number of organizations still operating on partial implementations is striking. This checklist won't substitute for legal counsel, but it will give your technical and compliance teams a clear picture of what "actually implemented" looks like.
Who HIPAA Actually Applies To
The most common misconception: HIPAA only applies to hospitals and insurance companies. In practice, it extends to any business associate (BA) that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity. If your SaaS platform processes, stores, or transmits any data that could identify a patient and is connected to healthcare delivery or payment, you are almost certainly a business associate.
Signing a Business Associate Agreement (BAA) with your covered entity customers is required, but it does not make you compliant. A BAA establishes the legal relationship; the Security Rule controls what you are actually obligated to do. The same obligation flows downstream: any subcontractor that handles PHI on your behalf (hosting, support, analytics) needs a BAA with you.
Administrative Safeguards Checklist
Administrative safeguards are the policies, procedures, and training requirements that govern how your organization handles PHI. The Security Rule labels each implementation specification either "required" or "addressable". Addressable does not mean optional: you either implement the specification, or you document why it is not reasonable and appropriate for your environment and what equivalent measure you use instead. Either way, the decision has to be written down.
Security Management Process (Required)
- Conduct and document a formal risk analysis identifying threats and vulnerabilities to PHI
- Implement a risk management plan that reduces identified risks to a reasonable level
- Apply appropriate sanctions to workforce members who violate policies
- Implement a process to regularly review information system activity logs
Assigned Security Responsibility (Required)
- Designate a security official responsible for developing and implementing HIPAA security policies
Workforce Security
- Implement authorization procedures for workforce access to PHI systems
- Establish a workforce clearance process
- Define termination procedures that revoke access promptly when someone leaves
Access Management
- Implement formal procedures for granting and reviewing access authorization
- Establish a process for managing access changes (role changes, transfers)
Security Awareness and Training
- Train all workforce members on security policies at hire and periodically thereafter; annual refresher training is the common practice, and the rule separately calls for periodic security reminders
- Include specific training on malicious software detection and reporting
- Document that training occurred, including content and attendees
Security Incident Procedures (Required)
- Define what constitutes a security incident involving PHI
- Implement procedures to identify, respond to, mitigate, and document incidents
- Maintain incident records — regulators will ask for them
Contingency Plan (Required)
- Maintain a data backup plan for PHI
- Implement a disaster recovery plan
- Establish an emergency mode operation plan
- Test and revise procedures periodically
Technical Safeguards Checklist
Technical safeguards are the technology controls that protect PHI and control access to it.
Access Controls (Required)
- Assign unique user IDs to every person who accesses PHI systems — no shared accounts
- Implement emergency access procedures for when normal authentication is unavailable
- Implement automatic logoff from systems containing PHI after a period of inactivity
- Encrypt PHI at rest where appropriate. This is addressable on paper, but in practice it is the control that matters most: PHI encrypted in line with HHS guidance is "secured", so its loss is not a reportable breach, while an unencrypted laptop or storage bucket is
Audit Controls (Required)
- Implement hardware, software, or procedural mechanisms to record and examine activity in systems containing PHI
- Log who accessed PHI, when, from where, which records, and what actions were taken (read, update, export, delete)
- Review logs on a documented schedule and retain them for a documented period; the Security Rule's six-year retention requirement applies to your policies and to records of required activities such as log reviews, and most organizations apply the same horizon to the logs themselves
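Here is an added example of what the audit controls above look like in code; it is not from the original page. It records each PHI access event as a hash-chained entry, so a later edit or deletion of an earlier entry is detectable, and runs a simple review pass over the entries. The actors, patient IDs, timestamps and review thresholds are constructed for the demonstration.

```python
"""Tamper-evident PHI access audit log with a periodic review pass.

Added example, not code from the original page. All events below are
constructed sample data.
"""
import hashlib
import json
from collections import defaultdict
from datetime import datetime


class PhiAuditLog:
    """Append-only access log in which every entry commits to the previous
    entry's hash, so editing or deleting an earlier record breaks verification.
    In production the entries would go to append-only or WORM storage; the
    chaining logic is the same."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(event):
        # Canonical JSON (sorted keys, no whitespace) so the hash is stable.
        body = {k: v for k, v in event.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def record(self, ts, actor, action, patient_id, source_ip):
        """Append one PHI access event: who, when, what, which record, from where."""
        event = {
            "ts": ts,                      # ISO 8601 with UTC offset
            "actor": actor,                # unique user ID, never a shared account
            "action": action,              # read / update / export / delete
            "patient_id": patient_id,
            "source_ip": source_ip,
            "prev_hash": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        event["hash"] = self._digest(event)
        self.entries.append(event)
        return event["hash"]

    def verify(self):
        """Index of the first entry that fails the chain check, or None if intact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return None


def review_access(entries, max_patients_per_actor=3, quiet_hours=(22, 6)):
    """Periodic log review: flag actors who touched more distinct patients than
    the threshold, or who accessed PHI during quiet hours. Thresholds are
    illustrative; tune them to each role's expected workload."""
    patients_by_actor = defaultdict(set)
    findings = set()
    start, end = quiet_hours
    for e in entries:
        patients_by_actor[e["actor"]].add(e["patient_id"])
        hour = datetime.fromisoformat(e["ts"]).hour
        if hour >= start or hour < end:
            findings.add((e["actor"], "after-hours access"))
    for actor, patients in patients_by_actor.items():
        if len(patients) > max_patients_per_actor:
            findings.add((actor, "high patient volume"))
    return sorted(findings)


def build_sample_log():
    """Constructed sample events (not real data)."""
    log = PhiAuditLog()
    log.record("2024-03-05T09:12:00+00:00", "dr_lopez", "read", "P-1001", "10.0.4.21")
    log.record("2024-03-05T09:15:00+00:00", "dr_lopez", "update", "P-1001", "10.0.4.21")
    log.record("2024-03-05T23:10:00+00:00", "nurse_k", "read", "P-1002", "10.0.4.37")
    for pid in ("P-1001", "P-1002", "P-1003", "P-1004"):
        log.record("2024-03-06T10:00:00+00:00", "billing_bot", "read", pid, "10.0.9.5")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify() is None)
    print("review findings:", review_access(log.entries))
    log.entries[2]["patient_id"] = "P-9999"     # simulate an after-the-fact edit
    print("first broken entry:", log.verify())
```

The review pass is deliberately simple; the point is that "regularly review information system activity" needs something that actually runs against the log and produces findings someone acts on, and that the log itself can be shown to be intact when an investigator asks.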
Integrity Controls
- Implement electronic mechanisms to corroborate that PHI has not been altered or destroyed in an unauthorized way
- This typically means hashing or integrity monitoring for stored PHI. A plain checksum only catches accidental corruption: whoever can alter the record can recompute it, so the meaningful control is a keyed MAC or signature with the key held outside the datastore, checked on the read path
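An added example (not the page's own code) of the keyed integrity check described above: each stored record carries an HMAC-SHA256 tag over its canonical form, and the read path refuses records whose tag does not verify. The record content and the demo key are constructed; in production the key lives in a KMS or secrets manager, not in the datastore that holds the records.

```python
"""Keyed integrity tags for stored PHI records.

Added example, not from the original page. The record and the key are
constructed for the demonstration.
"""
import hashlib
import hmac
import json

# Constructed demo key. A real deployment fetches this from a KMS or secrets
# manager so that write access to the database alone cannot forge a tag.
DEMO_KEY = b"demo-integrity-key-do-not-use"

# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "patient_id": "P-1001",
    "mrn": "00042",
    "dob": "1980-02-14",
    "allergies": ["penicillin"],
}


def canonical_bytes(record: dict) -> bytes:
    """Stable serialization: key order and whitespace must not change the tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def seal(record: dict, key: bytes = DEMO_KEY) -> dict:
    """Return a copy of the record with an HMAC-SHA256 tag in '_integrity'."""
    body = {k: v for k, v in record.items() if k != "_integrity"}
    tag = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return {**body, "_integrity": tag}


def verify(record: dict, key: bytes = DEMO_KEY) -> bool:
    """True if the tag matches the record's current content (constant-time compare)."""
    tag = record.get("_integrity")
    if not isinstance(tag, str):
        return False
    body = {k: v for k, v in record.items() if k != "_integrity"}
    expected = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def read_record(store: dict, record_id: str, key: bytes = DEMO_KEY) -> dict:
    """Read path: never hand back a record whose integrity tag fails."""
    record = store[record_id]
    if not verify(record, key):
        raise ValueError(f"integrity check failed for {record_id}")
    return record


def demo_tamper() -> tuple:
    """Seal a record, then alter one field directly in the store the way a
    rogue database write would. Returns (verifies_before, verifies_after)."""
    store = {"P-1001": seal(SAMPLE_RECORD)}
    before = verify(store["P-1001"])
    store["P-1001"]["allergies"] = []          # bypasses the application entirely
    after = verify(store["P-1001"])
    return before, after


if __name__ == "__main__":
    print("before/after tampering:", demo_tamper())
```

Note what this does and does not cover: it detects alteration of a record, including a direct database write that bypasses the application, and it detects a tag computed under the wrong key, but it cannot notice that a whole record has been deleted. Destruction has to be caught separately, for instance by reconciling record counts against the audit log.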
Transmission Security
- Implement technical security measures to prevent unauthorized access to PHI transmitted over electronic networks
- In practice: TLS 1.2 or higher for all PHI in transit, no exceptions. That includes internal service-to-service traffic and integration endpoints (SFTP, HL7 and FHIR interfaces, email gateways), not just the public web tier, and it means certificate verification stays on; a client that skips verification is encrypting to whoever answers
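As an added example (not from the original page), the following checks a Python ssl.SSLContext against a minimum-TLS-1.2 policy and puts the weak context shape that turns up in internal integrations next to the hardened one. The policy thresholds are this example's choice; the Security Rule itself does not name a TLS version.

```python
"""Check an ssl.SSLContext against a transmission-security policy.

Added example, not from the original page. The policy (TLS 1.2 floor,
certificate and hostname verification required) is this example's choice.
"""
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context that enforces the policy: TLS 1.2+, peer cert required,
    hostname checked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # verifies cert + hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_default_certs()
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The shape that appears in a lot of internal integrations: verification
    turned off to make a self-signed endpoint "work", and the protocol floor
    left at whatever the OpenSSL build allows."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def tls_policy_violations(ctx: ssl.SSLContext) -> list:
    """Return the list of policy violations for a context; empty means compliant.
    Suitable as a startup self-check before any PHI-carrying connection is made."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("minimum_version below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("peer certificate not required")
    if not ctx.check_hostname:
        problems.append("hostname verification disabled")
    return problems


if __name__ == "__main__":
    print("hardened:", tls_policy_violations(hardened_client_context()))
    print("weak:    ", tls_policy_violations(weak_client_context()))
```

The check only looks at the context configuration, not at what a server actually negotiates; for the server side, apply the same floor (and an appropriate cipher list) in the listener's configuration and confirm it with an external scan of every PHI-carrying endpoint, including the internal ones.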
Physical Safeguards Checklist
Physical safeguards control physical access to systems and devices that contain PHI. For cloud-based SaaS, many of these are inherited from your cloud provider — but you still need to document that inheritance and understand what your BAA with AWS, Azure, or GCP covers.
Facility Access Controls
- Implement policies to limit physical access to electronic information systems and facilities where they're housed
- Maintain records of repairs and modifications to the physical security components of facilities (doors, locks, badge readers, hardware) and of your reviews of facility access logs
Workstation Use and Security
- Specify proper use of workstations that access PHI (physical location, screen position, locking policy)
- Implement physical safeguards for workstations that access PHI — in practice, screen locks and clean desk policies
Device and Media Controls
- Implement policies for disposal of hardware and media that contain PHI — this includes secure wipe or physical destruction
- Implement procedures for removing PHI from equipment before reuse or disposal
- Maintain records of media movement if PHI is involved
Two Mistakes Healthcare SaaS Companies Make
Treating the BAA as the compliance control. A BAA is a contract, not a security program. Signing one obligates you to be compliant; it does not make you compliant. Many of the enforcement actions that have resulted in seven-figure settlements involved organizations that had BAAs in place but had not implemented the underlying requirements, most often the risk analysis.
Implementing the Security Rule but skipping the Breach Notification Rule. Three HIPAA rules reach business associates: the Privacy Rule (to the extent of the BAA's terms and the provisions HITECH applies to BAs directly), the Security Rule, and the Breach Notification Rule. The Breach Notification Rule defines what constitutes a breach and requires a business associate to notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery, where discovery means the first day the breach is known or, with reasonable diligence, would have been known; BAAs frequently shorten that window. An impermissible use or disclosure of unsecured PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised. If you do not have a documented process for breach detection, assessment, and notification, you are not fully compliant, regardless of how good your technical controls are.
What "Actually Implemented" Looks Like
The gap between "we have a policy" and "we are compliant" is evidence. During an audit or OCR investigation, you'll be asked to demonstrate that controls exist and operate as described. That means training records, access review logs, risk analysis documents with dates and signatures, incident tickets, and backup test results.
If you're a healthcare SaaS company that has grown quickly, the most common state is: some controls implemented, some documented, few with evidence, and the risk analysis not done since the company was smaller and the system was simpler. That's the starting point for most HIPAA readiness engagements.
The good news: a properly scoped engagement can close most gaps in three to four months. The bad news: waiting until a customer asks for a HIPAA attestation before starting the work is how companies end up in trouble.