If you build software for healthcare, work with doctors or clinics, or handle patient data in any form — HIPAA compliance isn't optional. It's the law, and the penalties for getting it wrong can end a small business.
This guide cuts through the complexity. We cover what HIPAA actually requires from a small company, what Protected Health Information (PHI) really means, and the practical steps you need to take starting today.
What Is PHI? (And What's Not)
PHI is individually identifiable health information: data that relates to a person's physical or mental health, the care they received, or payment for that care, and that identifies the person (or could reasonably be used to). The practical test is the 18 identifiers: if a dataset contains any of them AND relates to health or healthcare payment, treat it as PHI. Note that PHI is PHI regardless of format (database rows, PDFs, chat messages, voicemail) and regardless of whether it is encrypted.
The 18 HIPAA Identifiers
PHI that has been de-identified is no longer subject to HIPAA. There are two recognised methods: Safe Harbor (all 18 identifiers removed, and you have no actual knowledge that the remaining data could identify the person) and Expert Determination (a qualified expert documents that the re-identification risk is very small). Encryption is not de-identification: an encrypted record is still PHI. If you only ever receive truly de-identified data, you are not a business associate, but get a legal opinion before relying on this, and remember that free-text fields (clinical notes, complaints) routinely leak identifiers that field-level stripping misses.
The Three HIPAA Rules You Must Know
1. The Privacy Rule
Governs who can access PHI and under what circumstances. Covered entities can't share PHI without patient authorization unless it's for treatment, payment, or healthcare operations. Your privacy policy must actually match your data practices.
2. The Security Rule
The part most technical teams focus on. Requires administrative, physical, and technical safeguards to protect electronic PHI (ePHI). We'll cover these in detail below.
3. The Breach Notification Rule
If unsecured PHI is compromised, you must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. A breach affecting 500 or more individuals must also be reported to HHS within that same window, and if 500 or more of them live in one state or jurisdiction, prominent media outlets serving that area must be notified too. Smaller breaches are logged and reported to HHS annually. Reportable breaches are more common than companies expect: a lost unencrypted laptop or a misdirected email with patient data counts.
The Three Safeguard Categories
HIPAA separates requirements into three categories. Most startups concentrate on technical safeguards — but auditors will review all three.
Technical
Encryption, access controls, audit logs, automatic logoff, transmission security
Administrative
Risk analysis, security officer, workforce training, incident response, BAAs
Physical
Workstation controls, device disposal, facility access management
Technical Safeguards (Most Common Gaps)
The following are required for any system handling ePHI. These are where small companies get caught:
- Encryption: AES-256 (or another NIST-approved cipher) for ePHI at rest, TLS 1.2+ for data in transit. The Security Rule lists encryption as an "addressable" specification rather than a named algorithm, but HHS guidance points to the NIST standards and treats encrypted data as "secured": unencrypted PHI on a stolen laptop is a reportable breach, the same laptop with full-disk encryption generally is not.
- Access controls: Unique user accounts for every person. No shared logins. Role-based access limiting users to the minimum data needed to do their job.
- Audit logging: Log every access to ePHI, including denied attempts. Who viewed it, when, from where, and which records. HIPAA's explicit 6-year retention requirement applies to policies, procedures and compliance documentation; most organisations apply the same 6 years to audit logs so that an investigation can be reconstructed.
- Automatic logoff: Sessions and workstations that access ePHI must end after a period of inactivity. HIPAA does not specify the interval; 10 to 20 minutes is the common choice, shorter in shared clinical areas.
- Transmission security: Any ePHI leaving your network must be encrypted. This means your Slack messages, your email to the client, your Jira tickets — all need to be covered if they contain PHI.
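The access-control, audit-logging and automatic-logoff safeguards above fit naturally into one enforcement point in front of the ePHI store. The service below is an added example written for this guide, not code from the guide or from any product: the roles, the per-role field lists, the 15-minute timeout, the sample patient record and the session objects are all assumptions made for the example.

```python
"""Minimum-necessary access, per-access audit trail and inactivity logoff
for an ePHI lookup service (added example, not code from the guide).

Roles, field lists, the timeout value and the sample data are assumptions.
"""
import json
import logging
from dataclasses import dataclass

INACTIVITY_LIMIT_SECONDS = 15 * 60  # assumed policy value; HIPAA sets no number

# Minimum necessary: each role sees only the fields its job needs.
ROLE_FIELDS = {
    "clinician": {"patient_id", "name", "dob", "diagnosis", "medications"},
    "billing": {"patient_id", "name", "insurance_id", "charges"},
    "researcher": set(),  # must use the de-identified dataset, never live ePHI
}


@dataclass
class Session:
    user_id: str        # one account per person, never shared
    role: str
    source_ip: str
    last_activity: float  # epoch seconds of the last authenticated action


class AccessDenied(Exception):
    pass


class PhiService:
    """Every call to get_patient produces exactly one audit entry."""

    def __init__(self, records, audit_logger, clock):
        self._records = records        # patient_id -> record dict
        self._audit = audit_logger     # write-once sink in production
        self._clock = clock            # injected so timeouts are testable
        self.audit_entries = []        # in-memory copy of what was logged

    def _log(self, session, patient_id, outcome, fields):
        entry = {
            "ts": self._clock(),
            "user": session.user_id,
            "role": session.role,
            "ip": session.source_ip,
            "patient": patient_id,
            "outcome": outcome,
            "fields": sorted(fields),
        }
        self.audit_entries.append(entry)
        self._audit.info(json.dumps(entry))

    def get_patient(self, session, patient_id, requested_fields):
        now = self._clock()
        requested = set(requested_fields)
        # Automatic logoff: an idle session cannot be used, only re-authenticated.
        if now - session.last_activity > INACTIVITY_LIMIT_SECONDS:
            self._log(session, patient_id, "denied:session_expired", requested)
            raise AccessDenied("session expired; re-authenticate")
        session.last_activity = now
        # Role-based access control: refuse any field outside the role's set.
        allowed = ROLE_FIELDS.get(session.role, set())
        if not requested <= allowed:
            self._log(session, patient_id, "denied:not_authorized", requested - allowed)
            raise AccessDenied(f"role {session.role!r} may not read {sorted(requested - allowed)}")
        record = self._records.get(patient_id)
        if record is None:
            self._log(session, patient_id, "not_found", requested)
            return None
        self._log(session, patient_id, "read", requested)
        return {f: record[f] for f in requested if f in record}


# Constructed sample data (not a real patient).
PATIENTS = {
    "p-1001": {"patient_id": "p-1001", "name": "Sample Patient", "dob": "1980-07-20",
               "diagnosis": "E11.9", "medications": ["metformin"],
               "insurance_id": "INS-42", "charges": 120.0},
}


def run_demo():
    """Exercise an allowed read, a minimum-necessary denial and a timeout."""
    now = [1_700_000_000.0]            # fake clock, advanced by hand
    svc = PhiService(PATIENTS, logging.getLogger("ephi.audit"), lambda: now[0])
    clinician = Session("dr.alice", "clinician", "10.0.0.5", now[0])
    billing = Session("bob.billing", "billing", "10.0.0.9", now[0])
    results = {"billing_denied": False, "expired": False}
    results["clinician_read"] = svc.get_patient(clinician, "p-1001", ["name", "diagnosis"])
    try:
        svc.get_patient(billing, "p-1001", ["diagnosis"])  # outside billing's fields
    except AccessDenied:
        results["billing_denied"] = True
    now[0] += INACTIVITY_LIMIT_SECONDS + 1                 # idle past the limit
    try:
        svc.get_patient(clinician, "p-1001", ["name"])
    except AccessDenied:
        results["expired"] = True
    results["audit"] = svc.audit_entries
    return results


if __name__ == "__main__":
    for entry in run_demo()["audit"]:
        print(json.dumps(entry))
```

Two design points worth copying: the denial paths log before they raise, so a failed attempt is as visible as a successful read, and the clock is injected, so the logoff rule can be tested without waiting 15 minutes. In production the audit sink should be append-only storage the application's own credentials cannot modify.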
Administrative Safeguards
These are the policies and procedures that prove you take HIPAA seriously:
- Risk Analysis: A documented, ongoing assessment of risks to ePHI confidentiality, integrity, and availability. This is the most commonly cited safeguard in HHS audits. Do it before anything else.
- Designated Security Officer: Someone responsible for HIPAA compliance. For a 10-person startup, this can be the CTO with a clearly defined scope.
- Workforce Training: All employees who access ePHI must be trained on HIPAA requirements. Annual refreshers are standard practice.
- Incident Response Plan: Documented procedures for handling security incidents, including how to determine if a breach occurred and how to notify affected parties.
- Business Associate Agreements (BAAs): Before sharing any PHI with a vendor, you must have a signed BAA. Vendors without BAAs are a compliance gap and a breach risk.
Physical Safeguards
- Facility access controls: Physical access to servers and workstations must be restricted. Cloud-hosted infrastructure is generally fine if your cloud provider signs a BAA (AWS, Azure, and GCP all do).
- Workstation security: Workstations that access ePHI must have automatic screen lock and be restricted to authorized users.
- Media disposal: Any device that stored ePHI must be securely wiped before disposal. Simple deletion is not enough.
HIPAA Penalties Are Not a Slap on the Wrist
The HHS Office for Civil Rights (OCR) has been increasingly aggressive in enforcement. Civil penalties are assessed per violation, with annual caps per type of violation, so one incident that involves several failures (no risk analysis, no BAA, unencrypted data) can produce several penalties.
Published OCR settlements in recent years have regularly run into seven figures. Even a "small" breach at a 20-person startup can easily exceed $100,000 in combined fines, breach notification costs, and credit monitoring for affected patients.
Getting Started: Your First 5 Steps
- Conduct a HIPAA Risk Analysis. Before anything else. Know where PHI exists in your systems and what risks it faces. This is required by law and is the foundation of everything else.
- Identify every vendor that touches PHI. Your EHR, your messaging tool, your email provider, your cloud host. Get BAAs signed with every one of them. No BAA = no PHI.
- Encrypt everything. Full-disk encryption on all devices. TLS on all connections. If you can afford nothing else, do this.
- Write your HIPAA policies. Minimum: Privacy Policy, Security Policy, Incident Response Plan, Workforce Training Policy. Make sure they reflect what you actually do.
- Designate a Security Officer. Give someone explicit responsibility. Even if it's a co-founder wearing multiple hats, having a named owner prevents compliance from falling through the cracks.