HIPAA for startups — when you need it, when you don't, how to start

If your SaaS touches any health information — wearables, mental-health apps, telehealth — you may be subject to HIPAA. Here is how to tell if you are in scope, what it takes to comply, and when to just say no.

HIPAA (Health Insurance Portability and Accountability Act, 1996) regulates how Protected Health Information (PHI) is handled by covered entities (healthcare providers, health plans, clearinghouses) and their business associates. Most indie SaaS startups are not directly in scope — but if you sell to a covered entity, you become a business associate and inherit the compliance burden. The cheapest strategy is often to stay out of scope entirely.

What it is

HIPAA has two main rules: the Privacy Rule (who can access PHI and for what purposes) and the Security Rule (technical, physical, and administrative safeguards for electronic PHI). Enforcement is by the US Department of Health & Human Services Office for Civil Rights (OCR). Fines range from $100 to $50,000 per violation depending on culpability, up to $1.5M/year per violation category.

Signs you might accidentally be in HIPAA scope

- A hospital signed up and pasted patient data into your SaaS
- You integrate with Apple HealthKit or Fitbit API for a non-fitness purpose
- Your LLM prompts are sent by therapists describing named clients
- You store images that might contain medical info (scans, prescriptions)
- A telehealth startup is using your generic form-builder for intake forms
- Your analytics pipeline logs free-text notes that could contain PHI

If you need HIPAA, the minimum viable path

1. Sign Business Associate Agreements (BAAs) with all downstream vendors
2. Encrypt PHI at rest (AES-256) and in transit (TLS 1.2+)
3. Implement access controls + audit logging
4. Document technical, physical, administrative safeguards (Security Rule)
5. Train every employee who touches PHI (annual minimum)
6. Maintain a breach-notification procedure (60-day rule to individuals)
7. Have a designated Privacy Officer and Security Officer
8. Run an annual risk assessment and remediate findings
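Steps 2 and 3 are the ones engineers can start on the same day. The block below is an added illustration, not Securie's code or any vendor's: a small role-based authorization layer around an in-memory PHI store, with every access attempt (allowed or denied) written to an HMAC-chained audit log so that edits or deletions of log entries are detectable. Roles, record shapes, the "privileged action needs MFA" rule and the signing key are all constructed for the demo; encryption at rest is left to the database or KMS layer and is not shown.

```python
"""RBAC + tamper-evident audit log around PHI records (added demo, not vendor code)."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field

# Constructed role matrix: the actions each role may perform on a PHI record.
ROLE_PERMISSIONS = {
    "clinician": {"read", "update"},
    "billing": {"read"},
    "admin": {"read", "update", "export", "delete"},
}
# Privileged actions additionally require an MFA-verified session.
PRIVILEGED_ACTIONS = {"export", "delete"}
GENESIS = "0" * 64  # prev-hash of the first entry


class AccessDenied(PermissionError):
    """Role (or missing MFA) does not permit the requested action."""


@dataclass
class Session:
    user_id: str
    role: str
    mfa_verified: bool = False


@dataclass
class AuditLog:
    """Append-only log; each entry's HMAC covers its fields plus the previous hash."""
    secret: bytes  # constructed demo key; in practice fetched from a KMS
    entries: list = field(default_factory=list)

    def _digest(self, body: dict) -> str:
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self.secret, payload, hashlib.sha256).hexdigest()

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {**event, "prev": prev}
        entry = {**body, "hash": self._digest(body)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was edited, removed or reordered."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body.get("prev") != prev:
                return False
            if not hmac.compare_digest(self._digest(body), entry["hash"]):
                return False
            prev = entry["hash"]
        return True


class PhiStore:
    """In-memory PHI store; every access attempt is logged before the action runs."""

    def __init__(self, audit: AuditLog, clock=time.time):
        self._records: dict[str, dict] = {}
        self.audit = audit
        self._clock = clock

    def _authorize(self, session: Session, action: str, record_id: str) -> None:
        allowed = action in ROLE_PERMISSIONS.get(session.role, set())
        if allowed and action in PRIVILEGED_ACTIONS and not session.mfa_verified:
            allowed = False
        # Record who, what, when and the outcome; never the PHI itself.
        self.audit.append({"ts": self._clock(), "user": session.user_id,
                           "role": session.role, "action": action,
                           "record": record_id,
                           "outcome": "allow" if allowed else "deny"})
        if not allowed:
            raise AccessDenied(f"{session.user_id} ({session.role}) may not {action} {record_id}")

    def update(self, session: Session, record_id: str, fields: dict) -> None:
        self._authorize(session, "update", record_id)
        self._records.setdefault(record_id, {}).update(fields)

    def read(self, session: Session, record_id: str) -> dict:
        self._authorize(session, "read", record_id)
        return dict(self._records[record_id])

    def export(self, session: Session, record_id: str) -> str:
        self._authorize(session, "export", record_id)
        return json.dumps(self._records[record_id], sort_keys=True)


def demo() -> dict:
    """Walk through allowed and denied accesses and return the outcomes for checking."""
    store = PhiStore(AuditLog(secret=b"constructed-demo-key"))
    store.update(Session("dr-lee", "clinician"), "rec-1", {"dx": "constructed sample"})
    billing_view = store.read(Session("acct-1", "billing"), "rec-1")
    denied = []
    for sess, action in [(Session("ops-1", "admin"), "export"),       # admin, no MFA
                         (Session("mkt-1", "marketing"), "read")]:    # role with no rights
        try:
            getattr(store, action)(sess, "rec-1")
        except AccessDenied:
            denied.append(sess.user_id)
    exported = store.export(Session("ops-1", "admin", mfa_verified=True), "rec-1")
    outcomes = [e["outcome"] for e in store.audit.entries]
    intact_before = store.audit.verify()
    store.audit.entries[1]["user"] = "someone-else"  # simulate after-the-fact tampering
    return {"billing_view": billing_view, "denied": denied, "exported": exported,
            "outcomes": outcomes, "intact_before": intact_before,
            "intact_after": store.audit.verify()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points worth copying: denials are logged as well as successes (an auditor will ask about attempted access, not just completed access), and the log stores identifiers and outcomes but never the PHI payload, which keeps the audit trail itself from becoming another PHI store.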

How Securie catches it

Securie's HIPAA-awareness checks are planned for after general availability (post-GA). Pre-launch, the tool library includes a Privacy Policy template and a DPA template; these are starting points, not HIPAA-compliant out of the box.

Checklist

  • Business Associate Agreements signed with every vendor that touches PHI
  • Encryption at rest + in transit (TLS 1.2+, AES-256)
  • Access control (role-based, with MFA on privileged access)
  • Audit logging of every PHI access/modification
  • Annual risk assessment documented + remediation tracked
  • Privacy Officer + Security Officer designated
  • Employee training completed + logged (annual)
  • Breach-notification procedure tested
  • Facility controls + workstation security policy
  • Data backup + disaster-recovery plan documented + tested

FAQ

Does HIPAA apply to my fitness app?

Only if you are a covered entity (healthcare provider, plan, or clearinghouse) or a business associate of one. A consumer fitness app that collects step counts directly from users is NOT subject to HIPAA. But if a healthcare provider starts using your fitness app to monitor patients, you may become a business associate and need a BAA.

Is Supabase HIPAA-compliant?

Supabase offers HIPAA-eligible deployments on their Team + Enterprise plans with a signed BAA. The standard Supabase plan is not HIPAA-compliant out of the box. Check with Supabase and sign the BAA before storing PHI.

Is Vercel HIPAA-compliant?

Vercel Enterprise offers a BAA. Hobby and Pro plans are not HIPAA-compliant. For a startup needing HIPAA, the options are Vercel Enterprise, or host on AWS/GCP/Azure with their HIPAA-eligible services + signed BAA.

What counts as PHI?

Any of the 18 HIPAA identifiers combined with health information: names, dates, geographic subdivisions smaller than a state, phone, fax, email, SSN, medical record numbers, health plan IDs, account numbers, certificate/license numbers, vehicle identifiers, device identifiers, URLs, IP addresses, biometric identifiers, full-face photos, and any other unique identifier.
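The identifier list above, together with the "analytics pipeline logs free-text notes" sign from the scope section, suggests a concrete control: scan free text for identifier patterns before it is shipped to logs or analytics. The block below is an added example, not Securie's code: regexes for the machine-findable identifiers (SSN, phone, email, IPv4, dates, medical record numbers, URLs), a redactor that swaps each hit for a `[KIND]` token, and a batch scrubber that tallies what it found. Names and unstructured clinical detail are not caught by regexes and need a dedicated DLP or NER step on top; the sample notes are constructed.

```python
"""Detect and redact structured HIPAA identifier patterns in free text (added example)."""
import re
from typing import NamedTuple


class Finding(NamedTuple):
    kind: str
    value: str
    start: int
    end: int


# Checked in order; the first pattern to claim a span wins, so the strict
# SSN shape is tried before the looser phone shape.
PATTERNS = [
    ("SSN", re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")),
    ("PHONE", re.compile(r"(?<!\d)(?:\+?1[-.\s]?)?(?:\(\d{3}\)|\d{3})[-.\s]\d{3}[-.\s]\d{4}(?!\d)")),
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("IPV4", re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")),
    ("DATE", re.compile(r"(?<!\d)\d{1,2}/\d{1,2}/\d{2,4}(?!\d)")),
    ("MRN", re.compile(r"\bMRN\s*[:#]?\s*\d{5,}(?!\d)", re.IGNORECASE)),
    ("URL", re.compile(r"https?://\S+", re.IGNORECASE)),
]


def find_phi(text: str) -> list[Finding]:
    """Return non-overlapping identifier hits, sorted by position in the text."""
    claimed: list[tuple[int, int]] = []
    findings: list[Finding] = []
    for kind, pattern in PATTERNS:
        for m in pattern.finditer(text):
            if any(m.start() < e and s < m.end() for s, e in claimed):
                continue  # span already attributed to an earlier pattern
            claimed.append((m.start(), m.end()))
            findings.append(Finding(kind, m.group(), m.start(), m.end()))
    return sorted(findings, key=lambda f: f.start)


def redact(text: str) -> str:
    """Replace each hit with a [KIND] token so the line can be logged safely."""
    out, cursor = [], 0
    for f in find_phi(text):
        out.append(text[cursor:f.start])
        out.append(f"[{f.kind}]")
        cursor = f.end
    out.append(text[cursor:])
    return "".join(out)


def scrub_batch(lines: list[str]) -> tuple[list[str], dict[str, int]]:
    """Redact a batch of lines and tally hits by kind (useful as a pipeline metric)."""
    counts: dict[str, int] = {}
    cleaned = []
    for line in lines:
        for f in find_phi(line):
            counts[f.kind] = counts.get(f.kind, 0) + 1
        cleaned.append(redact(line))
    return cleaned, counts


# Constructed sample notes resembling what an intake form or therapist UI might log.
SAMPLE_NOTES = [
    "Therapist note: client MRN 00987654, DOB 04/12/1987, reports anxiety.",
    "Contact patient at (555) 010-2222 or jane.doe@example.com re: lab results.",
    "Session booked from 203.0.113.42 using promo code SPRING24.",
    "Weekly step-count summary exported, no individual records.",
]

if __name__ == "__main__":
    cleaned, counts = scrub_batch(SAMPLE_NOTES)
    for line in cleaned:
        print(line)
    print(counts)
```

Wire `redact` in at the point where free text leaves your trust boundary (the analytics event builder, the log formatter, the LLM prompt assembler) rather than at ingestion, and treat a non-zero hit count on a product surface that is not supposed to carry PHI as the "a hospital pasted patient data" signal from the scope list.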

Can I just say 'no' to HIPAA customers until I'm bigger?

Often the right call at pre-seed or seed. Signing one HIPAA customer means investing ~3-6 months of engineering time in BAAs, audit logs, risk assessments, policies, and ongoing compliance. If healthcare is not your go-to-market (GTM) focus, decline until you can dedicate resources to doing it right.