HIPAA Compliance Software — Complete Guide
HIPAA is a federal law, not a voluntary certification. Get it wrong and you're looking at OCR enforcement, not just a failed audit. Here's who actually needs HIPAA compliance software, what it does, and what it costs — clearly.
Who HIPAA actually applies to
| Entity type | Examples | HIPAA applies? |
|---|---|---|
| Covered Entity | Hospital, clinic, doctor, pharmacy, health insurer, health plan | ✅ Yes — directly regulated |
| Business Associate | Medical billing company, EHR vendor, healthcare software company, cloud provider storing PHI, transcription service | ✅ Yes — directly regulated since HITECH |
| Business Associate's vendor | A subcontractor who processes PHI on behalf of a Business Associate | ✅ Yes — subcontractor BAA required |
| Health-adjacent company (no PHI) | Wellness app, fitness tracker, general HR software without health plan integration | ❌ No — if no PHI is received or processed |
| Consumer health app | Calorie counter, period tracker, symptom journal (not connected to providers) | ❌ No — explicitly excluded if not a CE or BA |
Common mistake: Many software companies assume being in "healthcare" means they're subject to HIPAA. The trigger is receiving, creating, or transmitting PHI — not just selling into healthcare markets. An analytics company that only receives de-identified data may have no HIPAA obligations at all.
Business Associate Agreements (BAA) explained
A BAA is a contract. Under HIPAA, a Covered Entity cannot share PHI with any Business Associate without a signed BAA in place. Period. If your EHR sends patient data to your cloud storage and your cloud provider hasn't signed a BAA, that's a HIPAA violation — whether or not a breach occurs.
Every vendor that touches PHI must sign a BAA before going live:
- Cloud infrastructure (AWS, Google Cloud, Azure — all offer HIPAA BAAs)
- Email provider (if PHI is in email — Google Workspace and Microsoft 365 offer BAAs)
- EHR / practice management software
- Billing and claims processing companies
- Business analytics / BI tools (if PHI flows into them)
- Backup and disaster recovery services
- IT support and managed services companies
HIPAA compliance platforms maintain a BAA registry — a tracked list of all vendors that have signed BAAs, expiration dates, and scope. Without a platform, this is typically a folder of PDFs that gets out of date.
Some major vendors do NOT offer BAAs — most notably consumer-tier services. Google Workspace offers one; Gmail (personal) does not. Know the difference before you use a tool with PHI.
What HIPAA compliance software actually does
- Risk assessment automation: HIPAA requires a periodic risk assessment of threats to PHI confidentiality, integrity, and availability. Platforms guide you through the assessment and document results in the required format.
- Policy management: Stores HIPAA policies (Privacy Policy, Security Policy, Breach Notification procedures, sanctions policy), versions them, distributes to staff, and tracks acknowledgment signatures.
- Workforce training: Delivers required HIPAA training to all employees and contractors, tracks completion, and generates reports for audit readiness.
- BAA tracking: Maintains a central registry of all Business Associate Agreements — who signed, what scope, when it was signed, and when it needs renewal.
- Incident management: Manages the breach notification process — logging potential breaches, running through the four-factor risk assessment to determine if notification is required, documenting decisions.
- Audit log documentation: HIPAA requires audit controls — records of PHI access. Platforms help document that these technical controls are in place and logs are reviewed.
HIPAA compliance tools compared
| Tool | Best for | Price est. | Key feature |
|---|---|---|---|
| Compliancy Group | Small–mid healthcare practices | $3,000–8,000/yr | Dedicated HIPAA Coach, built for non-technical users |
| Accountable HQ | Solo practitioners, small clinics | $2,000–5,000/yr | Simple interface, BAA library, fast onboarding |
| HIPAA One (now Intraprise Health) | Mid-market healthcare orgs | $5,000–15,000/yr | Risk analysis tools, comprehensive documentation |
| Sprinto (HIPAA module) | Healthcare SaaS companies doing SOC 2 + HIPAA | $10,000–20,000/yr | Multi-framework, integrations, good for tech companies |
| Drata (HIPAA) | B2B healthcare software, tech-first | $15,000–25,000/yr combined | Best automation, strong when paired with SOC 2 |
| Clearwater Compliance | Larger health systems, hospitals | $30,000–100,000+/yr | Managed service, former ONC/OCR staff, enterprise-grade |
For healthcare practices: Compliancy Group or Accountable HQ are purpose-built for your use case and priced accordingly. You don't need a $20k/yr startup compliance platform — it's overkill.
For healthcare SaaS / health tech: Sprinto or Drata with the HIPAA module is the right choice if you're also pursuing SOC 2 — you get both frameworks in one platform.
HIPAA compliance software cost
| Scenario | Typical annual cost | Notes |
|---|---|---|
| Solo practice / small clinic | $2,000–5,000/yr | Accountable HQ or similar; covers policies, training, BAAs |
| Mid-size medical practice (10–50 staff) | $4,000–10,000/yr | Compliancy Group, HIPAA One; includes risk assessment support |
| Healthcare SaaS startup | $10,000–25,000/yr | Sprinto or Drata HIPAA module; often bundled with SOC 2 |
| Mid-market health tech company | $20,000–50,000/yr | Full platform + managed service elements |
| Health system / hospital | $50,000–200,000+/yr | Enterprise GRC; Clearwater, Meditology, or internal CISO team |
Contrast with enforcement fines: OCR has issued fines from $100 per violation to $1.9 million per violation category. Most breach settlements include a Corrective Action Plan that costs more than 3 years of compliance software. The ROI calculation is straightforward.
🧭 SideGuy: Do you actually need HIPAA software?
- ✅ Yes if: you store, receive, or transmit PHI as a Covered Entity or Business Associate. A doctor's office with any digital records. A healthcare SaaS platform that receives patient data from providers. A billing company processing claims.
- 🟡 Maybe if: you're building a consumer health app that may later integrate with provider systems; you're a vendor considering a healthcare market expansion; you have a HIPAA-covered client who is pressuring you to document compliance.
- ❌ Probably not if: you sell marketing software to doctors but never receive patient data; you make general wellness apps with no provider integration; your healthcare connection is purely administrative (facilities management, non-clinical HR).
Unsure? The correct first step is a HIPAA legal opinion from a healthcare attorney ($500–2,000) to confirm whether you're a Covered Entity or Business Associate before spending on software. A 30-minute call can save $10,000+/year in unnecessary compliance spend.
HIPAA Glossary
- PHI (Protected Health Information): Individually identifiable health information created, received, or maintained by a Covered Entity or Business Associate. Includes name, address, dates, phone, SSN, medical records, billing info, and more — when linked to health data.
- Covered Entity: Healthcare providers (doctors, hospitals, pharmacies), health plans (insurers, HMOs), and healthcare clearinghouses. Directly regulated by HIPAA.
- Business Associate: A vendor or contractor that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity. Also directly regulated by HIPAA since HITECH (2009).
- BAA (Business Associate Agreement): Required contract between a Covered Entity and any Business Associate. Defines permitted uses of PHI, safeguards required, and breach notification obligations.
- OCR: Office for Civil Rights at HHS. Enforces HIPAA. Conducts audits and investigations. Issues fines and requires Corrective Action Plans (CAPs).
- Risk Assessment: HIPAA Security Rule §164.308(a)(1) requires a periodic assessment of threats and vulnerabilities to PHI. Must be documented — not just performed.
- Minimum Necessary: HIPAA principle requiring that PHI access and disclosure be limited to the minimum necessary to accomplish the purpose.
- De-identified data: PHI with all 18 HIPAA identifiers removed. De-identified data is not PHI and not subject to HIPAA privacy restrictions — but de-identification must be done correctly.
FAQ
What is a Business Associate Agreement (BAA)?
A required HIPAA contract between a Covered Entity and any vendor that touches PHI. If a vendor hasn't signed a BAA before receiving PHI, that's a violation — whether or not a breach occurs.
Do I need HIPAA software if I'm a healthcare software company?
Yes, if you receive, store, or transmit PHI as part of your service. Healthcare software vendors are Business Associates and are directly regulated by HIPAA since HITECH (2009).
How much does HIPAA compliance cost?
Small practices: $2,000–5,000/yr. Healthcare SaaS startups: $10,000–25,000/yr. Enterprise health systems: $50,000–200,000+/yr. There is no formal audit cost, but OCR enforcement fines can reach $1.9M per violation category — making software cheap insurance.