Skip to main content
RoseleapBlog · Compliance

HIPAA for healthcare businesses in 2026

A practical guide for healthcare worldwide, when HIPAA applies, the Privacy and Security Rules, breach notification, BAAs, encryption, and the cost of getting it wrong.

·14 min read

The Health Insurance Portability and Accountability Act (HIPAA) is the United States' cornerstone healthcare privacy law. It is roughly 30 years old, has been updated several times, and remains the most enforced healthcare privacy framework in the world. If your business, anywhere on the planet, processes Protected Health Information (PHI) for US patients or US healthcare providers, HIPAA applies to you.

Most non-US healthcare technology businesses dramatically underestimate this. They assume HIPAA only applies to US-based companies. It doesn't. The day you sign a Business Associate Agreement with a US Covered Entity, you become subject to HIPAA. The day you process PHI without a BAA, you create exposure for your US client and yourself.

This guide is the practical version: who HIPAA applies to, the three core rules, what your platform actually needs, what a Business Associate Agreement is, the penalties for getting it wrong, and how to start.

The three rules of HIPAA

HIPAA is implemented through three main rules, each governing a different aspect of Protected Health Information:

  • The Privacy Rule: what you can and can't do with PHI. Who can access it, when consent is required, how patients can exercise rights over their own data, what counts as a permitted use.
  • The Security Rule: how PHI must be protected technically. Administrative, physical and technical safeguards. The encryption, access control, audit logging and incident response requirements.
  • The Breach Notification Rule: what to do when something goes wrong. When you must notify HHS, affected individuals and (for large breaches) the media. 60 days to notify.

A fourth rule, the Enforcement Rule, defines penalties and the investigation process. And the HITECH Act of 2009 extended many obligations to Business Associates (third parties handling PHI), which is where most non-US healthcare tech businesses fit in.

Covered Entities and Business Associates

HIPAA has two main subject categories:

  • Covered Entities (CEs): US healthcare providers, health plans (insurers), and healthcare clearinghouses. They generate or hold the PHI directly.
  • Business Associates (BAs): any third party that creates, receives, maintains or transmits PHI on behalf of a Covered Entity. This is where most healthcare technology vendors sit: telemedicine platforms, EHR vendors, billing providers, claims processors, transcription services, IT consultants, cloud hosting providers, software developers handling PHI.

If you fall under Business Associate, HIPAA applies to you the moment you sign a BAA with a Covered Entity. There is no minimum revenue threshold. There is no exemption for non-US-based businesses. A two-person startup in São Paulo handling US dentist billing data is a Business Associate, with the same compliance obligations as a 10,000-employee US enterprise.

What is a Business Associate Agreement?

A Business Associate Agreement (BAA) is a contract that flows HIPAA obligations down the vendor chain. It is the linchpin of HIPAA compliance for any business that doesn't directly hold patient relationships.

Key BAA provisions include:

  • What PHI the Business Associate can access.
  • How the BA will use, disclose, and protect that PHI.
  • The BA's obligation to report breaches to the Covered Entity.
  • Permission to engage sub-contractors (and the requirement that they also sign BAAs).
  • What happens to PHI when the contract terminates.

Without a signed BAA, a Covered Entity is not allowed to share PHI with you. Doing so is a HIPAA violation on the CE's part. Reputable US healthcare clients will simply refuse to onboard a vendor that can't produce a BAA.

Importantly, you also need BAAs with your own sub-processors: your hosting provider, your email service, your analytics tool, your support platform. AWS, Google Cloud, Azure, Microsoft 365, Twilio, SendGrid, Datadog and many other major vendors offer signed BAAs as part of their HIPAA-eligible service offerings. Other common SaaS tools (most consumer-grade chat tools, generic email providers, ad-tech analytics) do not, and using them with PHI breaks the chain.

Every PHI flow needs an unbroken BAA chain, from your client, to you, to each of your sub-processors. The day any link is missing, your compliance posture breaks. Audit your vendor stack and confirm BAAs are in place before PHI starts flowing.

The Security Rule technical safeguards

The Security Rule specifies administrative, physical and technical safeguards. For a modern cloud-hosted healthcare platform, the technical safeguards are where most of the engineering work happens:

  • Access controls: unique user identification (no shared logins), emergency access procedures, automatic logoff, encryption and decryption.
  • Audit controls: record and examine activity in information systems that contain PHI. Tamper-evident logs are the practical implementation.
  • Integrity: protect PHI from improper alteration or destruction. Checksums, version history, immutable storage where appropriate.
  • Person/entity authentication: verify the identity of anyone accessing PHI. Multi-factor authentication is now table stakes; OCR has cited platforms without MFA in recent enforcement.
  • Transmission security: encrypt PHI in transit (TLS 1.2 minimum, 1.3 preferred) and at rest (AES-256 standard).

Penalties, what HIPAA fines actually look like

HIPAA has a tiered penalty structure based on culpability:

  • Tier 1, Lack of knowledge: $100 to $50,000 USD per violation, max $25,000 USD/year per category.
  • Tier 2, Reasonable cause: $1,000 to $50,000 USD per violation, max $100,000 USD/year.
  • Tier 3, Willful neglect (corrected): $10,000 to $50,000 USD per violation, max $250,000 USD/year.
  • Tier 4, Willful neglect (uncorrected): $50,000 USD per violation, max $1.5 million USD/year per category.

These are 2024 inflation-adjusted figures and update annually. Civil penalties can stack across categories, a single breach involving multiple violations can total many millions. Criminal HIPAA violations (knowing misuse for personal gain or malicious harm) carry prison time up to 10 years.

More importantly: HIPAA breaches affecting 500+ individuals are published on the HHS “Wall of Shame” indefinitely. US healthcare procurement teams check this list before signing vendors. A single major breach can end your US healthcare business overnight.

What your platform actually needs

For most healthcare technology businesses (telehealth, clinical research, billing, scheduling, EHR-adjacent tools), the practical HIPAA-aware stack looks like this:

Infrastructure

  • HIPAA-eligible cloud (AWS HIPAA-Eligible Services / GCP Cloud Healthcare API / Azure HIPAA-compliant services).
  • Signed BAAs with cloud provider and every PHI-handling vendor.
  • Encryption at rest (AES-256) on all databases, backups, file storage.
  • Encryption in transit (TLS 1.3) on all network connections.
  • Key management with documented rotation policy.
  • Logs from every system that touches PHI, retained for 6 years.

Application

  • MFA on all administrative access.
  • Role-based access control with documented role definitions.
  • Tamper-evident audit logging of every PHI read, write, export and delete.
  • Automatic session timeout (typically 15 minutes for clinical apps).
  • No PHI in URLs, logs (other than audit logs), error messages or analytics events.
  • Data segregation between tenants in multi-tenant SaaS.

Documentation

  • Notice of Privacy Practices (NPP) for any patient-facing product.
  • Security Risk Analysis, done annually, documented.
  • Breach Notification policy and incident playbook.
  • Sanctions policy for workforce members who violate HIPAA.
  • Workforce training records, annual training is required.
  • BAA inventory, who you have BAAs with, where the executed contracts live.

HIPAA vs other privacy regimes

HIPAA is US-specific to healthcare data. It does not preempt other privacy laws and does not satisfy them either. A platform serving multiple jurisdictions typically needs:

  • US patients → HIPAA (Covered Entity / Business Associate path)
  • EU patients → GDPR (health data is a special category requiring explicit consent)
  • UK patients → UK GDPR + Data Protection Act 2018
  • Indian patients → DPDP Act 2023 (with sensitive personal data category likely to emerge in rules)
  • Canadian patients → PIPEDA + province-specific laws (PHIPA in Ontario, HIA in Alberta, etc.)
  • Australian patients → Privacy Act 1988 + APP-specific health data provisions

The technical controls overlap meaningfully across all of these (encryption, access logging, breach notification, retention). The policy documentation, consent models and notification timelines differ. A multi-jurisdiction healthcare platform typically runs one underlying control framework with jurisdiction-specific policy addenda.

How to start (this week)

  • List every PHI flow in your business.Who creates PHI, where it enters your system, where it's stored, who can access it, who you send it to. This map is the foundation of everything else.
  • Audit your vendor stack. For every tool that touches PHI, confirm a signed BAA is in place. If not, either get one or move PHI off that tool.
  • Check your encryption. At rest, in transit, in backups. Anything not encrypted is a finding waiting to happen.
  • Add MFA to all admin access. Recent OCR enforcement has specifically cited platforms without MFA.
  • Schedule your annual Security Risk Analysis.If you don't have one on file, that's a finding by itself.
HIPAA enforcement has tightened dramatically in 2024–2026. The Office for Civil Rights (OCR) has been actively pursuing Business Associates, not just Covered Entities, and cross-border enforcement is increasingly common. Foreign-based BAs are not invisible to OCR, and US Covered Entities are aggressively offloading liability to their vendors through tighter BAAs.

How RoseLeap can help

We offer HIPAA-Aware Design as a service, gap audit, technical remediation, BAA review, policy authoring and annual risk analysis. We work with healthcare technology businesses globally, based in the US, India, Singapore, Israel, the UK and beyond, that need to do HIPAA properly the first time. We don't sell certification (HIPAA has none); we sell a defensible compliance posture you can point to when a US client's security team comes asking.

Tell us about your platform and your US clients at the contact page. We come back with a fixed-fee scope within one business day.

RoseLeap.

Rooted in Data · Built to Bloom

Need help with your own?

Tell us about your project. We come back with a clear, honest plan.

Start a Project