HIPAA Compliance Guide for Tech Companies
Navigate HIPAA requirements for technology companies handling protected health information, from the Privacy Rule to technical safeguards.
Key Takeaways
- HIPAA applies to covered entities (health plans, providers, clearinghouses) and their business associates, including technology vendors that handle PHI.
- The Security Rule requires administrative, physical, and technical safeguards to protect electronic PHI.
- Business Associate Agreements (BAAs) are mandatory contracts between covered entities and any vendor that accesses, creates, or stores PHI.
- The Breach Notification Rule requires notification within 60 days of discovery for breaches affecting 500+ individuals.
- HIPAA penalties range from $100 to $50,000 per violation, with annual maximums up to $1.5 million per violation category.
Understanding HIPAA for Technology Companies
Who Must Comply with HIPAA?
HIPAA (the Health Insurance Portability and Accountability Act) applies primarily to covered entities, which include health plans, healthcare providers that transmit health information electronically, and healthcare clearinghouses. However, technology companies frequently fall within HIPAA's scope as business associates — entities that perform functions or activities on behalf of, or provide services to, a covered entity that involve access to protected health information (PHI).
Common technology company scenarios that trigger HIPAA obligations include providing cloud hosting or storage services that hold PHI, developing or maintaining software applications that process PHI, offering data analytics services using health data, providing IT support or managed services to healthcare organizations, and operating telehealth or remote patient monitoring platforms.
Since the HITECH Act, business associates are directly subject to HIPAA's Security Rule, certain provisions of the Privacy Rule, and the Breach Notification Rule. This means technology companies cannot simply defer to their healthcare clients for compliance — they must implement their own HIPAA compliance programs and can face direct penalties from the Office for Civil Rights (OCR) for violations.
Protected Health Information (PHI)
Protected health information encompasses any individually identifiable health information created, received, maintained, or transmitted by a covered entity or business associate. PHI includes demographic data, medical histories, test results, insurance information, and any other information that can be used to identify an individual and that relates to their past, present, or future health condition, the provision of healthcare, or payment for healthcare.
Electronic PHI (ePHI) — PHI in electronic form — is the primary focus for technology companies. The 18 HIPAA identifiers that can make health information individually identifiable include names, dates, phone numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, and IP addresses, among others. Technology companies must identify all instances where their systems create, receive, store, or transmit ePHI.
ClassifyIQ automates the identification and classification of PHI across technology systems, scanning databases, file systems, cloud storage, and application data to locate ePHI and tag it for appropriate handling. This automated discovery is essential for technology companies that may receive PHI through multiple channels and store it across distributed systems.
The HIPAA Security Rule
Administrative Safeguards
Administrative safeguards are the policies, procedures, and actions taken to manage the selection, development, and implementation of security measures. Key administrative safeguards include conducting a risk analysis to identify threats and vulnerabilities to ePHI, implementing a risk management program to mitigate identified risks, designating a security official responsible for developing and implementing security policies, implementing workforce security measures including authorization and supervision procedures, and establishing security awareness and training programs.
Additionally, organizations must develop contingency plans including data backup, disaster recovery, and emergency mode operation procedures. Information access management policies must ensure that only authorized individuals have access to ePHI, and access privileges must be reviewed periodically. Technology companies should also establish incident procedures for detecting, containing, and correcting security incidents.
ComplyIQ provides workflow templates for implementing administrative safeguards, including risk assessment questionnaires, policy templates, training tracking, and incident management procedures. These pre-built workflows accelerate compliance and ensure that all required administrative safeguards are addressed systematically.
Checklist:
- Conduct a comprehensive risk analysis identifying threats to all ePHI
- Develop and implement a risk management plan addressing identified vulnerabilities
- Designate a HIPAA Security Officer with defined responsibilities
- Implement workforce access authorization and review procedures
- Establish a security awareness training program for all staff with access to ePHI
- Develop contingency plans including backup, disaster recovery, and emergency procedures
- Document all policies and procedures and retain the documentation for six years
Technical Safeguards
Technical safeguards are the technology and related policies and procedures that protect ePHI and control access to it. Required technical safeguards include unique user identification (assign unique names or numbers for identifying and tracking user identity), emergency access procedure (establish procedures for obtaining necessary ePHI during emergencies), automatic logoff (implement electronic procedures that terminate sessions after a period of inactivity), and encryption and decryption (implement mechanisms to encrypt and decrypt ePHI).
Audit controls are required to implement hardware, software, or procedural mechanisms that record and examine activity in systems containing ePHI. Integrity controls must protect ePHI from improper alteration or destruction, and mechanisms must be in place to authenticate that ePHI has not been improperly modified. Transmission security requirements mandate the implementation of technical security measures to guard against unauthorized access to ePHI being transmitted over electronic communications networks.
ProtectIQ provides automated technical safeguards for ePHI including encryption at rest and in transit, dynamic data masking that allows authorized users to see only the data elements they need, tokenization that replaces sensitive data with non-sensitive equivalents, and comprehensive audit logging that records all access to ePHI for compliance reporting.
Physical Safeguards
Physical safeguards protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion. For technology companies, physical safeguards primarily apply to data centers, offices where ePHI is accessed, and devices that store or transmit ePHI.
Facility access controls must limit physical access to facilities containing ePHI while ensuring that authorized access is allowed. Workstation use and security policies must specify the proper use of and physical safeguards for workstations that access ePHI. Device and media controls must govern the receipt, removal, movement, and disposal of hardware and electronic media containing ePHI.
For technology companies using cloud infrastructure, many physical safeguards are implemented by the cloud provider. However, the technology company remains responsible for verifying that the cloud provider's physical safeguards meet HIPAA requirements, typically through the cloud provider's BAA and SOC 2 or HITRUST certifications. Additionally, the technology company must implement physical safeguards for its own offices and any devices used by employees to access ePHI.
Business Associate Agreements and Privacy Rule
Business Associate Agreement Requirements
A Business Associate Agreement (BAA) is a legally binding contract between a covered entity and a business associate that establishes the permitted and required uses and disclosures of PHI by the business associate. Technology companies that qualify as business associates must have a BAA in place before accessing, creating, receiving, or storing PHI on behalf of a covered entity.
The BAA must specify the permitted uses and disclosures of PHI, require the business associate to implement appropriate safeguards, require reporting of security incidents and breaches, ensure that subcontractors agree to the same restrictions, make PHI available to satisfy the covered entity's obligations to individuals, return or destroy PHI at termination of the agreement, and make the business associate's internal practices and records available to the HHS for compliance verification.
Technology companies should develop a standard BAA template reviewed by healthcare regulatory counsel and be prepared to negotiate BAA terms with covered entity clients. All subcontractors that handle PHI must also execute BAAs, creating a chain of contractual obligations. Maintain a register of all BAAs and review them annually to ensure they reflect current data handling practices.
Checklist:
- Develop a standard BAA template reviewed by HIPAA-specialized legal counsel
- Ensure BAAs are executed before any PHI is accessed or processed
- Execute BAAs with all subcontractors that access or handle PHI
- Maintain a centralized register of all active BAAs
- Review BAAs annually to ensure they reflect current practices and relationships
- Establish procedures for PHI return or destruction at contract termination
Privacy Rule Obligations for Business Associates
While business associates are primarily governed by the Security Rule, the HITECH Act extended certain Privacy Rule obligations directly to business associates. Business associates must not use or disclose PHI in any manner that would violate the Privacy Rule if done by a covered entity, must comply with the minimum necessary standard (using and disclosing only the minimum PHI necessary to accomplish the intended purpose), and must report any uses or disclosures not permitted by the BAA.
The minimum necessary standard is particularly important for technology companies. When developing software features, designing databases, or providing support services, technology companies should ensure that access to PHI is limited to the minimum necessary for the specific function being performed. Role-based access controls, data masking, and purpose-specific data views help enforce this standard in technical implementations.
ProtectIQ supports minimum necessary compliance through dynamic data masking that restricts PHI visibility based on user role and purpose. Combined with DiscoverIQ's data mapping capabilities, organizations can identify where PHI is stored and ensure that access is appropriately restricted across all systems and applications.
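The role-based masking and purpose-specific views described above, together with the audit and integrity controls listed under Technical Safeguards, as an added example that is not part of this guide or of any product it mentions; the roles, field names and MRN values are constructed, and the audit log is protected with an HMAC chain so that edited or removed entries are detectable:

```python
import hashlib
import hmac
import json
import time
# Minimum-necessary views: fields each role may see (roles/fields constructed for this example).
ROLE_VIEWS = {
    "clinician": {"mrn", "name", "dob", "diagnosis"},
    "billing": {"mrn", "name", "insurance_id"},
    "support": {"mrn"},
}
MASK = "***"
GENESIS = "0" * 64  # chain anchor for the first audit entry


class PhiStore:
    """Role-masked reads of ePHI with an HMAC-chained, tamper-evident audit log."""
    def __init__(self, audit_key: bytes):
        self.audit_key = audit_key  # audit MAC key, kept separate from data keys
        self.records = {}  # mrn -> record dict
        self.audit_log = []
        self.prev_mac = GENESIS

    def _mac(self, entry: dict) -> str:
        body = json.dumps(entry, sort_keys=True).encode()
        return hmac.new(self.audit_key, body, hashlib.sha256).hexdigest()

    def read(self, user_id: str, role: str, mrn: str) -> dict:
        allowed = ROLE_VIEWS.get(role)
        if allowed is None:
            raise PermissionError(f"role {role!r} has no defined PHI view")
        record = self.records[mrn]
        # Audit control: attribute the access to a unique user id and chain the entry
        # to the previous MAC so that edits, deletions and truncation are detectable.
        entry = {"ts": time.time(), "user": user_id, "role": role, "mrn": mrn,
                 "fields": sorted(allowed & record.keys()), "prev": self.prev_mac}
        entry["mac"] = self._mac(entry)
        self.audit_log.append(entry)
        self.prev_mac = entry["mac"]
        # Minimum necessary: fields outside the role's view are masked, not returned.
        return {k: (v if k in allowed else MASK) for k, v in record.items()}

    def verify_audit_log(self) -> bool:
        # Integrity control: recompute every MAC and the chain; False on any tampering.
        prev = GENESIS
        for entry in self.audit_log:
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body["prev"] != prev or not hmac.compare_digest(self._mac(body), entry["mac"]):
                return False
            prev = entry["mac"]
        return hmac.compare_digest(prev, self.prev_mac)
```

In a real deployment the audit key would live in an HSM or KMS and the log would be shipped to write-once storage; the chain here only makes tampering detectable, not impossible.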
Breach Notification and Enforcement
Breach Notification Requirements
The HIPAA Breach Notification Rule requires covered entities and business associates to provide notification following a breach of unsecured PHI. A breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI. There is a presumption that any impermissible use or disclosure constitutes a breach unless a risk assessment demonstrates a low probability that the PHI has been compromised.
Business associates must notify the covered entity of a breach without unreasonable delay, and no later than 60 calendar days from the discovery of the breach. The covered entity is then responsible for notifying affected individuals, the HHS Secretary, and (for breaches affecting 500 or more individuals) prominent media outlets. For breaches affecting 500 or more individuals, HHS posts the incident on its public breach portal, commonly known as the Wall of Shame.
Technology companies should implement breach detection mechanisms, maintain incident response plans specific to PHI breaches, and establish clear communication channels with covered entity clients for breach reporting. ProtectIQ's monitoring capabilities help detect potential breaches in real time, while ComplyIQ provides incident management workflows that ensure timely notification and comprehensive documentation.
Penalties and Enforcement Trends
HIPAA penalties are structured in four tiers based on the level of culpability. Tier 1 covers violations where the entity was unaware and could not have reasonably known (fines of $100-$50,000 per violation). Tier 2 covers violations due to reasonable cause and not willful neglect ($1,000-$50,000 per violation). Tier 3 covers violations due to willful neglect that are corrected within 30 days ($10,000-$50,000 per violation). Tier 4 covers violations due to willful neglect that are not timely corrected ($50,000 per violation). Annual caps range from $25,000 to $1.5 million per violation category.
The OCR has increasingly targeted technology companies in enforcement actions, particularly following the expansion of business associate obligations under HITECH. Common enforcement triggers include failure to conduct comprehensive risk analyses, failure to implement encryption for ePHI, unauthorized disclosure of PHI through software vulnerabilities, and failure to have BAAs in place with all applicable business associates.
In addition to OCR enforcement, state attorneys general can bring civil actions for HIPAA violations under HITECH, and individuals affected by breaches may bring private lawsuits under state privacy and negligence theories. The cumulative enforcement risk underscores the importance of comprehensive HIPAA compliance for technology companies operating in the healthcare space.
Frequently Asked Questions
Does HIPAA apply to health and wellness apps?
It depends on who developed the app and on whose behalf it operates. If a health app is provided by or on behalf of a covered entity (such as a hospital's patient portal), HIPAA applies. However, many consumer health and wellness apps that collect health data directly from users are not subject to HIPAA because there is no covered entity relationship. These apps may instead be subject to FTC regulation and state privacy laws. The FTC has taken enforcement action against health apps that fail to protect health data.
What is the difference between a business associate and a subcontractor under HIPAA?
A business associate is an entity that performs functions or provides services for a covered entity involving access to PHI. A subcontractor is an entity that creates, receives, maintains, or transmits PHI on behalf of a business associate. Under HITECH, subcontractors are also considered business associates and must comply with HIPAA requirements. Business associates must execute BAAs with their subcontractors, creating a chain of compliance obligations.
Is cloud hosting of PHI permissible under HIPAA?
Yes, but the cloud service provider must execute a BAA with the covered entity or business associate and implement appropriate safeguards. Major cloud providers including AWS, Azure, and Google Cloud offer HIPAA-eligible services and will execute BAAs. However, the customer remains responsible for properly configuring cloud services, managing access controls, and ensuring that only HIPAA-eligible services are used for PHI workloads.
How does HIPAA interact with state privacy laws?
HIPAA establishes a federal floor for health data protection, but state laws that provide stronger protections are not preempted. Many states have their own health data privacy laws that impose additional requirements. For example, California's CCPA/CPRA exempts data subject to HIPAA but covers other health information collected by non-covered entities. Technology companies must evaluate both HIPAA and applicable state law requirements for their specific operations.
What constitutes a HIPAA violation for a technology company?
Common HIPAA violations by technology companies include failing to execute BAAs before handling PHI, unauthorized access or disclosure of PHI due to software vulnerabilities or misconfigurations, failure to implement encryption for ePHI at rest and in transit, failure to conduct and document risk analyses, failure to implement access controls and audit logging, and failure to report breaches to covered entity clients within the required timeframe.