HIPAA in Buying
PHI implications.
The HIPAA question
If your software handles protected health information (PHI), every vendor in the data path needs a Business Associate Agreement (BAA).
BAAs are not optional; HIPAA penalties for missing them run $50 to $1.5M per violation.
Default rule: assume HIPAA scope creeps. A logging tool that sees patient names is in scope, even if you didn't intend it.
What to ask vendors
BAA availability and price. Some vendors gate BAA behind enterprise tiers; budget accordingly.
Encryption at rest and in transit. AES-256 at rest, TLS 1.2+ in transit. Anything weaker fails HIPAA.
Access controls and audit logs. Who at the vendor can see PHI? Require a log of every access, retained for at least 6 years.
Data flow mapping
Diagram every data path. Application → DB → backups → BI tools → logs → support tickets. PHI lives everywhere.
Mark each node as "covered by BAA" or "out of scope". Out-of-scope nodes must not see PHI; enforce in code.
Re-audit annually. New tools sneak into the data path; HIPAA scope grows silently.
Common traps
Slack and Jira don't sign BAAs at standard tiers. PHI in tickets is a violation.
Email. Most providers (Gmail, Outlook 365) sign BAAs at enterprise tiers, but the coverage holds only if the service is configured correctly.
Production data in dev environments. Even synthetic-looking data triggers HIPAA scope if it was derived from real PHI.
Apply
Get a list of all SaaS vendors. Tag each with "in HIPAA path" or not.
Sign BAAs with everyone in the path. Pay the upgrade tier where required.
Audit annually. Add HIPAA scope review to your security review checklist.
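The data-flow mapping steps above (diagram every path, mark each node as covered or out of scope, enforce in code) and the vendor tagging in the apply steps can be automated on the same model. The following is an added example, not code from the page: a small Python data-path graph where each node records whether a BAA is signed, a check that lists every node PHI reaches without a BAA, and a routing guard that strips PHI before a record goes to an out-of-scope node. The vendor names, the edges, the BAA flags and the field allowlist are constructed sample data for illustration, not a real inventory.

```python
"""Constructed PHI data-path scope check (example code, not from the page)."""
from dataclasses import dataclass, field

# Fields that may leave a BAA-covered boundary.  Allowlist rather than a
# denylist of PHI keys so that a newly added field is dropped by default.
# Constructed for this example; a real list comes from your data inventory.
SAFE_FIELDS = {"request_id", "status", "latency_ms"}


@dataclass
class Node:
    """One hop in the data path: a system or SaaS vendor."""
    name: str
    baa_signed: bool                       # "covered by BAA" vs "out of scope"
    downstream: list = field(default_factory=list)


def build_sample_graph() -> Node:
    """Constructed example of the page's path: application -> DB -> backups
    -> BI tool -> logs -> support tickets.  BAA flags are hypothetical."""
    app = Node("application", baa_signed=True)
    db = Node("database", baa_signed=True)
    backups = Node("backup-vendor", baa_signed=True)
    bi = Node("bi-tool", baa_signed=False)
    logs = Node("log-saas", baa_signed=False)
    tickets = Node("ticketing", baa_signed=False)
    app.downstream = [db, logs]
    db.downstream = [backups, bi]
    bi.downstream = [tickets]              # BI exports end up in tickets
    return app


def phi_reach(entry: Node) -> dict:
    """Every node reachable from the PHI entry point is in HIPAA scope,
    because nothing in the graph strips PHI on the way."""
    seen, stack = {}, [entry]
    while stack:
        node = stack.pop()
        if node.name in seen:
            continue
        seen[node.name] = node
        stack.extend(node.downstream)
    return seen


def scope_violations(entry: Node) -> list:
    """Nodes that receive PHI but have no BAA: each one needs a BAA
    (upgrade tier) or must be cut out of the path."""
    return sorted(name for name, node in phi_reach(entry).items()
                  if not node.baa_signed)


def route(record: dict, target: Node) -> dict:
    """Enforce the scope decision in code: a covered node gets the record
    as-is, an out-of-scope node gets only allowlisted non-PHI fields."""
    if target.baa_signed:
        return dict(record)
    return {k: v for k, v in record.items() if k in SAFE_FIELDS}


def audit_vendors(vendors: list) -> list:
    """Apply step: vendors tagged 'in HIPAA path' that still lack a BAA.
    Each entry is (name, in_path, baa_signed)."""
    return sorted(name for name, in_path, baa in vendors if in_path and not baa)


if __name__ == "__main__":
    graph = build_sample_graph()
    print("PHI reaches without BAA:", scope_violations(graph))
    sample = {"request_id": "r-42", "patient_name": "constructed",
              "status": "ok", "latency_ms": 12}
    print("sent to log-saas:", route(sample, Node("log-saas", False)))
    print("vendors to fix:", audit_vendors([("crm", True, True),
                                           ("chat", True, False),
                                           ("payroll", False, False)]))
```

Run it as a script to see the three reports, or call the functions from a test. The reachability check assumes no node redacts on the way; once a guard like route() sits on an edge, the downstream node can be modelled as receiving the redacted copy and removed from the PHI set. The allowlist in route() is deliberate: a denylist of PHI keys silently leaks any field added later, which is exactly the "scope creeps" failure the page warns about.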