HIPAA Compliance for SaaS & Cloud Apps
Quick Answer
SaaS companies that store, process, or transmit PHI for covered entities are business associates under HIPAA and must implement required safeguards, sign BAAs, and maintain compliance documentation.
HIPAA for SaaS: The Business Associate Obligation
If your SaaS application handles PHI for healthcare organizations, you're a business associate under HIPAA. This means you must implement administrative, physical, and technical safeguards to protect ePHI, sign Business Associate Agreements with your customers, and comply with the breach notification requirements.
Key Takeaways
- Any SaaS app that touches PHI (stores, processes, transmits) is a business associate
- You need BAAs with customers (covered entities) AND with your cloud providers
- Encryption, access controls, and audit logging are non-negotiable technical requirements
- Multi-tenancy requires strong data isolation to prevent cross-tenant PHI exposure
- Cloud providers offer HIPAA-eligible services, but configuration is your responsibility
Technical Requirements for HIPAA SaaS
HIPAA Technical Safeguards for SaaS
- Encryption at rest: AES-256 for all databases and storage with PHI
- Encryption in transit: TLS 1.2+ for all API and web traffic
- Access controls: role-based access with principle of least privilege
- Multi-factor authentication for all admin and user access
- Unique user identification: no shared accounts
- Automatic session timeout after inactivity
- Audit logging: all access to PHI logged with user, timestamp, action
- Audit log integrity: logs are tamper-proof and retained per policy
- Data backup with tested recovery procedures
- Vulnerability management: regular scanning and patching
- Penetration testing: annual at minimum
- Intrusion detection / monitoring for anomalous access patterns
Cloud Architecture for HIPAA
HIPAA-Compliant SaaS Architecture
Key architectural components for a HIPAA-compliant SaaS application on cloud infrastructure:
- WAF + CDN: Web Application Firewall, DDoS protection
- Application Layer: Encrypted connections, session management, input validation
- Data Layer: Encrypted databases, tenant isolation, backups
- Audit Layer: Centralized logging, SIEM, access monitoring
- IAM: Role-based access, MFA, SSO, deprovisioning
Cloud Provider HIPAA BAAs
| Provider | BAA Available | HIPAA-Eligible Services | Cost |
|---|---|---|---|
| AWS | Yes | 170+ services (check AWS HIPAA eligible services page) | No additional cost for BAA |
| Google Cloud | Yes | Most GCP services covered | No additional cost for BAA |
| Microsoft Azure | Yes | Most Azure services covered | No additional cost for BAA |
| Heroku | Yes (Shield) | Heroku Shield (Private Spaces) | Heroku Shield pricing applies |
| Vercel | Limited | Contact sales for BAA | Enterprise plan required |
| Supabase | Yes (Pro+) | Available on Pro plan and above | Pro plan pricing |
❗ Only Use HIPAA-Eligible Services
Cloud providers designate specific services as HIPAA-eligible. Not all services are covered under the BAA. For example, on AWS, you should only use services listed on the AWS HIPAA Eligible Services page for PHI. Using a non-eligible service for PHI may void your BAA protections.
Multi-Tenant PHI Isolation
Multi-tenant SaaS applications must ensure strong isolation between customers' PHI. A breach that exposes one customer's PHI to another tenant is both a HIPAA violation and a catastrophic customer trust issue.
- Database-level isolation: Separate databases per tenant (strongest) or row-level security with enforced tenant context
- Application-level isolation: Tenant ID enforcement in every query, validated at the middleware layer
- Network isolation: VPC isolation for customers requiring dedicated infrastructure
- Encryption key isolation: Per-tenant encryption keys for maximum data isolation
- Audit trail separation: Tenant-specific audit logs that can be provided to individual customers
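One way to implement the application-level isolation described above (tenant ID enforced in every query, with the tenant taken from the authenticated session rather than the request), as an added example that is not code from the original page. The schema, the `clinic-a`/`clinic-b` tenants and the patient records are constructed; the in-memory SQLite database stands in for a production datastore.

```python
import sqlite3
from contextlib import contextmanager

# Constructed schema: every table holding PHI carries a tenant_id column.
SCHEMA = ("CREATE TABLE patients (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, "
          "mrn TEXT NOT NULL, name TEXT NOT NULL)")

class MissingTenantContext(Exception):
    """Raised when PHI is touched without an authenticated tenant in scope."""

class TenantScopedRepo:
    """Data-access layer that adds the tenant predicate to every PHI query. The tenant
    id comes from the verified session (set by middleware), never from a request parameter."""
    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        self._tenant = None
    @contextmanager
    def tenant(self, tenant_id: str):
        # Middleware would enter this scope after validating the session or JWT.
        prev, self._tenant = self._tenant, tenant_id
        try:
            yield self
        finally:
            self._tenant = prev
    def _require_tenant(self) -> str:
        if not self._tenant:
            raise MissingTenantContext("PHI query without tenant context")
        return self._tenant
    def get_patient(self, patient_id: int):
        # Both the id AND the tenant must match; another tenant's row is simply invisible.
        tid = self._require_tenant()
        row = self.conn.execute(
            "SELECT id, mrn, name FROM patients WHERE id = ? AND tenant_id = ?",
            (patient_id, tid)).fetchone()
        return dict(zip(("id", "mrn", "name"), row)) if row else None
    def add_patient(self, mrn: str, name: str) -> int:
        tid = self._require_tenant()
        cur = self.conn.execute(
            "INSERT INTO patients (tenant_id, mrn, name) VALUES (?, ?, ?)",
            (tid, mrn, name))
        return cur.lastrowid

def build_demo_repo() -> TenantScopedRepo:
    # Constructed in-memory database seeded with one record per tenant.
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    repo = TenantScopedRepo(conn)
    with repo.tenant("clinic-a"):
        repo.add_patient("A-0001", "Patient One")
    with repo.tenant("clinic-b"):
        repo.add_patient("B-0001", "Patient Two")
    return repo
```

Database-level row-level security (a per-session tenant variable checked by a policy) gives the same guarantee one layer down and is the stronger complement to this check.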
Can I use serverless (Lambda/Cloud Functions) for HIPAA workloads?
Yes, but with caveats. AWS Lambda is HIPAA-eligible, and Google Cloud Functions and Azure Functions are also covered. Ensure that your serverless functions do not log PHI to the console, that any credentials are held in encrypted environment variables, and that the function execution environment is within the BAA scope.
Is a SaaS product HIPAA compliant if it runs on AWS with a BAA?
No. The AWS BAA covers AWS's infrastructure responsibilities. Everything you build on top — application code, access controls, encryption configuration, audit logging, data handling — is your responsibility. You need your own compliance program.
Do I need separate environments for PHI?
Best practice is to isolate production environments containing PHI from development/staging. Developers should never use real PHI for testing. Use synthetic or de-identified data in non-production environments.
How do I handle PHI in logs?
PHI should not appear in application logs. Implement logging that captures access events (who accessed what, when) without recording the actual PHI content. If PHI must be logged for debugging, ensure logs are encrypted, access-controlled, and subject to retention policies.
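One way to implement the access-event logging described here, which also serves the audit logging and audit log integrity items in the technical safeguards list above, as an added example that is not code from the original page: each entry records who, which tenant, what action, which resource identifier and when, scrubs any PHI fields a caller passes as context, and chains SHA-256 hashes so that an edited or deleted entry is detectable. The field names in PHI_KEYS and the sample user and resource values are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

# Keys whose values are PHI; they are never written into the audit trail.
PHI_KEYS = {"name", "dob", "ssn", "mrn", "diagnosis", "address"}

def scrub(details: dict) -> dict:
    """Replace PHI values with a marker so only non-PHI context is logged."""
    return {k: ("[PHI-REDACTED]" if k in PHI_KEYS else v) for k, v in details.items()}

class AuditLog:
    """Append-only access log. Each entry carries the hash of the previous entry, so
    editing or removing an entry breaks the chain. This makes the log tamper-evident;
    retention and write-once storage are still needed to make it tamper-proof."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, user_id, tenant_id, action, resource, details=None, ts=None):
        ts = ts or datetime.now(timezone.utc).isoformat()
        entry = {
            "ts": ts, "user": user_id, "tenant": tenant_id, "action": action,
            "resource": resource,          # e.g. "patient/42": an identifier, not content
            "details": scrub(details or {}),
            "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        payload = json.dumps(entry, sort_keys=True)
        entry["hash"] = hashlib.sha256(payload.encode()).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every hash and check that each entry links to its predecessor."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "hash"}
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True
```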