
HIPAA compliance checklist for SaaS: a CTO companion guide to readiness assessments

May 25, 2026 · By The CTO · 13 min read

In April 2026, OCR had logged 374,322 HIPAA complaints since 2003, and 46,752 formal investigations. OCR also launched a Risk Analysis Initiative in October 2024, tied to the risk analysis requirement in §164.308(a)(1)(ii)(A). That initiative exists for a reason: inadequate risk analysis shows up in about 90 percent of OCR HIPAA Security Rule enforcement actions, per enforcement reporting cited by FaxSipit. That’s not a paperwork problem. It’s a leadership and systems problem. HIPAA violation statistics and Risk Analysis Initiative details.

This guide walks through how to run a HIPAA readiness assessment that holds up in audits and in real incidents. It also shows how to use The Art of CTO HIPAA Compliance tool as a fast, structured starting point for administrative, physical, and technical safeguards.

HIPAA readiness assessment: what it is and what the tool checks

A HIPAA readiness assessment is a structured review of how an org protects PHI and ePHI. Yes, it checks controls. But the real test is evidence. It answers a simple question: can the company prove it manages risk across people, process, and systems?

The Art of CTO HIPAA Compliance tool is a healthcare data security tool that scores an org against the three safeguard categories required to protect PHI. It’s built around what teams can show, not what they think is true.

The tool assesses three safeguard categories:

  • Administrative safeguards: policies, training, risk analysis, vendor management, incident response.
  • Physical safeguards: facility access, workstation rules, device handling, media disposal.
  • Technical safeguards: access control, audit logs, encryption, transmission security.

Teams with 10 to 100 engineers often overbuild technical controls and underbuild the other two. That gap shows up in customer security reviews. It also shows up when OCR starts asking questions.

Keep this framing in your head: HIPAA compliance is a program, not a sprint.

HIPAA compliance checklist: what to build across administrative, physical, and technical safeguards

Most checklists fail for one boring reason: they list controls, but they don’t list owners and proof. As a CTO, you need all three: the control, the person accountable, and the artifact you can hand to a buyer or auditor.

The checklist below is written like a build plan for a small team.

Administrative safeguards checklist (the part most startups skip)

OCR enforcement and audits keep circling back to risk analysis and program ownership. That’s why “we have security features” doesn’t pass.

Administrative controls to implement and document:

  • Security responsibility: name a Security Officer and a Privacy Officer, even if part time. A-LIGN calls out assigning a security official as a core administrative safeguard step. A-LIGN HIPAA readiness checklist.
  • Enterprise risk analysis: run an org wide risk analysis, not a cloud scan. OCR’s Risk Analysis Initiative targets this exact requirement. HIPAA violation statistics and Risk Analysis Initiative details.
  • Risk management plan: track findings, owners, due dates, and acceptance criteria.
  • Workforce training: train all staff who touch PHI, including support and sales engineers.
  • Vendor management and BAAs: inventory vendors that create, receive, maintain, or transmit PHI, and execute BAAs.
  • Incident response and breach notification: write a runbook and test it.
  • Contingency planning: backups, restore tests, and disaster recovery roles.

SecureLayer7 also calls out a documented compliance program with risk assessments, policies, logs, training records, and vendor BAAs. It also recommends internal mock audits so teams know their gaps under pressure. SecureLayer7 HIPAA compliance checklist.

Evidence to collect (this is what buyers and auditors ask for):

  • Risk analysis report with scope, assets, threats, and remediation plan.
  • Policy set with version history and approval dates.
  • Training records with dates and attendance.
  • Vendor list with BAAs and renewal dates.
  • Incident log and tabletop exercise notes.

Physical safeguards checklist (remote teams still need this)

Physical safeguards sound old school until a laptop with PHI gets stolen. Startups also forget that contractors work from coffee shops, shared workspaces, and home networks you don’t control.

Physical controls to implement and document:

  • Facility access controls: badge access, visitor logs, and locked server rooms, if any.
  • Workstation rules: screen locks, privacy screens for shared spaces, and clean desk rules.
  • Device and media controls: encryption at rest on endpoints, secure disposal, and asset tracking.
  • Remote work standards: rules for printing, local storage, and shared devices.

Scrut’s startup guide frames physical safeguards as locking down servers, securing offices, and disposing hardware correctly. It also stresses keeping policies and access logs current. Scrut HIPAA compliance for startups.

HIPAA technical safeguards checklist (where engineering teams live)

Technical safeguards aren’t “turn on encryption.” They’re a set of controls that need to match your data flows and your operating model.

Technical controls to implement and document:

  • Access control: unique user IDs, role based access, and least privilege.
  • MFA: enforce MFA for workforce access and admin paths.
  • Audit controls: logs for access to ePHI, admin actions, and data exports.
  • Integrity controls: change tracking, checksums where needed, and tamper resistant logs.
  • Transmission security: TLS everywhere, and secure APIs.
  • Encryption: at rest and in transit, with key management.

SecureLayer7 lists access controls, encryption, audit controls, and secure transmission as core technical safeguards. SecureLayer7 HIPAA compliance checklist.

Grip Security highlights identity gaps as a top attack vector and cites HIPAA Journal data that compromised credentials account for 34 percent of breaches. That makes MFA and identity inventory a board level risk, not a nice to have. Grip Security on 2025 HIPAA Security Rule requirements.

Does HIPAA apply to SaaS companies handling health data? Yes, and the BAA is not the hard part

HIPAA applies to any SaaS company that creates, receives, maintains, or transmits PHI on behalf of a covered entity. That makes the SaaS company a Business Associate. The BAA is the contract that formalizes duties, but it doesn’t create compliance by itself.

Konfirmity’s HIPAA for SaaS guide calls out a common failure mode: teams assume AWS or Google Cloud makes them compliant. The shared responsibility model means the provider secures the cloud, but the SaaS company secures what it builds and configures. A public S3 bucket is still the SaaS company’s breach. Konfirmity HIPAA for SaaS.

HHS also made it clear that audits cover both covered entities and business associates. The 2024 to 2025 HIPAA Audits review 50 entities for Security Rule provisions tied to hacking and ransomware. That scope includes business associates, not just hospitals. OCR HIPAA Audit Program.

One question comes up in every Series A deal cycle: can the startup sign a BAA this quarter and pass a security review next quarter? Yes. But only if you already have owners and evidence, not just good intentions.

HIPAA technical safeguards in practice: a data flow model that works for 10 to 100 engineers

Most CTOs talk about “PHI in the database.” Auditors and attackers care about PHI in motion. That includes logs, analytics, support tools, and exports.

Here’s a simple model teams can run in a week.

The PHI Flow Map, a practical framework

Define PHI handling as a set of flows, then attach controls and evidence to each flow.

  • Create: intake forms, HL7 or FHIR ingestion, file uploads.
  • Transmit: APIs, webhooks, SFTP, partner integrations.
  • Store: primary DB, object storage, backups, data warehouse.
  • Access: app users, support staff, on call engineers, contractors.
  • Export: CSV exports, reporting, BI tools, customer downloads.
  • Delete: retention policies, legal holds, secure deletion.

For each flow, capture four facts:

  • System of record: where the data lives.
  • Identity boundary: who can access it and how.
  • Control set: encryption, logging, and approvals.
  • Evidence: screenshots, configs, policies, and tickets.

This model also forces architecture decisions. Where is PHI allowed to exist, and where is it banned?

A concrete scenario I’ve seen more than once: a support team uses a third party screen recording tool. A user shares a patient chart during a call. That recording is now PHI. If the vendor has no BAA, you just created a compliance incident. Grip’s point about shadow SaaS and identity sprawl fits this exact pattern. Grip Security on 2025 HIPAA Security Rule requirements.
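The PHI Flow Map becomes much more useful once it is data rather than a slide. Below is an added example (not code from the original guide or from The Art of CTO) that records the four facts per flow and runs a gap check over them, including the scenario above: a third party vendor that touches PHI without a BAA. The flow records, vendor name "ExampleRecorder", and the boolean fields are constructed sample data and assumptions about what a team would capture.

```python
"""PHI Flow Map as data, with a gap check over the inventory.

Added example, not part of the original guide. All flow records below are
constructed; "ExampleRecorder" is a placeholder vendor name.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

STAGES = {"create", "transmit", "store", "access", "export", "delete"}


@dataclass
class Flow:
    name: str
    stage: str                 # one of STAGES
    system_of_record: str      # where the data lives
    identity_boundary: str     # who can reach it and how
    vendor: str = ""           # third party that touches the flow, if any
    has_baa: bool = False      # a BAA is on file for that vendor
    encrypted: bool = False    # in transit or at rest, as the stage requires
    logged: bool = False       # access is written to the audit log
    evidence: List[str] = field(default_factory=list)  # configs, screenshots, tickets


def find_gaps(flows: List[Flow]) -> List[Tuple[str, str]]:
    """Return (flow name, gap) pairs for every missing fact or control."""
    gaps = []
    for f in flows:
        if f.stage not in STAGES:
            gaps.append((f.name, f"unknown stage '{f.stage}'"))
        if f.vendor and not f.has_baa:
            gaps.append((f.name, f"vendor '{f.vendor}' touches PHI without a BAA"))
        if not f.encrypted:
            gaps.append((f.name, "no encryption recorded"))
        if not f.logged:
            gaps.append((f.name, "access not logged"))
        if not f.evidence:
            gaps.append((f.name, "no evidence artifact attached"))
    return gaps


def vendors_needing_baa(flows: List[Flow]) -> List[str]:
    """Vendors that appear in any PHI flow but have no BAA on file."""
    return sorted({f.vendor for f in flows if f.vendor and not f.has_baa})


# Constructed sample inventory for a small SaaS team.
SAMPLE_FLOWS = [
    Flow("FHIR ingestion API", "transmit", "ingest-service", "mTLS from partner EHR",
         encrypted=True, logged=True, evidence=["tls-config.yaml", "ticket SEC-101"]),
    Flow("Primary patient DB", "store", "postgres-prod", "app role; on-call via bastion",
         encrypted=True, logged=True, evidence=["db-encryption-screenshot.png"]),
    # The scenario from the text: a support recording tool with no BAA.
    Flow("Support screen recordings", "access", "ExampleRecorder (vendor)", "support staff SSO",
         vendor="ExampleRecorder", has_baa=False, encrypted=True, logged=False),
    Flow("CSV export for customers", "export", "object-storage-exports",
         "customer admins via signed URLs", encrypted=True, logged=True),
]


if __name__ == "__main__":
    for name, gap in find_gaps(SAMPLE_FLOWS):
        print(f"{name}: {gap}")
    print("vendors needing a BAA:", vendors_needing_baa(SAMPLE_FLOWS))
```

Run it as part of the readiness review: every line it prints is an owned work item, and an empty result for a flow is the evidence-backed "yes" a buyer is asking for.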

If you want a structured way to document these flows, The Art of CTO’s enterprise architecture modeling with ArchiMate pairs well with the PHI Flow Map. It turns “we think data goes here” into a diagram that sales, security, and engineering can all use.

Enterprise implications for Series A and early Series B CTOs

HIPAA work competes with roadmap work. That’s the job. You’re turning compliance into a delivery plan that protects revenue.

  1. Sales cycles and BAAs: enterprise buyers ask for a HIPAA compliance checklist, then ask for proof. A tool score is not proof. Evidence is proof. SecureLayer7 recommends mock audits for this reason. SecureLayer7 HIPAA compliance checklist.

  2. Audit pressure is rising: OCR’s 2024 to 2025 audit program targets Security Rule provisions tied to ransomware. That focus hits SaaS vendors that connect to provider workflows. OCR HIPAA Audit Program.

  3. Credential attacks hit startups hard: compromised credentials account for 34 percent of breaches, per HIPAA Journal data cited by Grip. That pushes MFA, access reviews, and offboarding into the top tier of engineering risk. Grip Security on 2025 HIPAA Security Rule requirements.

  4. Compliance stacks collide: many startups also need SOC 2, ISO 27001, or NIST CSF alignment. Valence Security describes how these frameworks overlap and how readiness reviews find gaps. A CTO can map HIPAA controls to SOC 2 controls and cut duplicate work. Valence Security SaaS compliance guide.

This is where a portfolio view helps. The Art of CTO’s Command Center for tech risk and incidents can hold the risk register, evidence links, and remediation work in one place.

CTO recommendations: how to run a HIPAA readiness assessment that produces evidence

The goal is audit ready behavior, not a binder. Konfirmity’s readiness writing makes this point directly: controls that look good on paper fail under incident pressure. Konfirmity HIPAA readiness guide.

Immediate actions (next 30 days)

  1. Name owners: assign a Security Officer and Privacy Officer, and publish the RACI.
  2. Scope PHI: run the PHI Flow Map across product, support, and analytics.
  3. Lock identity: enforce MFA for workforce and admin access, and remove shared accounts.
  4. Inventory vendors: list every SaaS tool that can touch PHI, then collect BAAs.
  5. Start evidence capture: store configs, screenshots, and policies in a single folder with dates.

Aptible’s startup guidance includes a staged view of incident response and technical safeguards, from a short runbook to tested procedures and tooling. That staged view matches how Series A teams actually mature. Aptible HIPAA compliance for startups.

Policy framework (what to write and keep current)

  1. Risk analysis policy: define cadence, scope, and sign off.
  2. Access control policy: roles, approvals, and access review schedule.
  3. Logging policy: what gets logged, retention, and who can read logs.
  4. Vendor policy: BAA requirement, security review steps, and renewal dates.
  5. Incident response policy: severity levels, notification steps, and breach triage.

Scrut stresses that risk assessments are no longer one off tasks and that auditors expect ongoing threat analysis and mitigation. That means policies need a calendar, not a PDF. Scrut HIPAA compliance for startups.

For incident handling, pair this with The Art of CTO’s blameless incident postmortem template. It helps teams produce the evidence OCR and customers ask for after an event.

Architecture principles (how to reduce PHI exposure)

  1. Minimize PHI surface area: keep PHI out of logs, analytics, and support tools.
  2. Separate duties: split admin roles, and gate production access.
  3. Default encryption: encrypt at rest and in transit, and manage keys centrally.
  4. Audit by design: log access to ePHI as a product feature, not an afterthought.

A practical pattern for small teams: create a “PHI boundary” service. Route all PHI reads and writes through it. Then attach logging and access checks there. This reduces the number of places engineers have to reason about compliance.
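Here is what that boundary looks like in code. This is an added example, not code from the original guide or from The Art of CTO. It combines the three architecture principles above in one gate: a least-privilege check by role and purpose of use, an append-only audit trail whose entries are hash-chained so edits are detectable, and a redaction step so identifiers never land in ordinary application logs. The roles, record ids, patient fields and regex patterns are constructed for illustration.

```python
"""A minimal PHI boundary service: every PHI read goes through one gate.

Added example, not part of the original guide. Roles, records and log
formats are constructed sample data.
"""
import hashlib
import json
import re
import time
from typing import Dict, List

# Constructed role -> permitted purposes of use (least privilege by purpose).
ROLE_PERMISSIONS = {
    "clinician": {"treatment"},
    "support": {"support_case"},
    "engineer": set(),  # no direct PHI reads by default
}

# Constructed stand-in for the system of record.
PHI_STORE = {
    "rec-1001": {"name": "Jane Doe", "mrn": "MRN-44821", "ssn": "123-45-6789"},
}

# Identifiers that must never reach operational logs (constructed patterns).
REDACT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\bMRN-\d+\b"), "[MRN]"),
]


class AccessDenied(Exception):
    pass


def redact(text: str) -> str:
    """Scrub identifiers so a careless log line cannot leak PHI."""
    for pattern, replacement in REDACT_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class AuditLog:
    """Append-only audit trail; each entry hashes the previous entry's hash."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def append(self, **fields) -> Dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"ts": fields.pop("ts", int(time.time())), **fields, "prev": prev}
        body = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(prev.encode() + body).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "hash"}
            expected = hashlib.sha256(prev.encode() + json.dumps(body, sort_keys=True).encode()).hexdigest()
            if expected != e["hash"]:
                return False
            prev = e["hash"]
        return True


class PhiBoundary:
    """The single path for PHI reads: check, record, then return."""

    def __init__(self, audit: AuditLog, app_log: List[str]) -> None:
        self.audit = audit
        self.app_log = app_log  # stands in for the ordinary application logger

    def read(self, user: str, role: str, purpose: str, record_id: str) -> Dict:
        allowed = purpose in ROLE_PERMISSIONS.get(role, set())
        # Every attempt is audited, denied ones included.
        self.audit.append(actor=user, role=role, purpose=purpose, record=record_id,
                          action="read", allowed=allowed)
        if not allowed:
            self.app_log.append(redact(f"denied PHI read by {user} ({role}) on {record_id}"))
            raise AccessDenied(f"{role} may not read PHI for purpose '{purpose}'")
        record = PHI_STORE[record_id]
        # Redaction is a backstop: even a log line that includes the payload is scrubbed.
        self.app_log.append(redact(f"PHI read by {user} on {record_id}: {json.dumps(record)}"))
        return record


if __name__ == "__main__":
    gate = PhiBoundary(AuditLog(), app_log := [])
    gate.read("dr.smith", "clinician", "treatment", "rec-1001")
    print("\n".join(app_log), "\naudit chain intact:", gate.audit.verify())
```

Because denied reads are audited too, the same log answers both the auditor's question (who touched ePHI) and the on-call engineer's question (who is probing for it); the `verify()` pass belongs in the evidence folder as a scheduled job, not a one-off.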

For build vs buy decisions, use The Art of CTO’s Build vs Buy Matrix for compliance tooling. HIPAA work often fails when teams build a homegrown evidence system that nobody maintains.

A decision matrix: what to do now vs later

Series A teams need a sequence. The matrix below is designed for 10 to 100 engineers.

| Control area | Do now (0 to 60 days) | Do next (60 to 180 days) | Do later (180+ days) |
|---|---|---|---|
| Risk analysis | Enterprise wide risk analysis and remediation plan | Quarterly refresh and tabletop exercises | External assessment cadence tied to customer audits |
| Identity and access | MFA, least privilege, offboarding checklist | Access reviews every 90 days | Fine grained ABAC where needed |
| Logging | Central logs for auth, admin actions, and exports | Alerting on risky events | Tamper resistant log storage and long retention |
| Vendor and SaaS sprawl | Inventory and BAAs for PHI touching tools | Shadow SaaS discovery and approvals | Continuous SaaS governance |
| Incident response | Runbook and on call roles | Two tabletop exercises per year | Full breach simulation with comms and legal |

This matrix aligns with the staged maturity view in Aptible’s guidance and the “continuous control” focus described by Konfirmity. Aptible HIPAA compliance for startups. Konfirmity HIPAA for SaaS.

For engineering execution, track delivery and stability in one place. The Art of CTO’s Engineering Metrics Dashboard for DORA metrics helps teams see if compliance work is slowing deploys, or if it’s cleaning up chaos.

Healthcare buyers now treat HIPAA readiness as a vendor selection filter. Investors do too. HIPAA Vault argues that startups that prioritize HIPAA from day one become more attractive to partners and enterprise clients. That’s a business outcome, not a compliance outcome. HIPAA Vault on HIPAA ready hosting for startups.

Regulators also changed the tone. OCR’s audit program focuses on Security Rule provisions tied to hacking and ransomware. That focus matches the threat model most startups face. OCR HIPAA Audit Program.

The question is simple: if OCR or a hospital buyer asked for proof next week, could the team show evidence in two hours?

Use the tool to get a baseline score, then turn gaps into owned work.

Sources

  1. HIPAA Compliance Checklist: 2025 Guide for SaaS and HealthTech
  2. The Complete Guide to SaaS Compliance in 2025, Valence Security
  3. HIPAA For SaaS: Key Requirements, Steps, and Templates (2026), Konfirmity
  4. 2025 HIPAA Security Rule Requirements, Grip Security
  5. A practical guide to HIPAA compliance for startups, Scrut
  6. HIPAA Compliance for Startups: When to Start, What to Build, and What to Buy, Aptible
  7. HIPAA Violation Statistics: 2026 Enforcement, Fines and Breach Data
  8. OCR’s HIPAA Audit Program, HHS.gov
  9. HIPAA readiness guide: steps and examples (2026), Konfirmity
  10. HIPAA readiness checklist, A-LIGN
  11. Why every healthcare startup needs HIPAA ready hosting, HIPAA Vault