The Art of CTO HIPAA Compliance tool evaluates healthcare organizations against the administrative, physical, and technical safeguards required for protecting protected health information (PHI).
Frequently Asked Questions
What are the three HIPAA safeguard categories?
The HIPAA Security Rule requires three categories of safeguards: administrative (policies, workforce training, risk analysis, and workforce security; 45 CFR 164.308), physical (facility access controls, workstation security, and device and media disposal; 164.310), and technical (access controls, audit logs, integrity controls, encryption, and transmission security; 164.312). All three must be implemented to protect electronic protected health information (ePHI). Note that individual implementation specifications are marked either "required" or "addressable"; an addressable specification such as encryption may be met by an equivalent alternative measure, but the decision and its justification must be documented in the risk analysis. In practice, technology companies tend to concentrate on the technical safeguards and underinvest in the administrative policies and physical security that the rule weights just as heavily.
Does HIPAA apply to SaaS companies handling health data?
Yes. Any SaaS company that creates, receives, maintains, or transmits protected health information on behalf of a covered entity (hospitals, health plans, providers) is a Business Associate under HIPAA and must comply directly. This means signing Business Associate Agreements (BAAs) with each covered entity (and with any subcontractors that handle PHI), implementing the required safeguards, and notifying the covered entity of breaches of unsecured PHI. Cloud providers such as AWS and GCP will sign a BAA, but that BAA covers only the services the provider designates as HIPAA-eligible and only when they are used as the provider documents; the SaaS company remains responsible for its own configuration, access control, logging, and data handling on top of the platform.