Cyber One Solutions logo.
Get Support

HIPAA Compliance for Healthcare Software Companies

Compliance / HIPAA

HIPAA Compliance for Healthcare Software Companies.

Healthcare software companies that create, receive, maintain, or transmit electronic protected health information (ePHI) on behalf of covered entities are HIPAA business associates. That reaches EHR, practice-management, patient-engagement, digital-health, and health-data platforms that hold provider and patient records. As a business associate you are directly liable under the HITECH Act and the HIPAA Omnibus Rule for the Security Rule and for the Breach Notification and applicable Privacy Rule provisions that apply to you. Whether HIPAA reaches your product depends on the data you handle and for whom: a platform that processes identifiable PHI for provider customers is a business associate, while a pure conduit, a product that works only with de-identified data, or a direct-to-consumer health app may fall outside HIPAA and instead under the FTC Health Breach Notification Rule.

Cyber One Solutions supports the corporate IT and security behind your platform. When we access your ePHI in the course of that work we act as your subcontractor business associate under a signed business associate agreement. We build and manage the administrative, physical, and technical safeguards the Security Rule requires, produce the evidence a customer security review or auditor expects, and help you reach SOC 2 or HITRUST readiness. We do not issue those attestations, we do not assume your legal obligations, and we make no guarantee against a breach.

What You Get
A documented Security Risk Analysis covering the ePHI your platform creates, receives, maintains, or transmits.
Administrative, physical, and technical safeguards mapped to the required and addressable specifications of the Security Rule.
Access controls, MFA, encryption, and audit logging across your application, cloud infrastructure, and corporate environment.
Business associate agreements executed with your covered-entity customers and with your cloud and subcontractor vendors.
A contingency plan and a breach-notification workflow built around your duty to notify covered-entity customers.
Readiness evidence for customer security questionnaires and a SOC 2 or HITRUST assessment run by a third party.
What the Rule Requires

HIPAA for Business Associates, Mapped to Your Healthcare Software.

The HITECH Act and the HIPAA Omnibus Rule made business associates directly responsible for the Security Rule, so the same administrative, physical, and technical safeguards a covered entity owes apply to your platform. The rule builds each safeguard from required and addressable implementation specifications, and addressable is not optional: you implement it, adopt a documented equivalent, or record why it is not reasonable and appropriate. A documented Security Risk Analysis is the foundation the rest rests on. These are the core elements a healthcare software company must put in place, each paired with the work we deliver against it.

Security Risk Analysis (SRA)

The Security Rule requires an accurate, thorough assessment of the risks to the confidentiality, integrity, and availability of the ePHI your platform handles. We inventory where that data lives, across your application databases, multi-tenant data stores, cloud infrastructure, and the corporate systems your team uses, identify the threats to each, and document the analysis so it stands up as the foundation of your program.

Administrative Safeguards

Policies, workforce security, and access management for a software organization: assigning a security official, training engineering and support staff, defining who may reach production ePHI, and reviewing that access. We produce the written policies and the training and access records that evidence the required and addressable administrative specifications.

Physical Safeguards

Controls over the facilities, workstations, and devices that reach ePHI. For a cloud-hosted platform this covers your offices, developer and support endpoints, and secure device and media disposal, and it documents how the data-center physical controls are inherited from your cloud provider under its business associate agreement and attestations.

Technical Safeguards & Secure Development

Access control, audit logging, integrity, and transmission security carried into how you build. Unique user IDs, multi-factor authentication, least-privilege access to production, encryption of ePHI in transit and at rest, audit trails of access to patient data, secure development practices, and the tenant-isolation controls that keep one customer's ePHI separate from another's in a multi-tenant platform.

Business Associate Agreements & Vendor Management

The rules require a business associate agreement in both directions. You sign one with each covered-entity customer whose ePHI you handle, and you sign one with every subcontractor that touches that ePHI on your behalf, including your cloud host and any downstream service. We inventory those relationships, help put the agreements in place, and fold vendor oversight into your program. Cyber One Solutions signs a subcontractor business associate agreement with your company.

Contingency Planning & Breach Notification

A data backup plan, disaster recovery, and an emergency-mode operations plan so your service and its data survive a ransomware event or infrastructure failure. Paired with a breach-notification workflow built around your duty as a business associate: on discovering a breach of unsecured ePHI you must notify each affected covered-entity customer without unreasonable delay and no later than 60 days, so they can meet their own notification obligations to individuals and HHS. We build and test the plan so a real event is handled inside the window.

Why HIPAA Applies to Healthcare Software Companies

A health-tech platform is a business associate, with direct liability.

HIPAA reaches healthcare software companies through the business associate relationship. A covered entity is a provider, health plan, or clearinghouse. A vendor that creates, receives, maintains, or transmits ePHI on a covered entity's behalf is that entity's business associate, and since the HITECH Act and the 2013 Omnibus Rule, business associates are directly liable for the Security Rule and for the breach-notification and applicable privacy provisions that apply to them. Whether your product is in scope turns on the data it handles and for whom, so the first task is to establish that clearly rather than assume it.

Business associates carry direct liability, not just contractual risk.

Before HITECH, a business associate's HIPAA obligations flowed only from its contract with the covered entity. The HITECH Act and the Omnibus Rule changed that. A business associate is now directly liable to HHS for compliance with the Security Rule and with the Breach Notification Rule and applicable Privacy Rule provisions, and can be subject to enforcement by the Office for Civil Rights in its own right. For a software company that means the safeguards are your legal responsibility, not just a promise to a customer.

That responsibility runs in both directions along the chain. You sign a business associate agreement with each covered-entity customer whose ePHI your platform handles, and you sign one with every subcontractor that touches that ePHI on your behalf, from your cloud host to a downstream analytics or support service. Cyber One Solutions, supporting your corporate IT and security, is itself a subcontractor business associate and signs a business associate agreement with you. We help you build and evidence the agreements up and down that chain so the requirement is met rather than assumed.

Multi-tenant SaaS and cloud hosting concentrate the risk and split the duty.

A multi-tenant platform holds the ePHI of many provider customers in shared infrastructure, so a single failure of tenant isolation or access control can expose many customers at once. That concentration is why tenant separation, least-privilege access to production, encryption, and audit logging are not niceties but core Security Rule safeguards for your architecture. We help you design and evidence the controls that keep one customer's data walled off from another's.

Hosting on AWS, Azure, or Google Cloud does not move the obligation off your books. The major cloud providers will sign a business associate agreement and secure the physical infrastructure, but under the shared-responsibility model you remain responsible for what you build on top: configuration, identity and access, encryption settings, network controls, and the application itself. A HIPAA-eligible cloud service is a starting point, not compliance. We build and document the controls on your side of that line.

Secure development is where a software vendor's compliance is won or lost.

The Security Rule expects covered entities and business associates to apply reasonable and appropriate safeguards, and for a company whose product is software, that reaches into how the product is built. Access controls, audit logging, encryption, and integrity protections have to be designed into the application, not bolted on, and a vulnerability in your code is a direct path to the ePHI you hold.

We help you fold application security into the development lifecycle: access and secret management, code and dependency scanning, change control, and logging of access to patient data. The goal is a platform where the technical safeguards are part of the build and the evidence is produced as you ship, rather than reconstructed under the pressure of a customer audit.

Customer security reviews, SOC 2, and HITRUST are readiness we build, not attestations we issue.

Provider and health-plan customers increasingly gate procurement on a security questionnaire and, past a certain size, a SOC 2 report or HITRUST certification before they will trust a vendor with patient data. These are issued by third parties: a licensed CPA firm performs a SOC 2 examination, and HITRUST certifies against its CSF through an authorized assessor. Cyber One Solutions does not issue either one.

What we do is build the readiness. We map your controls to the Security Rule and to the SOC 2 Trust Services Criteria or the HITRUST CSF, close the gaps, and assemble the policies, evidence, and answers so you walk into a customer review or a third-party assessment prepared rather than scrambling. The same underlying control set answers the HIPAA obligation and the customer's questionnaire at once.

Frequently asked questions.

Does our cloud provider's HIPAA-eligible service make us compliant?

No. AWS, Azure, and Google Cloud will sign a business associate agreement and offer HIPAA-eligible services, and that is necessary, but it only covers their side of the shared-responsibility model. They secure the underlying infrastructure. You remain responsible for how you configure it, who can access it, how ePHI is encrypted and isolated between tenants, and the security of the application you build on top. A HIPAA-eligible cloud account left on default settings is not a compliant platform. We build and document the controls on your side of the line.

We only handle de-identified data. Are we still a business associate?

It depends on whether the data is genuinely de-identified under HIPAA. Data that meets the Safe Harbor or Expert Determination standard is no longer protected health information, and a product that works exclusively with properly de-identified data may fall outside business associate status. The qualifier matters: incomplete de-identification, the ability to re-identify, or handling any identifiable ePHI for a covered entity puts you back in scope. We help you assess where your data actually sits and document the basis for that determination rather than assume it.

Common Questions

HIPAA for Healthcare Software Companies, Answered.

Common questions from EHR, practice-management, patient-engagement, and digital-health vendors working out whether they are a business associate and what direct HIPAA liability involves.

Don't see your question?
Our team answers questions like these every day, no sales pitch attached.
Ask a Question