HIPAA · Digital Health

HIPAA compliance for digital health and medtech

If your product touches protected health information and you are selling into hospitals, payers, or providers, HIPAA is going to come up fast. This guide explains, in plain language, when HIPAA actually applies to you, what it requires, why your buyers also want SOC 2, and how a Toronto team gets you ready without the guesswork.

Book a free readiness call

When HIPAA applies to you

HIPAA does not care whether you call yourself a health company. It cares about protected health information, or PHI, which is identifiable health data such as a patient name tied to a diagnosis, a claim, a test result, or a device reading. The moment you create, receive, store, or transmit PHI on behalf of someone else, HIPAA is in play.

The two roles that matter are simple. A covered entity is the organization at the center of care or payment: a hospital, a clinic, a physician group, a health plan, or a payer. A business associate is a company that handles PHI on behalf of a covered entity. If you are a digital health, medtech, or healthtech vendor, you are almost always the business associate, not the covered entity.

In practice the trigger is a signature. When a hospital, clinic, or payer wants to use your product with real patient data, they will ask you to sign a Business Associate Agreement, or BAA. That contract is the moment HIPAA obligations attach to you directly, because it binds you to the HIPAA Security Rule and makes you accountable for protecting the data you touch. So the honest test is not "are we a health company," it is "are we about to sign a BAA," and for most companies selling into providers or payers the answer is yes.

What HIPAA actually requires

The HIPAA Security Rule groups your obligations into three categories of safeguards. Here is what each one means without the legalese.

Administrative safeguards

The people and process side. A documented risk analysis that identifies where PHI lives and what could go wrong, written policies and procedures, a named security official, workforce training, and access management so only the right people can reach the data. This is where most first-time programs are thinnest, because the risk analysis is a genuine requirement, not a formality.

Physical safeguards

Protecting the physical places and devices where PHI can be reached. For a cloud-native product this leans heavily on your hosting provider, but it still covers facility access, workstation use, and how laptops and drives are controlled and disposed of. You inherit a lot of this from your cloud, and you document what you inherit.

Technical safeguards

The controls in your systems: access control so each user is uniquely identified and limited to what they need, encryption of PHI in transit and at rest, audit logging so you can reconstruct who did what, and integrity and transmission controls. This is the part a buyer's technical reviewer will actually test, so it needs to be real, not just written down.

Two things people miss: a HIPAA program is anchored by a documented risk analysis, and you need signed BAAs flowing in both directions, with the covered entities you serve and with your own subprocessors such as your cloud host and any vendor that touches PHI on your behalf.

Why buyers also want SOC 2

Here is the friction point almost every digital health company hits. HIPAA is a legal obligation, but it produces no certificate. There is nothing to hand a hospital's vendor security team that proves you did the work, because the government does not certify anyone as HIPAA compliant. So buyers ask for something they can independently verify, and increasingly that is a SOC 2 Type II report on top of HIPAA.

The good news is that the two overlap heavily. Access control, encryption, audit logging, risk assessment, vendor management, and incident response show up in both. Building them twice is wasteful. Building them once and mapping the same evidence to both HIPAA safeguards and SOC 2 criteria is how experienced teams do it, which is why we run HIPAA readiness and SOC 2 as one program rather than two disconnected projects.

If you want the SOC 2 side in detail, see our playbook on SOC 2 for Canadian SaaS and how our compliance program works end to end.

How long it takes and what it costs

The honest answer is that it depends on scope. A small team with clean cloud infrastructure and only a few subprocessors gets ready faster than a company retrofitting an older product that was not built with PHI boundaries in mind. What we can promise is a fixed scope, so you know the number and the plan before you start, rather than an open hourly meter that grows every week.

A typical readiness engagement runs the risk analysis, closes the priority gaps, and gets your policies, training, and BAAs in order in a matter of weeks. If you are running HIPAA and SOC 2 together, the SOC 2 Type II observation window then adds the usual monitoring period on top, which is worth planning for early.

One caveat worth setting up front. Some large buyers ask specifically for HITRUST. If a buyer demands full HITRUST certification, that is a larger, separate program with its own cost and timeline, and it sits outside our prep-only lane. We will tell you plainly if that is what you are facing so you can budget for it, rather than discovering it late.

How traztech helps

We are a Toronto boutique prep partner, and we run HIPAA readiness and SOC 2 together so you build the evidence once. We are also unusually technical about it. Our founder is a published security researcher with six CVEs, including CVE-2024-45163, a CVSS 9.1 kill-switch for a variant of the Mirai botnet, so when we build technical safeguards like access control, encryption, and audit logging, they are real controls that hold up when a hospital or payer starts testing them. We quote fixed scope, we coordinate your independent SOC 2 auditor, and when a penetration test is needed as evidence we run it with our partner Lorikeet Security. To be clear about our lane, we do HIPAA readiness and SOC 2 prep, and if a buyer insists on full HITRUST certification we will scope that honestly as a separate, larger program.

Get HIPAA-ready without the guesswork

Tell us what you are building, who is asking, and your deadline. We will tell you honestly what HIPAA requires of you, whether you also need SOC 2, and how fast we can get you there.

Book a free readiness call

Frequently asked questions

Does my digital health startup need to be HIPAA compliant?

If you create, receive, store, or transmit protected health information on behalf of a covered entity like a hospital, clinic, or payer, then yes. You become a business associate the moment you sign a Business Associate Agreement, and that agreement contractually binds you to the HIPAA Security Rule. If you never touch identifiable health data, HIPAA may not apply, but most digital health and medtech products do handle it at some point.

Is HIPAA a certification?

No. There is no official HIPAA certificate and no government body that certifies you as HIPAA compliant. You demonstrate compliance through a documented risk analysis, written policies, technical safeguards, training records, and signed Business Associate Agreements. Any vendor selling a HIPAA certificate is selling something HIPAA does not define. What you can show a buyer is evidence of a real program, which is why many companies pair HIPAA readiness with a SOC 2 report.

Do we need HIPAA and SOC 2?

Often, yes. HIPAA is a legal requirement when you handle protected health information, but it produces no certificate a buyer can file. Hospitals and payers increasingly ask for a SOC 2 Type II report on top of HIPAA because it is an independent, audited attestation. The two frameworks overlap heavily on access control, encryption, and monitoring, so they are best run as one program rather than two.

What is a BAA?

A Business Associate Agreement is a contract between a covered entity and a business associate, or between a business associate and its own subcontractors. It requires you to safeguard protected health information, limit how you use it, report breaches, and hold your subprocessors to the same standard. Signing a BAA is usually the moment HIPAA obligations attach to you, and you also need BAAs in place with vendors like your cloud host and any subprocessor that touches the data.

How long does HIPAA readiness take?

It depends on scope and where you are starting. A small digital health team with clean cloud infrastructure and few subprocessors moves faster than a company retrofitting an older product. With a fixed scope, we can complete a risk analysis, close the priority gaps, and get your policies and BAAs in order in a matter of weeks. If you are running HIPAA and SOC 2 together, the SOC 2 Type II observation window then adds the usual monitoring period on top.