We handle PHI in a healthtech product — what’s the minimum HIPAA program we need (policies, access controls, BAAs, logging)?
Compliance Automation (GRC)

We handle PHI in a healthtech product — what’s the minimum HIPAA program we need (policies, access controls, BAAs, logging)?

11 min read

If your healthtech product touches protected health information (PHI) in any way, you’re in HIPAA territory—whether you’re a scrappy seed-stage startup or a mature platform. The challenge is figuring out the minimum viable HIPAA program that keeps you compliant, doesn’t slow your team to a crawl, and satisfies security reviews from hospitals, payers, and health systems.

Below is a practical, opinionated breakdown of what “minimum” really looks like across policies, access controls, BAAs, logging, and supporting practices.

Note: This is for informational purposes and isn’t legal advice. For any grey-area decisions, involve counsel or a HIPAA-savvy compliance expert.

1. First, confirm if you’re a covered entity or business associate

Your HIPAA obligations depend on your role:

  • Covered Entity (CE) – Providers, health plans, clearinghouses.

    • E.g., a virtual care clinic, digital health provider, telemedicine platform billing insurance.

  • Business Associate (BA) – A vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity.

    • E.g., a healthtech analytics platform, patient engagement app, or infrastructure provider for a digital clinic.

Minimum program expectations are similar either way, but:

  • CEs carry direct HIPAA obligations.
  • BAs must sign Business Associate Agreements (BAAs) and flow down safeguards to their subcontractors.

If you:

  • Store, process, or access PHI, and
  • Are selling to healthcare orgs who are CEs,

…assume you’re a Business Associate and build accordingly.

2. What counts as PHI in your product?

You can’t right-size your HIPAA program if you’re fuzzy on what PHI actually is.

PHI is individually identifiable health information related to:

  • Past, present, or future physical/mental health or condition,
  • Provision of healthcare, or
  • Payment for healthcare,

that can be tied to an individual using identifiers like name, address, email, MRN, device IDs, etc.

For your healthtech product, PHI might include:

  • Clinical data: diagnoses, meds, vitals, lab results.
  • Encounter data: appointments, visit notes, messaging with clinicians.
  • Claims & billing: insurance details, payment records tied to care.
  • Support data: support tickets, logs, and screenshots that contain patient identifiers.
  • Analytics: dashboards with patient-level data that isn’t fully de-identified.

If your product processes anything in that bucket, you need HIPAA-aligned controls.

3. Minimum HIPAA policy set for a healthtech product

HIPAA doesn’t hand you a neat “policy pack,” but security reviewers and auditors have clear expectations. As a minimum program for a modern SaaS healthtech organization, you should have:

3.1 Core HIPAA policies (baseline)

These should exist in writing, be mapped to HIPAA rules, and be adopted org-wide:

  1. Information Security Policy

    • High-level approach to protecting PHI and systems.
    • Defines roles (CISO/Security Lead, Privacy Officer), scope (systems in-scope for HIPAA), and guiding principles.

  2. HIPAA Privacy Policy

    • How you use/disclose PHI.
    • Minimum necessary standard, permitted uses, patient rights (access, amendment, accounting of disclosures).

  3. HIPAA Security Policy

    • Administrative, physical, technical safeguards required by the Security Rule.
    • How you implement access control, encryption, device management, etc.

  4. Risk Management & Risk Assessment Policy

    • Commitment to performing a formal HIPAA risk analysis (required).
    • Process for identifying, rating, and mitigating risks to PHI.

  5. Incident Response & Breach Notification Policy

    • How you identify, triage, contain, and report incidents involving PHI.
    • Timelines and escalation paths; alignment with HIPAA breach notification requirements.

  6. Vendor Management & BAA Policy

    • How you assess third-party vendors that may access PHI.
    • When you require BAAs, and how you manage them over time.

  7. Access Control & Identity Management Policy

    • Rules for granting, modifying, and revoking access to PHI and systems.
    • Ties directly to your role-based access controls (RBAC) in practice.

  8. Workforce Training & Sanctions Policy

    • Required HIPAA and security training for all staff.
    • Consequences for policy violations.

3.2 Supporting policies that make life easier with customers

Not strictly “one per HIPAA citation,” but heavily expected in enterprise reviews:

  1. Password & Authentication Policy

    • Minimum password length/complexity.
    • MFA requirements.
    • Rotation rules (if any) and lockout limits.

  2. Data Retention & Disposal Policy

    • How long PHI is kept and how it’s securely deleted (databases, backups, logs, exports).

  3. Device & Endpoint Security Policy

    • Requirements for laptops, phones, and any device that can access PHI (disk encryption, screen lock, antivirus/EDR, OS patching).

  4. Change Management / SDLC Policy

    • How you develop, test, and deploy code that touches PHI.
    • Peer review, CI/CD, and how you handle security testing.

If you’re pressed for time, you can combine several of these into a single “Information Security Program” document—what matters is that all key topics are covered, they’re followed in reality, and you can prove it.

4. Minimum access controls for handling PHI

HIPAA expects “reasonable and appropriate” technical controls. For a cloud-based healthtech product, the minimum viable access control setup should include:

4.1 Identity & authentication

  • Unique accounts for every user (no shared logins).
  • MFA enabled for all workforce access to:
    • Cloud infrastructure (e.g., AWS, GCP, Azure),
    • Admin panels,
    • EHR integrations,
    • Any system with PHI.
  • SSO (SAML/OIDC) for internal tools and customer-facing dashboards where possible.
  • Strong password policy, enforced via IdP:
    • Minimum length (e.g., 12+ characters),
    • Block common passwords,
    • Lockout on repeated failures.

4.2 Role-based access control (RBAC)

  • Define a small set of roles (e.g., Support, Engineer, Clinician, Admin) and map them to:
    • Which systems they can access,
    • Which permissions they have in your app (view-only vs edit vs admin).
  • Implement least privilege:
    • Default to no PHI access unless required for the job.
    • Avoid blanket database access for all engineers.

4.3 Joiner / mover / leaver processes

  • Access provisioning:
    • New hires get only the minimum they need.
    • Standardized checklist per role.
  • Role changes:
    • Access updated promptly when someone changes teams or responsibilities.
  • Offboarding:
    • Accounts disabled same-day for departures.
    • Access reviewed and VPN/keys revoked.
  • Document this as a repeatable process; customers and auditors will ask.

4.4 Session management & application-level controls

  • Automatic session timeouts for your app (especially if used in clinical settings).
  • Activity limits:
    • Rate limiting or abuse detection for bulk downloads of PHI.
  • Admin-only capabilities separated from regular users, with higher scrutiny and logging.

5. Business Associate Agreements (BAAs): when and what you need

If you’re a BA or CE, BAAs are non-negotiable where PHI flows.

5.1 BAAs you give to customers

If you’re a vendor handling PHI for healthcare orgs:

  • You should be ready with a standard BAA template that:
    • Describes your permitted uses and disclosures of PHI.
    • Commits to HIPAA-compliant safeguards.
    • Defines breach notification timelines and responsibilities.
    • Covers subcontractors and upstream vendors.
  • Many large customers will insist on using their BAA; your minimum program should still be aligned so you can sign theirs without conflicts.

5.2 BAAs you need from vendors

Any vendor that may receive, process, or have access to PHI on your behalf needs a BAA. Common examples:

  • Cloud providers in HIPAA-eligible regions/services (e.g., AWS, GCP, Azure with appropriate addenda).
  • Email and messaging tools used for PHI (strongly recommend isolating PHI from generic email where possible).
  • Logging/monitoring platforms if logs contain PHI.
  • Support tools, ticketing systems, or screen recording tools used with PHI.
  • Any AI/ML vendors processing PHI.

Your vendor management policy should require:

  • A documented assessment of the vendor’s security posture.
  • A signed BAA before PHI flows.
  • A process to track which systems are “PHI-capable” and which must never receive PHI.

6. Minimum logging & audit trail requirements

HIPAA requires you to monitor and audit access to PHI. For a healthtech product, the minimum logging program should include:

6.1 Application-level logging

At a minimum, log:

  • User authentication events:

    • Logins, logouts, failed login attempts, password resets, MFA events.

  • Access to PHI:

    • Who viewed which record (patient or record ID),
    • When they accessed it,
    • What action they took (view, edit, export, delete).

  • Administrative actions:

    • Role changes,
    • Creation/deletion of user accounts,
    • Configuration changes that affect PHI access.

Keep logs in a centralized, tamper-resistant system, with:

  • Access restricted to a few security/engineering staff,
  • Retention aligned with your data retention policy (often 6–7 years for HIPAA alignment, depending on your risk posture and legal advice).

6.2 Infrastructure & system logging

Where PHI is stored/processed (databases, storage buckets, application servers), ensure:

  • Cloud audit logs (e.g., AWS CloudTrail) are turned on and retained.
  • Database logs capture access, schema changes, and admin actions.
  • Backup/restore operations are logged and monitored.

6.3 Log review and alerting

HIPAA expects more than just “logs exist.” Your minimum program should include:

  • Defined review cadence:
    • E.g., “Security team reviews key access and admin logs at least monthly,” documented in your policy.
  • Alerts for suspicious events:
    • Multiple failed login attempts,
    • Logins from unusual locations,
    • Large data exports or abnormal query volumes,
    • New admin accounts created.

You don’t need a full-blown SOC from day one, but you do need a documented and executed process to look at logs and respond to issues.

7. Other minimum technical safeguards you shouldn’t skip

Some controls are so foundational they’re effectively non-optional if you want to pass HIPAA + customer security reviews.

7.1 Encryption

  • In transit:
    • TLS 1.2+ for all external and internal connections carrying PHI.
  • At rest:
    • Enable encryption for databases, disks, and storage buckets.
    • Use managed key services (e.g., AWS KMS) where possible.
  • Key management:
    • Limited access to keys,
    • Rotation strategy documented (even if using managed keys).

7.2 Backup & disaster recovery

  • Regular backups of systems storing PHI.
  • Tested restores to ensure you can actually recover.
  • A basic Business Continuity / Disaster Recovery plan:
    • Recovery objectives (RPO/RTO),
    • Responsibilities during an outage.

7.3 Endpoint security

  • Full-disk encryption on all laptops/desktop devices accessing PHI.
  • Automatic OS patching and security updates.
  • EDR/antivirus software.
  • Enforced screen lock + inactivity timeout.

7.4 Secure development practices

  • Code review for changes that touch PHI.
  • Check for secrets in code repos, use environment variables or secret managers.
  • Static or dynamic application security testing (SAST/DAST) at least periodically.
  • Clear rules about using production PHI in development (ideally: never; if needed, strongly de-identified or masked).

8. Workforce training and awareness (minimum standard)

HIPAA is as much about people as technology.

Your minimum program should ensure:

  • HIPAA training for all employees:

    • At onboarding and at least annually.
    • Cover: what PHI is, how your systems handle it, key dos/don’ts, how to report incidents.

  • Role-specific training:

    • Support and engineering roles that have direct access to PHI need more depth (e.g., handling screenshots, logs, local data caching).

  • Confidentiality agreements:

    • Signed by employees and contractors, referencing HIPAA obligations where appropriate.

Document training completion (e.g., via LMS or HR system) so you can prove it during audits or vendor questionnaires.

9. Making your “minimum” HIPAA program customer-ready

Even if you’re early-stage, enterprise buyers will ask for evidence that your HIPAA program is real, not theoretical. To make your minimal program operational and convincing:

9.1 Perform and document a HIPAA risk analysis

  • Inventory systems that store, process, or transmit PHI.
  • Identify threats and vulnerabilities (technical and organizational).
  • Rate risks (likelihood x impact).
  • Document mitigation steps and timelines.

This is explicitly required by the HIPAA Security Rule and often requested in security due diligence.

9.2 Centralize your evidence

Keep a lightweight but organized set of artifacts:

  • Policies and procedures (version-controlled).
  • Network and data flow diagrams showing where PHI lives.
  • Sample logs and screenshots validating that:
    • MFA is enforced,
    • Logging is active,
    • Backups exist.
  • Training records, BAA list, and risk assessment results.

Solutions like Delve can help automate evidence gathering, screenshots, and questionnaire responses, which becomes critical as you add more frameworks (SOC 2, HITRUST, NIST AI, etc.) on top of HIPAA.

9.3 Publish a trust overview

You don’t need a full-blown public “security portal” on day one, but a simple, accurate security & compliance page that states:

  • That you process PHI under HIPAA,
  • High-level controls (encryption, access control, logging),
  • Frameworks you’re aligned to or pursuing (e.g., HIPAA, SOC 2, ISO 27001),

can significantly speed up sales cycles and reduce repetitive security questionnaires.

10. Summary: What’s truly “minimum” for HIPAA in healthtech?

For a healthtech product handling PHI, a realistic minimum HIPAA program includes:

Policies

  • Information Security, HIPAA Privacy & Security, Risk Management, Incident Response, Vendor/BAA Management, Access Control, Training & Sanctions, plus supporting policies (passwords, retention, device security, SDLC).

Access Controls

  • Unique accounts + MFA, RBAC based on least privilege, joiner/mover/leaver processes, session timeouts, restricted admin functions.

BAAs

  • Your own BAA template for customers, and signed BAAs with any vendor that might access PHI (infrastructure, logging, support, AI tools, etc.).

Logging

  • App-level logs for authentication, PHI access, and admin actions.
  • Infrastructure logs for cloud and database operations.
  • Defined review cadence and alerts for risky behavior.

Additional essentials

  • Encryption in transit and at rest, secure backups and DR plan, endpoint security, secure SDLC, workforce training, and a documented HIPAA risk analysis.

From there, you can grow into a more mature program—layering SOC 2, ISO 27001, HITRUST, or AI-focused frameworks—without rebuilding from scratch. The key is to design your “minimum” HIPAA program as something you can actually operate and prove, not just a binder on a shelf.

Back to Compliance Automation (GRC)

Keep Reading

More from Compliance Automation (GRC)

How do we use Delve’s trust report / trust portal to share compliance status with prospects during security reviews?

Read more

Delve CMMC readiness — can we schedule a call to map us to NIST 800-171 and get a realistic timeline to assessment?

Read more

Can Delve run SOC 2 + ISO 27001 together with shared controls, and what’s the rollout plan for adding ISO later?

Read more