HIPAA-Compliant Software
HIPAA-compliant software is any tool that meets the HIPAA Security Rule's administrative, physical, and technical safeguards AND signs a Business Associate Agreement (BAA) with the practice using it.
A vendor cannot make a practice HIPAA-compliant. A practice is HIPAA-compliant; vendors either help or hurt that posture. "HIPAA-compliant software" is shorthand for software whose vendor has signed a BAA, encrypts PHI in transit and at rest, has documented access controls, and can demonstrate audit logging on request.
The BAA is the gate
No BAA = no HIPAA compliance, regardless of any technical claims. The BAA is a legal contract that makes the vendor a Business Associate and defines liability. Demand it before signing the service agreement, not after.
Technical controls auditors check
Auditors look for TLS 1.2 or higher in transit, AES-256 at rest, individual logins (no shared accounts), audit logs per user per record, documented breach notification procedures, a vulnerability disclosure process, and, increasingly, agreements covering third-party AI subprocessors.
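To make "audit logs per user per record" concrete, here is an added example (not code from the page or from any vendor it describes) of a tamper-evident audit log: each access to a PHI record is one entry naming an individual user, the record, the action and a timestamp, and entries are chained with SHA-256 so that editing or deleting an earlier entry is detectable. The user names, record numbers and timestamps are constructed sample data; the `AuditLog` class, `verify` and `accesses_to` are assumptions for illustration, not any product's API.

```python
"""Per-user, per-record audit log with a SHA-256 hash chain (added example)."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

GENESIS_HASH = "0" * 64  # constructed anchor for the first chained entry


def _digest(prev_hash: str, payload: dict) -> str:
    """SHA-256 over the previous hash plus a canonical JSON encoding of the payload."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only log: one entry per user, per PHI record, per action."""

    FIELDS = ("user_id", "record_id", "action", "ts")

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def record(self, user_id: str, record_id: str, action: str,
               when: Optional[str] = None) -> dict:
        # Individual accountability: every entry must name a specific user and record.
        if not user_id or not record_id:
            raise ValueError("audit entry requires an individual user_id and a record_id")
        payload = {
            "user_id": user_id,
            "record_id": record_id,
            "action": action,
            "ts": when or datetime.now(timezone.utc).isoformat(),
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {**payload, "prev_hash": prev, "hash": _digest(prev, payload)}
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            payload = {k: e[k] for k in self.FIELDS}
            if e["prev_hash"] != prev or e["hash"] != _digest(prev, payload):
                return i
            prev = e["hash"]
        return None

    def accesses_to(self, record_id: str) -> List[Dict]:
        """Answer an auditor's 'who touched this record, and when?' question."""
        return [e for e in self.entries if e["record_id"] == record_id]

    def to_jsonl(self) -> str:
        """Serialize as JSON lines, the form most SIEMs ingest directly."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def demo() -> Tuple[Optional[int], Optional[int]]:
    """Constructed sample: two clinicians touch a chart, then one entry is altered."""
    log = AuditLog()
    log.record("dr.patel", "MRN-00042", "view", "2024-05-01T09:00:00+00:00")
    log.record("nurse.kim", "MRN-00042", "update", "2024-05-01T09:05:00+00:00")
    log.record("dr.patel", "MRN-00077", "view", "2024-05-01T09:10:00+00:00")
    intact = log.verify()                    # None: chain is consistent
    log.entries[1]["user_id"] = "dr.patel"   # simulated after-the-fact edit
    tampered = log.verify()                  # 1: first entry whose hash no longer matches
    return intact, tampered


if __name__ == "__main__":
    print(demo())
```

In production the log would be written to append-only storage and the latest hash periodically anchored somewhere the application cannot overwrite; the chain shown here only makes tampering detectable, not impossible.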
The AI loophole most vendors exploit
A vendor can be technically HIPAA-compliant while still leaking PHI to a consumer LLM API that retains data for training. Always ask: "Does any PHI ever leave your environment to a third-party AI model, and if so under what BAA terms?"
Common misconceptions
"We use AWS so we are HIPAA-compliant" — wrong, AWS provides HIPAA-eligible services but the application built on top must implement the safeguards. "We are SOC 2 certified" — different framework, doesn't replace HIPAA. "Encryption is enough" — necessary, not sufficient.