Resources/HIPAA Certification Guide For Edtech

Summary

The Security Rule focuses specifically on electronic PHI (ePHI) and requires three categories of safeguards: If your EdTech platform handles PHI on behalf of a Covered Entity (such as a university health center or hospital-affiliated training program), you are classified as a Business Associate. This triggers a mandatory legal requirement: you must sign a Business Associate Agreement (BAA) before accessing any PHI. Key documentation includes your risk assessment, all policies and procedures, training records, BAAs, audit logs, incident response records, and breach notification documentation. HIPAA requires retaining most documentation for at least six years.


HIPAA Certification Guide for EdTech: What Education Technology Companies Need to Know

The intersection of education technology and healthcare data is more common than many people realize. When EdTech platforms serve K-12 schools, universities, or workforce training programs that handle student health records, mental health data, or employee wellness information, HIPAA compliance can become a critical legal requirement — not just a best practice.

This guide breaks down everything EdTech companies need to understand about HIPAA certification, when it applies, and how to build a compliant infrastructure that protects both your users and your business.


Does HIPAA Actually Apply to EdTech Companies?

This is the first question every EdTech founder or compliance officer should ask. The short answer: it depends on the data you handle and your role in handling it.

HIPAA (the Health Insurance Portability and Accountability Act) applies to Covered Entities and their Business Associates. In the EdTech space, your platform may fall under HIPAA if you:

  • Provide telehealth or mental health counseling tools to schools or universities
  • Process or store student health records on behalf of a healthcare provider
  • Offer employee wellness or occupational health training platforms
  • Integrate with hospital systems, clinics, or insurance providers
  • Build tools used by school nurses or campus health centers that transmit Protected Health Information (PHI)

It’s worth noting that FERPA (the Family Educational Rights and Privacy Act) governs most student education records, and there is overlap between FERPA and HIPAA. However, if your platform touches PHI — individually identifiable health information — HIPAA rules apply.


Understanding “HIPAA Certification”: What It Really Means

Here’s an important clarification that many EdTech companies miss: there is no official government-issued HIPAA certification. The U.S. Department of Health and Human Services (HHS) does not offer a certification program.

What the industry refers to as “HIPAA certification” typically means:

  • Completing a third-party HIPAA compliance audit
  • Achieving attestation from a recognized compliance assessor
  • Implementing documented policies, procedures, and technical safeguards that meet HIPAA standards
  • Training staff and maintaining ongoing compliance programs

For EdTech companies, pursuing third-party HIPAA attestation or audit reports (often from firms using frameworks like HITRUST) signals to school districts, universities, and enterprise clients that your platform takes data protection seriously.


The Three HIPAA Rules EdTech Platforms Must Understand

1. The Privacy Rule

The Privacy Rule establishes national standards for protecting PHI. For EdTech platforms, this means:

  • Defining what counts as PHI within your system
  • Limiting access to PHI to authorized personnel only
  • Establishing patient/user rights regarding their health data
  • Creating clear policies for how PHI is used and disclosed

2. The Security Rule

The Security Rule focuses specifically on electronic PHI (ePHI) and requires three categories of safeguards:

Administrative Safeguards:

  • Designated Security Officer
  • Risk analysis and risk management processes
  • Workforce training programs
  • Access management policies

Physical Safeguards:

  • Facility access controls
  • Workstation and device security policies
  • Media disposal procedures

Technical Safeguards:

  • Access controls and unique user identification
  • Audit controls and logging
  • Data integrity protections
  • Transmission security (encryption in transit and at rest)

3. The Breach Notification Rule

If a data breach involving PHI occurs, your EdTech platform must:

  • Notify affected individuals within 60 days of discovery
  • Report breaches affecting 500+ individuals to HHS and local media
  • Maintain breach logs for smaller incidents and report annually

Business Associate Agreements (BAAs): A Non-Negotiable Requirement

If your EdTech platform handles PHI on behalf of a Covered Entity (such as a university health center or hospital-affiliated training program), you are classified as a Business Associate. This triggers a mandatory legal requirement: you must sign a Business Associate Agreement (BAA) before accessing any PHI.

A proper BAA should include:

  • Permitted uses and disclosures of PHI
  • Obligations to implement appropriate safeguards
  • Breach reporting timelines
  • Subcontractor obligations (your vendors must also be HIPAA-compliant)
  • Termination and data destruction provisions

Never allow a client to share PHI with your platform without an executed BAA in place. This is one of the most common — and costly — compliance mistakes EdTech companies make.


Step-by-Step HIPAA Compliance Roadmap for EdTech Companies

Step 1: Conduct a HIPAA Risk Assessment

Start with a formal, documented risk analysis. Identify:

  • All systems, applications, and workflows that touch PHI
  • Potential vulnerabilities and threats
  • Current security controls and gaps
  • Risk levels assigned to each identified threat

This risk assessment is not optional — it is explicitly required by the HIPAA Security Rule.

Step 2: Develop Policies and Procedures

Create a comprehensive HIPAA compliance policy library covering:

  • Information access management
  • Incident response and breach notification
  • Employee training requirements
  • Device and media controls
  • Audit log review processes

Step 3: Implement Technical Controls

Work with your engineering team to ensure:

  • End-to-end encryption for all PHI in transit and at rest
  • Role-based access controls (RBAC)
  • Multi-factor authentication (MFA) for systems accessing PHI
  • Automated audit logging and monitoring
  • Secure backup and disaster recovery procedures

Step 4: Train Your Workforce

Every employee who touches PHI — or systems that process PHI — must receive HIPAA training. Document all training completions and maintain records for at least six years.

Step 5: Execute BAAs with Clients and Vendors

Audit your entire vendor ecosystem. Any third-party tool that processes PHI (cloud storage, email platforms, analytics tools) must either sign a BAA or be replaced with a HIPAA-compliant alternative.

Step 6: Pursue Third-Party Attestation

Engage a qualified third-party assessor to audit your HIPAA compliance program. This provides credibility with enterprise clients and helps identify remaining gaps before they become enforcement issues.


Common HIPAA Compliance Mistakes EdTech Companies Make

  • Assuming FERPA compliance equals HIPAA compliance — these are separate frameworks with different requirements
  • Skipping the formal risk assessment — auditors and regulators look for this first
  • Using consumer-grade tools (Gmail, Dropbox, Slack) without confirming HIPAA-compliant configurations and signed BAAs
  • Failing to train non-technical staff — customer success, sales, and support teams often handle PHI without realizing it
  • Neglecting subcontractor BAAs — your vendors’ non-compliance becomes your liability

HIPAA Penalties: Why EdTech Companies Can’t Afford to Ignore This

HIPAA violations carry penalties ranging from $100 to $50,000 per violation, with annual maximums reaching $1.9 million per violation category. Beyond financial penalties, violations can result in:

  • Criminal charges for willful neglect
  • Reputational damage with school districts and universities
  • Loss of enterprise contracts
  • Required corrective action plans under HHS oversight

For EdTech startups and growth-stage companies, a single HIPAA enforcement action can be existential.


FAQ: HIPAA Compliance for EdTech

Q1: Does every EdTech company need to be HIPAA compliant?

No. HIPAA only applies if your platform handles Protected Health Information (PHI) as a Covered Entity or Business Associate. Many EdTech platforms operate solely under FERPA. Conduct a data mapping exercise to determine which regulations apply to your specific use case.

Q2: How long does it take to become HIPAA compliant?

For most EdTech companies starting from scratch, achieving a solid HIPAA compliance baseline takes 3 to 6 months. This includes completing risk assessments, drafting policies, implementing technical controls, training staff, and executing BAAs. Ongoing compliance is a continuous process, not a one-time event.

Q3: What’s the difference between HIPAA compliance and HITRUST certification?

HIPAA compliance means meeting the requirements of the HIPAA regulations. HITRUST is a private certification framework that incorporates HIPAA requirements along with other security standards (NIST, ISO 27001). HITRUST certification is more rigorous and widely recognized by enterprise healthcare clients, but it is not legally required.

Q4: Can we use AWS or Google Cloud and still be HIPAA compliant?

Yes. Both AWS and Google Cloud offer HIPAA-eligible services and will sign BAAs with qualifying customers. However, simply using these platforms does not make you compliant — you must configure them correctly and implement all required safeguards.

Q5: What documents do we need to maintain for HIPAA compliance?

Key documentation includes your risk assessment, all policies and procedures, training records, BAAs, audit logs, incident response records, and breach notification documentation. HIPAA requires retaining most documentation for at least six years.


Build Your HIPAA Compliance Program Faster

Navigating HIPAA compliance from scratch is time-consuming, complex, and expensive — especially for lean EdTech teams focused on building great products.

Don’t start with a blank page.

Our ready-to-use HIPAA compliance template library gives EdTech companies everything they need to launch a defensible compliance program immediately, including:

  • ✅ HIPAA Risk Assessment Templates
  • ✅ Complete Policy and Procedure Library (30+ documents)
  • ✅ Business Associate Agreement Templates
  • ✅ Employee Training Acknowledgment Forms
  • ✅ Incident Response and Breach Notification Checklists
  • ✅ Vendor Assessment Questionnaires

[Browse our HIPAA Compliance Templates →]

Save hundreds of hours, reduce legal costs, and give your enterprise clients the documentation they need to trust your platform with their most sensitive data.

Next step after reading this guide
Open the HIPAA Documentation Kit

Best for teams building a HIPAA documentation and readiness baseline.

Recommended documentation for HIPAA Certification Guide For Edtech
HIPAA Documentation Kit

HIPAA Security + Privacy Rule documentation with audit-readiness artifacts

View template →
Need documents now?
Get editable kits instead of starting from a blank page.
Browse Documentation Kits →
Need an execution path?
See how the readiness workflow turns a purchase into review and evidence work.
See How It Works →
Need more guidance first?
Keep exploring framework guides before choosing your starting kit.
Explore More Guides →
We use analytics cookies to understand traffic and improve the site.Learn more.