Summary
The Security Rule focuses specifically on electronic PHI (ePHI) and requires three categories of safeguards: If your EdTech platform handles PHI on behalf of a Covered Entity (such as a university health center or hospital-affiliated training program), you are classified as a Business Associate. This triggers a mandatory legal requirement: you must sign a Business Associate Agreement (BAA) before accessing any PHI. Key documentation includes your risk assessment, all policies and procedures, training records, BAAs, audit logs, incident response records, and breach notification documentation. HIPAA requires retaining most documentation for at least six years.
HIPAA Certification Guide for EdTech: What Education Technology Companies Need to Know
The intersection of education technology and healthcare data is more common than many people realize. When EdTech platforms serve K-12 schools, universities, or workforce training programs that handle student health records, mental health data, or employee wellness information, HIPAA compliance can become a critical legal requirement — not just a best practice.
This guide breaks down everything EdTech companies need to understand about HIPAA certification, when it applies, and how to build a compliant infrastructure that protects both your users and your business.
Does HIPAA Actually Apply to EdTech Companies?
This is the first question every EdTech founder or compliance officer should ask. The short answer: it depends on the data you handle and your role in handling it.
HIPAA (the Health Insurance Portability and Accountability Act) applies to Covered Entities and their Business Associates. In the EdTech space, your platform may fall under HIPAA if you:
- Provide telehealth or mental health counseling tools to schools or universities
- Process or store student health records on behalf of a healthcare provider
- Offer employee wellness or occupational health training platforms
- Integrate with hospital systems, clinics, or insurance providers
- Build tools used by school nurses or campus health centers that transmit Protected Health Information (PHI)
It’s worth noting that FERPA (the Family Educational Rights and Privacy Act) governs most student education records, and there is overlap between FERPA and HIPAA. However, if your platform touches PHI — individually identifiable health information — HIPAA rules apply.
Understanding “HIPAA Certification”: What It Really Means
Here’s an important clarification that many EdTech companies miss: there is no official government-issued HIPAA certification. The U.S. Department of Health and Human Services (HHS) does not offer a certification program.
What the industry refers to as “HIPAA certification” typically means:
- Completing a third-party HIPAA compliance audit
- Achieving attestation from a recognized compliance assessor
- Implementing documented policies, procedures, and technical safeguards that meet HIPAA standards
- Training staff and maintaining ongoing compliance programs
For EdTech companies, pursuing third-party HIPAA attestation or audit reports (often from firms using frameworks like HITRUST) signals to school districts, universities, and enterprise clients that your platform takes data protection seriously.
The Three HIPAA Rules EdTech Platforms Must Understand
1. The Privacy Rule
The Privacy Rule establishes national standards for protecting PHI. For EdTech platforms, this means:
- Defining what counts as PHI within your system
- Limiting access to PHI to authorized personnel only
- Establishing patient/user rights regarding their health data
- Creating clear policies for how PHI is used and disclosed
2. The Security Rule
The Security Rule focuses specifically on electronic PHI (ePHI) and requires three categories of safeguards:
Administrative Safeguards:
- Designated Security Officer
- Risk analysis and risk management processes
- Workforce training programs
- Access management policies
Physical Safeguards:
- Facility access controls
- Workstation and device security policies
- Media disposal procedures
Technical Safeguards:
- Access controls and unique user identification
- Audit controls and logging
- Data integrity protections
- Transmission security (encryption in transit and at rest)
3. The Breach Notification Rule
If a data breach involving PHI occurs, your EdTech platform must:
- Notify affected individuals within 60 days of discovery
- Report breaches affecting 500+ individuals to HHS and local media
- Maintain breach logs for smaller incidents and report annually
Business Associate Agreements (BAAs): A Non-Negotiable Requirement
If your EdTech platform handles PHI on behalf of a Covered Entity (such as a university health center or hospital-affiliated training program), you are classified as a Business Associate. This triggers a mandatory legal requirement: you must sign a Business Associate Agreement (BAA) before accessing any PHI.
A proper BAA should include:
- Permitted uses and disclosures of PHI
- Obligations to implement appropriate safeguards
- Breach reporting timelines
- Subcontractor obligations (your vendors must also be HIPAA-compliant)
- Termination and data destruction provisions
Never allow a client to share PHI with your platform without an executed BAA in place. This is one of the most common — and costly — compliance mistakes EdTech companies make.
Step-by-Step HIPAA Compliance Roadmap for EdTech Companies
Step 1: Conduct a HIPAA Risk Assessment
Start with a formal, documented risk analysis. Identify:
- All systems, applications, and workflows that touch PHI
- Potential vulnerabilities and threats
- Current security controls and gaps
- Risk levels assigned to each identified threat
This risk assessment is not optional — it is explicitly required by the HIPAA Security Rule.
Step 2: Develop Policies and Procedures
Create a comprehensive HIPAA compliance policy library covering:
- Information access management
- Incident response and breach notification
- Employee training requirements
- Device and media controls
- Audit log review processes
Step 3: Implement Technical Controls
Work with your engineering team to ensure:
- End-to-end encryption for all PHI in transit and at rest
- Role-based access controls (RBAC)
- Multi-factor authentication (MFA) for systems accessing PHI
- Automated audit logging and monitoring
- Secure backup and disaster recovery procedures
Step 4: Train Your Workforce
Every employee who touches PHI — or systems that process PHI — must receive HIPAA training. Document all training completions and maintain records for at least six years.
Step 5: Execute BAAs with Clients and Vendors
Audit your entire vendor ecosystem. Any third-party tool that processes PHI (cloud storage, email platforms, analytics tools) must either sign a BAA or be replaced with a HIPAA-compliant alternative.
Step 6: Pursue Third-Party Attestation
Engage a qualified third-party assessor to audit your HIPAA compliance program. This provides credibility with enterprise clients and helps identify remaining gaps before they become enforcement issues.
Common HIPAA Compliance Mistakes EdTech Companies Make
- Assuming FERPA compliance equals HIPAA compliance — these are separate frameworks with different requirements
- Skipping the formal risk assessment — auditors and regulators look for this first
- Using consumer-grade tools (Gmail, Dropbox, Slack) without confirming HIPAA-compliant configurations and signed BAAs
- Failing to train non-technical staff — customer success, sales, and support teams often handle PHI without realizing it
- Neglecting subcontractor BAAs — your vendors’ non-compliance becomes your liability
HIPAA Penalties: Why EdTech Companies Can’t Afford to Ignore This
HIPAA violations carry penalties ranging from $100 to $50,000 per violation, with annual maximums reaching $1.9 million per violation category. Beyond financial penalties, violations can result in:
- Criminal charges for willful neglect
- Reputational damage with school districts and universities
- Loss of enterprise contracts
- Required corrective action plans under HHS oversight
For EdTech startups and growth-stage companies, a single HIPAA enforcement action can be existential.
FAQ: HIPAA Compliance for EdTech
Q1: Does every EdTech company need to be HIPAA compliant?
No. HIPAA only applies if your platform handles Protected Health Information (PHI) as a Covered Entity or Business Associate. Many EdTech platforms operate solely under FERPA. Conduct a data mapping exercise to determine which regulations apply to your specific use case.
Q2: How long does it take to become HIPAA compliant?
For most EdTech companies starting from scratch, achieving a solid HIPAA compliance baseline takes 3 to 6 months. This includes completing risk assessments, drafting policies, implementing technical controls, training staff, and executing BAAs. Ongoing compliance is a continuous process, not a one-time event.
Q3: What’s the difference between HIPAA compliance and HITRUST certification?
HIPAA compliance means meeting the requirements of the HIPAA regulations. HITRUST is a private certification framework that incorporates HIPAA requirements along with other security standards (NIST, ISO 27001). HITRUST certification is more rigorous and widely recognized by enterprise healthcare clients, but it is not legally required.
Q4: Can we use AWS or Google Cloud and still be HIPAA compliant?
Yes. Both AWS and Google Cloud offer HIPAA-eligible services and will sign BAAs with qualifying customers. However, simply using these platforms does not make you compliant — you must configure them correctly and implement all required safeguards.
Q5: What documents do we need to maintain for HIPAA compliance?
Key documentation includes your risk assessment, all policies and procedures, training records, BAAs, audit logs, incident response records, and breach notification documentation. HIPAA requires retaining most documentation for at least six years.
Build Your HIPAA Compliance Program Faster
Navigating HIPAA compliance from scratch is time-consuming, complex, and expensive — especially for lean EdTech teams focused on building great products.
Don’t start with a blank page.
Our ready-to-use HIPAA compliance template library gives EdTech companies everything they need to launch a defensible compliance program immediately, including:
- ✅ HIPAA Risk Assessment Templates
- ✅ Complete Policy and Procedure Library (30+ documents)
- ✅ Business Associate Agreement Templates
- ✅ Employee Training Acknowledgment Forms
- ✅ Incident Response and Breach Notification Checklists
- ✅ Vendor Assessment Questionnaires
[Browse our HIPAA Compliance Templates →]
Save hundreds of hours, reduce legal costs, and give your enterprise clients the documentation they need to trust your platform with their most sensitive data.
Best for teams building a HIPAA documentation and readiness baseline.
HIPAA Security + Privacy Rule documentation with audit-readiness artifacts
View template →