
HIPAA Checklist for Software Companies: Everything You Need to Stay Compliant

If your software company handles, stores, transmits, or processes protected health information (PHI) on behalf of a healthcare client, HIPAA compliance isn’t optional — it’s a legal requirement. Whether you’re building an EHR system, a patient portal, a telehealth platform, or any SaaS product that touches healthcare data, this HIPAA checklist will help you understand exactly what you need to do.

This guide breaks down the key requirements into actionable steps your team can work through systematically.


What Makes a Software Company a HIPAA Business Associate?

Before diving into the checklist, it’s important to understand your role. Software companies that create, receive, maintain, or transmit PHI on behalf of a covered entity (hospitals, clinics, insurers) are classified as Business Associates (BAs) under HIPAA.

This means you are legally required to:

  • Sign a Business Associate Agreement (BAA) with each covered entity client
  • Implement administrative, physical, and technical safeguards
  • Report breaches within specified timeframes
  • Train your workforce on HIPAA requirements

Failing to comply can result in fines ranging from $100 to $50,000 per violation, with annual caps up to $1.9 million per violation category.


The Complete HIPAA Checklist for Software Companies

1. Administrative Safeguards

Administrative safeguards are the policies and procedures that govern how your organization manages PHI. These are often the most overlooked — and the most scrutinized during audits.

Assign a HIPAA Privacy and Security Officer

  • Designate at least one person responsible for HIPAA compliance
  • Document their responsibilities in writing
  • Ensure they have authority to enforce policies

Conduct a Risk Analysis

  • Perform a thorough assessment of all systems that store or process PHI
  • Identify vulnerabilities and threats
  • Document findings and remediation steps
  • Repeat the risk analysis annually or after significant system changes

Develop and Implement Written Policies

  • Create a formal HIPAA Security Policy
  • Document your incident response procedures
  • Establish a workforce sanctions policy for violations
  • Maintain all policies with version control and review dates

Business Associate Agreements

  • Execute BAAs with all covered entity clients before accessing their PHI
  • Ensure BAAs include all required HIPAA provisions
  • Sign BAAs with your own subcontractors who access PHI (sub-BAAs)

Workforce Training

  • Train all employees who handle PHI upon hire
  • Provide annual refresher training
  • Document training completion with dates and signatures
  • Include training on phishing, password security, and data handling

2. Physical Safeguards

Physical safeguards control access to the physical locations and devices where PHI is stored or accessed.

Facility Access Controls

  • Restrict physical access to servers and workstations containing PHI
  • Use keycards, locks, or security cameras where appropriate
  • Maintain visitor logs for areas with PHI access

Workstation and Device Security

  • Define acceptable use policies for workstations
  • Require screen locks after periods of inactivity
  • Implement a clean desk policy for remote workers

Device and Media Controls

  • Track all hardware containing PHI (laptops, mobile devices, USB drives)
  • Implement a formal procedure for disposing of hardware securely
  • Encrypt all portable devices that may store PHI
  • Document data disposal with certificates of destruction

3. Technical Safeguards

For software companies, technical safeguards are where the bulk of your compliance work lives. These controls protect PHI within your systems.

Access Controls

  • Implement role-based access control (RBAC) so users only access what they need
  • Assign unique user IDs to every person accessing PHI
  • Enforce multi-factor authentication (MFA) for all systems containing PHI
  • Implement automatic logoff after periods of inactivity
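
The four access-control bullets above fit into a single authorization check. The following Python is an added example written for this checklist, not code from the page or from any product it mentions; the role table, the 15-minute idle limit and the session layout are assumptions chosen for illustration. It shows unique per-person user IDs, role-based permission lookup, and automatic logoff enforced at the point of each request rather than left to the client.

```python
"""Role-based access check with idle-session logoff for a PHI-handling service.

Added example for the HIPAA checklist; the role table, session shape and
idle limit below are assumptions, not requirements taken from the page.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=15)  # assumed inactivity window before automatic logoff

# Assumed role table: each role maps to the (resource, action) pairs it may perform.
# Least privilege: a role gets nothing it is not explicitly granted.
ROLE_PERMISSIONS = {
    "clinician": {("patient_record", "read"), ("patient_record", "write")},
    "billing": {("claim", "read"), ("claim", "write"), ("patient_record", "read")},
    "support": set(),  # support staff receive no direct PHI access
}


@dataclass
class Session:
    user_id: str            # unique per person; shared accounts are never issued
    role: str
    last_activity: datetime
    active: bool = True


def authorize(session: Session, resource: str, action: str, now: datetime) -> bool:
    """Return True only if the session is live, not idle, and the role permits the action."""
    if not session.active:
        return False
    if now - session.last_activity > IDLE_LIMIT:
        session.active = False  # automatic logoff: the session cannot be revived
        return False
    allowed = (resource, action) in ROLE_PERMISSIONS.get(session.role, set())
    if allowed:
        session.last_activity = now  # only successful requests count as activity
    return allowed


def run_demo() -> list[bool]:
    """Walk one clinician session through permitted, forbidden and idle cases."""
    t0 = datetime(2024, 3, 4, 9, 0, 0)
    s = Session(user_id="u-1001", role="clinician", last_activity=t0)
    return [
        authorize(s, "patient_record", "read", t0 + timedelta(minutes=5)),   # permitted
        authorize(s, "claim", "write", t0 + timedelta(minutes=6)),           # role lacks permission
        authorize(s, "patient_record", "read", t0 + timedelta(minutes=30)),  # 25 min idle: logged off
        authorize(s, "patient_record", "read", t0 + timedelta(minutes=31)),  # session already ended
    ]


if __name__ == "__main__":
    print(run_demo())
```

The decision to check idle time on the server is deliberate: a client-side screen lock satisfies the workstation bullet in the physical safeguards, but only a server-side check guarantees that a forgotten browser tab cannot keep issuing PHI requests.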

Audit Controls

  • Log all access to PHI, including who accessed what and when
  • Retain audit logs for a minimum of six years
  • Review logs regularly and investigate anomalies
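
"Review logs regularly and investigate anomalies" only works if the review is mechanised. The Python below is an added example, not code from the page; the JSON-lines event format, the review thresholds (business hours, bulk-access window) and the roster of known user IDs are all assumptions, and the log lines are constructed, not real data. It shows the shape of a scheduled review job: parse the access log, then raise findings for after-hours access, access by an ID that was never issued, and one user opening an unusual number of distinct patient records in a short window.

```python
"""Scheduled review of a PHI access log: flag events a human should investigate.

Added example for the HIPAA checklist. The event format, thresholds and the
roster of issued user IDs are assumptions; the sample log is constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed review thresholds; tune them to your own observed baseline.
BUSINESS_HOURS = range(6, 20)          # 06:00-19:59 UTC counts as normal
BULK_THRESHOLD = 20                    # more distinct patients than this per window is unusual
BULK_WINDOW = timedelta(minutes=60)
KNOWN_USERS = {"u-1001", "u-1002", "u-1003"}   # assumed roster of issued unique IDs


def build_sample_log() -> list[str]:
    """Constructed PHI access events in JSON-lines form (not real data)."""
    events = [
        {"ts": "2024-03-04T09:12:01Z", "user": "u-1001", "action": "read", "patient": "p-501"},
        {"ts": "2024-03-04T09:15:44Z", "user": "u-1001", "action": "read", "patient": "p-502"},
        {"ts": "2024-03-04T23:40:10Z", "user": "u-1002", "action": "read", "patient": "p-503"},
        {"ts": "2024-03-04T11:05:00Z", "user": "svc-old", "action": "read", "patient": "p-777"},
    ]
    # u-1003 opens 30 different charts within half an hour
    for i in range(30):
        events.append({"ts": f"2024-03-04T10:{i:02d}:00Z", "user": "u-1003",
                       "action": "read", "patient": f"p-{600 + i}"})
    return [json.dumps(e) for e in events]


def parse(lines):
    """Yield events with the timestamp converted to a datetime."""
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield rec


def review(lines: list[str]) -> list[tuple[str, str]]:
    """Return (user, rule) findings for a reviewer to investigate."""
    findings = []
    per_user = defaultdict(list)
    for rec in sorted(parse(lines), key=lambda r: r["ts"]):
        if rec["user"] not in KNOWN_USERS:
            findings.append((rec["user"], "UNKNOWN_USER"))   # ID never issued or already revoked
        if rec["ts"].hour not in BUSINESS_HOURS:
            findings.append((rec["user"], "AFTER_HOURS"))
        per_user[rec["user"]].append(rec)

    # Sliding window over each user's events, counting distinct patients touched
    for user, recs in per_user.items():
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > BULK_WINDOW:
                start += 1
            distinct = {r["patient"] for r in recs[start:end + 1]}
            if len(distinct) > BULK_THRESHOLD:
                findings.append((user, "BULK_ACCESS"))
                break
    return findings


if __name__ == "__main__":
    for user, rule in review(build_sample_log()):
        print(f"{rule:<13} {user}")
```

Each finding is a prompt for investigation, not a verdict: an on-call clinician legitimately reads charts at night, and a records clerk may touch dozens of patients in an hour. The value of the job is that the review itself is documented and repeatable, which is what the six-year retention requirement for audit material assumes.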

Data Integrity Controls

  • Use checksums, digital signatures, or hashing to detect unauthorized alteration of PHI
  • Implement version control for records containing PHI

Transmission Security

  • Encrypt all PHI in transit using TLS 1.2 or higher
  • Encrypt all PHI at rest using AES-256 or equivalent
  • Avoid sending PHI via unencrypted email or messaging platforms

Application Security

  • Conduct regular vulnerability scans and penetration testing
  • Follow OWASP secure development guidelines
  • Patch known vulnerabilities promptly
  • Implement a formal software development lifecycle (SDLC) that includes security reviews

4. Breach Notification Requirements

Even with strong safeguards in place, breaches can happen. HIPAA requires specific notification procedures.

What Counts as a Breach?

A breach is any impermissible use or disclosure of PHI that compromises its security or privacy. This includes accidental disclosures, ransomware attacks, and unauthorized access.

Your Notification Obligations as a Business Associate

  • Notify the covered entity within 60 days of discovering a breach
  • Provide details including the nature of the PHI involved, who may have accessed it, and what steps were taken
  • Document all breach incidents, even those determined not to require notification

Internal Incident Response

  • Maintain a documented incident response plan
  • Assign clear roles for breach investigation and notification
  • Test your incident response plan at least annually

5. HIPAA-Compliant Vendor Management

Your compliance doesn’t stop at your own systems. Any third-party vendor that accesses PHI on your behalf must also be HIPAA compliant.

Sub-Business Associate Agreements

  • Identify all vendors with access to PHI (cloud providers, analytics tools, support platforms)
  • Execute sub-BAAs before sharing PHI
  • Review vendor security practices and request SOC 2 reports or equivalent documentation

Cloud and Hosting Providers

  • Ensure your cloud provider (AWS, Azure, Google Cloud) offers a signed BAA
  • Configure your cloud environment according to HIPAA-eligible service settings
  • Do not store PHI in services that don’t offer a BAA

6. Documentation and Recordkeeping

HIPAA requires you to retain documentation for six years from the date of creation or the date it was last in effect, whichever is later.

What to Document

  • Risk analyses and risk management plans
  • All HIPAA policies and procedures
  • Training records
  • BAAs and sub-BAAs
  • Incident and breach records
  • Audit log reviews

Keeping documentation organized and up to date is critical — it’s your primary defense during an HHS audit.


HIPAA Compliance Is an Ongoing Process

One of the most common mistakes software companies make is treating HIPAA compliance as a one-time project. In reality, it requires continuous monitoring, regular policy reviews, and updated risk assessments as your product and team evolve.

Recommended Annual Activities

  • Repeat your risk analysis
  • Update policies to reflect new systems or workflows
  • Retrain all staff
  • Review and renew BAAs
  • Test your incident response plan
  • Conduct an internal HIPAA audit

Frequently Asked Questions

Do all software companies need to be HIPAA compliant?

Not necessarily. HIPAA applies only to software companies that qualify as Business Associates — meaning they access, process, store, or transmit PHI on behalf of a covered entity. If your software never touches PHI, HIPAA requirements don’t apply. However, if you’re unsure, it’s always safer to consult a compliance professional.

What is a Business Associate Agreement (BAA), and do I need one?

A BAA is a legally required contract between a covered entity and a Business Associate. It outlines each party’s responsibilities for protecting PHI. If your software company handles PHI for a healthcare client, you must have a signed BAA in place before accessing that data. Operating without one exposes both parties to significant legal liability.

What’s the difference between HIPAA Privacy Rule and Security Rule?

The Privacy Rule governs how PHI can be used and disclosed. The Security Rule specifically addresses electronic PHI (ePHI) and requires administrative, physical, and technical safeguards to protect it. Software companies primarily focus on the Security Rule, but both apply to Business Associates.

How often should we conduct a HIPAA risk analysis?

At minimum, annually. You should also conduct a new risk analysis whenever you make significant changes to your systems, add new features that involve PHI, onboard new vendors, or experience a security incident. The risk analysis is one of the most scrutinized elements in an HHS audit.

What are the penalties for HIPAA non-compliance?

Penalties are tiered based on culpability. Unknowing violations start at $100 per violation, while willful neglect with no correction can reach $50,000 per violation. The HHS Office for Civil Rights (OCR) has levied multi-million dollar settlements against organizations of all sizes, including small software companies.


Stop Starting From Scratch — Use Ready-Made HIPAA Templates

Building compliant HIPAA documentation from the ground up is time-consuming, expensive, and easy to get wrong. Our professionally drafted HIPAA compliance template bundle gives you everything you need in one package:

  • ✅ HIPAA Security Policy Template
  • ✅ Risk Analysis and Risk Management Template
  • ✅ Business Associate Agreement (BAA) Template
  • ✅ Workforce Training Log and Acknowledgment Form
  • ✅ Incident Response Plan Template
  • ✅ Device and Media Disposal Policy
  • ✅ Audit Log Review Procedure

Each template is written by compliance experts, formatted for immediate use, and fully editable to match your company’s specific environment.

[Download the Complete HIPAA Template Bundle →]

Save weeks of work, reduce legal risk, and walk into your next client audit with confidence. Your next BAA negotiation will thank you.
