HIPAA
A U.S. law governing the privacy and security of protected health information, with corresponding obligations on covered entities and business associates.
HIPAA applies when a SaaS vendor handles protected health information (PHI) on behalf of a healthcare provider, payer, or clearinghouse. The vendor must sign a Business Associate Agreement (BAA), implement specific technical and administrative safeguards, and report breaches within 60 days. HIPAA fines can reach $50K per violation, with annual caps in the millions. Vendors selling into healthcare almost always advertise HIPAA compliance and are willing to sign a BAA.