Does HIPAA actually apply to my startup?

Most software startups that touch health information are not HIPAA covered entities and are not business associates. The honest answer turns on two questions, in order. I walk you through the decision tree: covered entity, then business associate, then neither. If you land on neither, you are likely outside HIPAA, but consumer-health-data law can still reach you.


Sergei Tokmakov, Esq. | California Bar #279869


Common questions
Does handling health data automatically mean HIPAA applies?
No. HIPAA does not regulate health information in the abstract. It regulates protected health information held by a covered entity or its business associate. If you are not a health plan or clearinghouse, do not bill payers in standard transactions, and no covered entity has hired you to handle their patients' data, you are usually not in HIPAA at all, even though you touch health information.
If HIPAA does not apply, am I done?
No. Being outside HIPAA does not mean being outside health-privacy law. State consumer-health-data laws (Washington MHMDA, RCW 19.373), CMIA-type medical-information laws (in California, Cal. Civ. Code 56.06 can reach a wellness-software vendor), and the FTC Health Breach Notification Rule (16 CFR Part 318) all reach health data outside HIPAA. Which one applies depends on who your users are and what you collect.
Do I have to sign a BAA a customer sent me?
Only if you are actually a business associate, meaning the customer is a covered entity and hired you to handle protected health information on its behalf. If you are not, signing a BAA can saddle you with obligations you do not meet. Many startups need a BAA for some customers and not for others. Draw that line before you sign.
What does a HIPAA applicability review cost?
A written attorney opinion on whether HIPAA applies to your specific facts, and what else does, is the $240 Written Attorney Consultation. If you are launching and want the full document stack built (TOS, privacy policy, BAA where needed, DPA framework, and a compliance gap memo), that is the $2,500 Healthcare SaaS Legal Package.

HIPAA does not ask whether your data feels like health data. It asks whether you are one of three kinds of regulated organization, or are handling protected health information on behalf of one. Work down the tree.

Question 1

Are you a covered entity?

You are a covered entity only if you are a health plan, a health care clearinghouse, or a health care provider that bills or transacts electronically in HIPAA standard transactions. Most software startups are none of these. A pure software vendor that does not provide care and does not bill payers is not a covered entity.

Yes → HIPAA applies to you directly. Go to the covered-entity section.
No → Go to Question 2.
Question 2

Are you a business associate?

You are a business associate if a covered entity hires you to create, receive, maintain, or transmit protected health information on its behalf. The trigger is the relationship plus the data flow, not the customer's industry. If a covered entity sends you identifiable patient health information to process, host, or analyze, you are usually a business associate and a BAA is required.

Yes → HIPAA applies to you through the BAA. Go to the business-associate section.
No → You are likely outside HIPAA. Go to the neither section.
Where most startups land

Neither: likely outside HIPAA

If you are not a covered entity and not a business associate, HIPAA usually does not apply to you. That is the common result for a direct-to-consumer health, wellness, or fitness product. But outside HIPAA is not outside health-privacy law. Consumer-health-data statutes, CMIA-type medical-information laws, and the FTC Health Breach Notification Rule can all still reach you. Read the neither section for what does apply.

One product can sit in two places at once. A hybrid product can be a business associate for the data a covered-entity customer feeds it and outside HIPAA for the data it collects directly from consumers, sometimes in the same database. The decision tree is applied per data stream and per customer relationship, not once for the whole company.

Covered entity

A covered entity is one of exactly three things under the HIPAA rules. Read each against your own business.

Under 45 CFR 160.103, a covered entity is:
  • A health plan. An individual or group plan that provides or pays the cost of medical care, including most insurers, HMOs, and many employer-sponsored health plans.
  • A health care clearinghouse. An entity that processes health information between nonstandard and standard formats, such as a billing-translation service.
  • A health care provider that transmits health information in electronic form in connection with a HIPAA-covered transaction. The provider is covered only because of that electronic transaction trigger, for example submitting claims, eligibility, or remittance electronically.
The transaction trigger is the part founders miss. A provider that never bills electronically in a standard transaction may not be a covered entity at all. And a pure software company that does not provide care and does not bill payers is not a provider, not a plan, and not a clearinghouse. Source: 45 CFR 160.103 (definitions of covered entity, health plan, health care clearinghouse, health care provider), law.cornell.edu/cfr/text/45/160.103. General information, confirm the current text for your matter.
Plain example. You build a symptom-tracking app sold directly to consumers. You do not provide treatment, you do not pay for anyone's care, and you do not submit standard electronic transactions to payers. You are not a covered entity. Go to Question 2.

Business associate

If Question 1 was no, this is the question that actually decides whether HIPAA reaches you.

Under 45 CFR 160.103, a business associate is, broadly, a person or company that, on behalf of a covered entity, creates, receives, maintains, or transmits protected health information for a regulated function, or that provides services to a covered entity where the service involves disclosing protected health information. When you are a business associate, the covered entity must have a business associate agreement in place with you, and since the HITECH amendments business associates are directly liable to the HHS Office for Civil Rights, not only contractually liable to the customer. Source: 45 CFR 160.103 (definition of business associate); business-associate direct liability under HITECH. General information, confirm against the current text.

The relationship and the data flow are the test. Selling to a hospital does not automatically make you a business associate. You become one when the covered entity actually sends you protected health information to handle on its behalf. A scheduling or marketing tool a hospital uses without feeding it identifiable patient health information is not automatically a business associate. A cloud platform that hosts a clinic's patient records is.

The encryption myth. "We only store encrypted PHI, so HIPAA does not apply" is wrong. Encryption reduces breach risk but does not remove you from business-associate status. If you can hold or transmit the protected health information, you generally need a BAA, even if it is encrypted.
Plain example. A clinic licenses your analytics tool and pipes in identifiable patient records so you can generate reports. You receive and maintain PHI on the clinic's behalf. You are a business associate. The clinic must sign a BAA with you, and you are directly liable for safeguarding that data.

Neither

This is the result for most direct-to-consumer health and wellness products. HIPAA usually does not apply. The mistake is to read that as no rules apply. Three non-HIPAA regimes routinely reach data that HIPAA never touches.

1. State consumer-health-data laws (MHMDA-type). Washington's My Health My Data Act (Chapter 19.373 RCW) reaches consumer health data of Washington consumers held outside the HIPAA-covered stream, with a separate consumer-health-data privacy policy, layered consent, and a private right of action through the state Consumer Protection Act. Nevada (SB 370) and Connecticut (CTDPA health amendments) have related consumer-health-data regimes. These laws are data-specific and often reach inferences and pre-relationship intake that are not PHI. Source: Chapter 19.373 RCW, app.leg.wa.gov/rcw/default.aspx?cite=19.373. General information.
2. CMIA-type medical-information laws. California's Confidentiality of Medical Information Act can be stricter than HIPAA and, under Cal. Civ. Code 56.06, can treat a business that offers health or wellness software, mobile apps, or certain digital health services as a provider of health care directly subject to the CMIA, with a private right of action. You cannot assume the CCPA's HIPAA and CMIA exemptions cover you if you are caught by CMIA directly. Source: Cal. Civ. Code 56.06, leginfo.legislature.ca.gov. General information.
3. FTC Health Breach Notification Rule. The FTC Health Breach Notification Rule (16 CFR Part 318) applies to vendors of personal health records, related entities, and their third-party service providers that are not covered by HIPAA. It is the federal breach-notification regime that fills the gap precisely because HIPAA does not reach you. A consumer health app that suffers a breach can owe notice to consumers, the FTC, and in some cases the media under this rule. Source: 16 CFR Part 318, law.cornell.edu/cfr/text/16/part-318. The rule expressly does not apply to HIPAA-covered entities or their business associates. General information.
A structural trap to know about. Several comprehensive state privacy laws (for example Oregon, Maryland, and New Jersey) exempt HIPAA data at the data level but do not exempt the company at the entity level. So even a HIPAA business associate is not automatically exempt from those state laws as an organization. The general lesson: do not assume any HIPAA status, including no HIPAA status, settles your state-law exposure. It depends on where your users are.
Bottom line. Landing on neither is good news and a checklist, not a finish line. You are likely outside HIPAA, so a HIPAA BAA is probably not your starting document. But you almost certainly need an accurate privacy policy, product terms that disclaim what you are not, and a look at the consumer-health-data law of the states where your users live.

These are general illustrations, not conclusions about your product. Your facts control. Each card gives the reasoning.

Direct to consumer: a wellness and mood-tracking app

Consumers sign up directly. No insurance billing, no covered-entity customer feeding it data.

Likely outside HIPAA. Not a plan, clearinghouse, or billing provider, so not a covered entity. No covered entity hired it to handle PHI, so not a business associate. But consumer-health-data law (MHMDA-type), CMIA in California, and the FTC Health Breach Notification Rule can apply.

Sells to a clinic: a platform hosting a clinic's patient records

A clinic uploads identifiable patient records so the platform can store and report on them.

Business associate. HIPAA applies. The clinic is a covered entity and the platform receives and maintains PHI on its behalf. A BAA is required and the platform is directly liable to OCR for safeguarding the data. State laws may also apply on top.

Hospital is a customer: a generic scheduling tool a hospital buys

A hospital licenses the tool but never feeds it identifiable patient health information.

Customer is covered, you may not be. Selling to a covered entity does not by itself make you a business associate. If no PHI flows to you, you may not be one. But the line is fact-specific, and if the tool starts touching patient data the answer changes. Confirm the data flow before assuming.

Hybrid: a product with a clinical arm and a consumer arm

Clinicians use it under contracts with covered entities; consumers also use a self-guided version directly.

Both at once, stream by stream. Business associate for the PHI fed by covered-entity customers; outside HIPAA for the data collected directly from consumers, which falls under consumer-health-data law. The same database can hold both. You map it field by field.

What it costs to get a real answer

Flat fees. A written opinion on whether HIPAA applies to your specific facts, or the full launch document stack if you are building.

Written opinion

Written Attorney Consultation

$240 written response

Send your product description, your users, and the data you collect. I send back a written attorney view on where you land on the HIPAA tree and which non-HIPAA laws to plan for. Not a full document build.

Cheapest entry

Minimum pilot scope

Scoped by email

Running a small or free pilot and want the cheapest defensible legal footing: consent and authorization, a product disclaimer and terms, and a short privacy notice. See the minimum pilot scope page, then email me to scope it.

The $2,500 Healthcare SaaS Legal Package is the confirmed flat-fee launch tier. The minimum pilot scope is quoted by email because the right entry scope depends on your facts. Overflow on unusually large matters bills at $240 per hour.

Does HIPAA apply to my app just because it handles health information?

Not by itself. HIPAA regulates protected health information held by a covered entity or business associate, not health information in the abstract. If you collect health data directly from consumers, are not a plan or clearinghouse, and do not bill payers in standard transactions, you are usually not a covered entity. You are a business associate only if a covered entity hires you to handle PHI on its behalf. If neither is true, HIPAA usually does not apply, though other health-privacy laws can.

If HIPAA does not apply, am I free of health-privacy rules?

No. Outside HIPAA you can still be reached by state consumer-health-data laws (Washington MHMDA, RCW 19.373), CMIA-type medical-information laws (California can treat a wellness-software vendor as a provider of health care under Cal. Civ. Code 56.06), and the FTC Health Breach Notification Rule (16 CFR Part 318), which applies specifically to vendors of personal health records that are not covered by HIPAA. Which one applies depends on your users and your data.

Do I still need a BAA if I am not a business associate?

If you are genuinely not a business associate, a HIPAA BAA is not legally required, and signing one you cannot meet creates obligations you do not satisfy. A BAA becomes required when a covered-entity customer hires you to handle PHI on its behalf. Many startups need a BAA for some customers and not others. I help draw that line before you sign one.

Does selling to a hospital automatically make HIPAA apply?

Only if your service actually creates, receives, maintains, or transmits PHI on the hospital's behalf. A tool the hospital uses without feeding it identifiable patient health information is not automatically a business associate. The analysis turns on whether PHI flows to you, not on the customer's name.