Most healthtech teams treat HIPAA as paperwork that arrives in the procurement phase. The teams that ship products which survive a hospital procurement review treat HIPAA as architecture from week one. The 2024 Security Rule update sharpened the difference. Here is what changed and what the teams who get through procurement do differently.
Three things changed under your feet
In December 2024 the HHS Office for Civil Rights published a Notice of Proposed Rulemaking on the HIPAA Security Rule. The headline move: most addressable safeguards became required. Multi-factor authentication on PHI access is mandatory. Encryption at rest and in transit is mandatory. Asset inventories, network segmentation, and a 72-hour breach response timeline are no longer optional posture statements.
Two months earlier, CMS-0057-F brought new FHIR API obligations into force. As of January 2026, payers must expose Patient Access APIs that include prior-authorization data. If your product sits between a payer and a provider, the question is no longer whether you will need a FHIR R4 endpoint. It is whether yours holds up under scrutiny.
And OCR enforcement is up. HHS Office for Civil Rights settlements in 2024 crossed nine figures in aggregate, with a meaningful share against small business associates rather than hospital systems. Teams that assumed they were too small to matter are reading those resolution agreements with new attention.
The five decisions that actually matter
Most HIPAA controls can be satisfied with sensible defaults. A handful of decisions have long tails, and getting them wrong is what causes the painful rebuilds. Payers, hospitals, ISVs, and growth-stage healthtech teams hit the same five.
1. Where the data lives
Pick a HIPAA-eligible cloud region. Sign the BAA before any PHI goes in. Never let PHI cross into a region or a service that is not covered. That includes logs. Application logs in a third-party tool without a BAA become a violation the moment a stack trace contains a patient identifier. AWS, GCP, and Azure all sign BAAs for their HIPAA-eligible services. The catch is service scope: not every product inside a covered cloud is itself covered.
2. How identity works
Single sign-on with SAML or OIDC. Multi-factor authentication on every account that can read PHI. Least-privilege role-based access control actually enforced, not aspirational. Audit logs that show who did what, when, and to which records, with tamper-evidence on the log itself. Hospital procurement teams will ask for log samples. Payers will ask how you respond to a subject access request inside the 30-day window.
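One way to get the tamper-evidence this section asks for on the audit log itself, as an added example rather than code from the original page: every entry records who did what, when, and to which record, and carries an HMAC over its own fields plus the previous entry's tag, so editing, deleting, or reordering any entry breaks verification. The key name, the entry fields, and the sample events are assumptions made for the illustration; the key must live somewhere the log writer cannot read (a KMS or HSM), otherwise whoever can edit the log can also re-sign it.

```python
"""Hash-chained audit log: each entry is HMAC-tagged over its fields and the
previous entry's tag. Added example; key, field names and events are
constructed, not taken from any real system."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed key for the example. In production fetch it from a KMS/HSM and
# keep it away from the service account that writes application logs.
LOG_KEY = b"example-log-key-not-for-production"

GENESIS_TAG = "0" * 64  # the tag the very first entry chains to


def _canonical(entry: Dict) -> bytes:
    # Fixed key order, no whitespace: every verifier must hash identical bytes.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_event(log: List[Dict], actor: str, action: str, record_id: str,
                 when: Optional[str] = None) -> Dict:
    """Append a who / what / when / which-record entry chained to the last tag."""
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    entry = {
        "seq": len(log),
        "when": when or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "record_id": record_id,
        "prev_tag": prev_tag,
    }
    entry["tag"] = hmac.new(LOG_KEY, _canonical(entry), hashlib.sha256).hexdigest()
    log.append(entry)
    return entry


def verify_chain(log: List[Dict]) -> Tuple[bool, int]:
    """Return (ok, index of first bad entry); the index is -1 when intact."""
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "tag"}
        # Sequence numbers catch deletions and reorders; prev_tag catches splices.
        if entry.get("seq") != i or body.get("prev_tag") != prev_tag:
            return False, i
        expected = hmac.new(LOG_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("tag", "")):
            return False, i
        prev_tag = entry["tag"]
    return True, -1


def demo() -> Dict[str, Tuple[bool, int]]:
    """Build a small constructed log, then tamper with copies of it three ways."""
    log: List[Dict] = []
    append_event(log, "dr.smith", "READ", "patient/1001", "2026-01-05T09:00:00+00:00")
    append_event(log, "nurse.lee", "UPDATE", "patient/1001", "2026-01-05T09:02:00+00:00")
    append_event(log, "billing.svc", "READ", "patient/2002", "2026-01-05T09:05:00+00:00")

    edited = json.loads(json.dumps(log))
    edited[1]["actor"] = "someone.else"      # rewrite who did it
    deleted = log[:1] + log[2:]              # drop the middle entry
    reordered = [log[1], log[0], log[2]]     # swap the first two entries
    return {
        "intact": verify_chain(log),
        "edited": verify_chain(edited),
        "deleted": verify_chain(deleted),
        "reordered": verify_chain(reordered),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The log is append-only by construction: the verifier reports the index of the first entry that no longer fits, which is also the point from which a forensic review has to treat the record as untrusted. Shipping the tags to a separate store (or a write-once bucket) on each append is what turns this from tamper-evident to tamper-resistant.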
3. How data flows
Substitutable Medical Applications and Reusable Technologies (SMART) on FHIR for clinical data. No PHI in URLs, query strings, or third-party analytics. CDN caching off for anything that could carry patient data. The teams that integrate with Epic Hyperspace, Oracle Cerner PowerChart, MEDITECH Expanse, athenaOne, NextGen, or eClinicalWorks all converge on the same constraints.
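What enforcing those data-flow constraints looks like on the FHIR server side, as an added example that is not code from the page or from any of the vendors named above: the token's SMART scopes (v1 `patient/Observation.read` or v2 `patient/Observation.rs` syntax, as published in the SMART App Launch specification) are checked against the requested resource type and interaction, `patient/` scopes are confined to the launch-context patient, and PHI responses get cache headers that keep them out of CDNs and shared caches. The `Token` shape, the helper names, and the sample requests are assumptions.

```python
"""SMART on FHIR scope enforcement plus no-store headers for PHI responses.
Added example; token shape and helper names are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# v1 verbs map onto v2 permission letters: c=create r=read u=update d=delete s=search
_V1_VERBS = {"read": "rs", "write": "cud", "*": "cruds"}
# v2 scopes with search-parameter filters ("?category=...") are not parsed here,
# so they fail to match and grant nothing (fail closed) rather than too much.
_SCOPE_RE = re.compile(r"^(patient|user|system)/([A-Za-z]+|\*)\.([a-z*]+)$")
_INTERACTION_PERM = {"create": "c", "read": "r", "update": "u", "delete": "d", "search": "s"}


@dataclass
class Token:
    scopes: Set[str]
    patient: Optional[str] = None  # launch-context patient; None for system tokens


def _parse_scope(scope: str) -> Optional[Tuple[str, str, str]]:
    m = _SCOPE_RE.match(scope)
    if not m:
        return None  # openid, fhirUser, launch/patient, offline_access: not resource scopes
    ctx, rtype, perms = m.groups()
    return ctx, rtype, _V1_VERBS.get(perms, perms)


def allows(token: Token, resource_type: str, interaction: str,
           subject_patient: Optional[str] = None) -> bool:
    """May this token perform `interaction` on `resource_type`?

    subject_patient is the patient the stored record belongs to, or the
    patient a search is constrained to. patient/ scopes only ever reach the
    launch-context patient; user/ and system/ scopes are not patient-bound
    here and still need narrowing by the application's RBAC.
    """
    need = _INTERACTION_PERM.get(interaction)
    if need is None:
        return False  # unknown interaction: deny
    for scope in token.scopes:
        parsed = _parse_scope(scope)
        if parsed is None:
            continue
        ctx, rtype, perms = parsed
        if rtype not in ("*", resource_type) or need not in perms:
            continue
        if ctx == "patient" and (token.patient is None or subject_patient != token.patient):
            continue  # never cross over to another patient's data on a patient scope
        return True
    return False


def phi_response_headers() -> Dict[str, str]:
    """Headers for any response that can carry PHI: no CDN or shared-cache copies."""
    return {
        "Cache-Control": "no-store, private",  # what browsers and CDNs honour
        "Pragma": "no-cache",                  # HTTP/1.0 intermediaries
        "Expires": "0",
    }


def demo_scopes() -> Dict[str, bool]:
    """Constructed tokens: a patient-facing app and a backend system client."""
    app = Token(scopes={"openid", "fhirUser", "launch/patient",
                        "patient/Observation.rs", "patient/Patient.r"},
                patient="Patient/1001")
    backend = Token(scopes={"system/*.rs"})
    return {
        "own_obs_search": allows(app, "Observation", "search", "Patient/1001"),
        "other_patient": allows(app, "Observation", "read", "Patient/2002"),
        "write_denied": allows(app, "Observation", "update", "Patient/1001"),
        "no_scope_for_type": allows(app, "MedicationRequest", "read", "Patient/1001"),
        "system_read": allows(backend, "Condition", "read", "Patient/2002"),
        "system_delete": allows(backend, "Condition", "delete", "Patient/2002"),
    }


if __name__ == "__main__":
    for name, ok in demo_scopes().items():
        print(f"{name}: {'allow' if ok else 'deny'}")
```

Call `allows` in the request path before any query runs, and attach `phi_response_headers()` to every route that can return patient data rather than deciding per response; the latter is the difference between "CDN caching off for PHI" being a policy and being a property of the deployment.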
4. How AI handles PHI
BAA-eligible endpoints only. Anthropic on AWS Bedrock added HIPAA eligibility in 2024. OpenAI on Azure OpenAI Service is covered under the Microsoft BAA. Google models on Vertex AI sit inside the Google Cloud BAA. The consumer chat endpoints (chat.openai.com, claude.ai, gemini.google.com) are not those offerings. Pass PHI through one of those and you have a breach event the moment a log is exported.
5. How you prove what you did
Continuous evidence collection through Vanta, Drata, or Secureframe is the practical norm. Pre-built security-questionnaire packs cut sales cycles by months. SOC 2 Type II reports older than nine months get questioned. HITRUST is the bar payers and integrated delivery networks raise when stakes are high.
Five decisions, at a glance
Decision | What good looks like in 2026 | Common failure
--- | --- | ---
Where PHI lives | HIPAA-eligible region, BAA signed, scoped to services in use | PHI in third-party logs without a BAA
Identity | SSO via SAML or OIDC, MFA on PHI access, tamper-evident audit logs | Shared production accounts, RBAC defined but not enforced
Data flow | SMART on FHIR R4, no PHI in URLs or analytics, CDN caching disabled for PHI | Patient IDs in query strings, analytics SDKs ingesting PHI
AI handling | BAA-covered endpoints (Bedrock, Azure OpenAI, Vertex AI), prompt and response retention controlled | Consumer chat endpoints, prompt logs in unscoped tools
Evidence | Continuous monitoring (Vanta, Drata, Secureframe), current SOC 2 Type II, HITRUST when payers ask | Annual point-in-time audits, stale reports, architecture has changed since
What the failing pattern looks like
The struggling pattern is consistent: compliance is a quarterly fire drill, production access is shared across the team, the SOC 2 report is a year old while the architecture has changed three times, and procurement reviews keep stretching the sales cycle by six weeks at a time. The fix is rarely heroic. It is moving compliance work into the same engineering rhythm as any other code change.
Three places teams waste compliance money
Questions worth asking a partner
If a partner cannot answer these in 30 minutes, they will not get sharper after the contract is signed.
The orchestration gap
Healthcare orgs are not buyers of microservices. They lack the in-house engineering depth to wire together Redox, Particle Health, Health Gorilla, Candid, MedPlum, Aptible, Verifiable, and Eligible into a working product. That is the orchestration gap Jan-Felix Schneider names in the HTN community, and it is where most procurement decisions are actually made. The vendor that wins is the one that arrives with the pieces already orchestrated and the BAAs already signed.
Frequently asked questions
What is the 2024 HIPAA Security Rule update?
In December 2024, the HHS Office for Civil Rights issued a Notice of Proposed Rulemaking that moves most addressable safeguards to required status. The headlines are mandatory MFA on PHI access, mandatory encryption at rest and in transit, asset inventories, network segmentation, and a 72-hour breach response timeline. Public comments closed in March 2025. Build to the proposed rule today.
Do AWS, GCP, and Azure all sign BAAs?
Yes. All three sign Business Associate Agreements for their HIPAA-eligible services. The detail that bites teams is service scope. Not every service inside a covered cloud is itself covered. Verify each service against the cloud provider's published HIPAA eligibility list before any PHI touches it.
How do I handle PHI inside an LLM?
Use BAA-covered endpoints only. Anthropic on AWS Bedrock, OpenAI on Azure OpenAI Service, Google models on Vertex AI. Control prompt and response retention. Strip identifiers at the prompt boundary where possible. The consumer endpoints (chat.openai.com, claude.ai, gemini.google.com) are not covered by a BAA. A single PHI prompt through one of those is a breach event.
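The same boundary control serves decision 1 (a stack trace with a patient identifier landing in a third-party log tool), decision 4, and this answer, so one added example covers all three. It is not code from the page or from any vendor named on it: a regex scrubber replaces structured identifiers with labelled tokens, a `logging.Filter` applies it on the handler that ships logs off-box, the same scrubber runs at the prompt boundary and reports what it caught, and an allowlist check refuses to send a prompt anywhere except the deployment's BAA-covered endpoint. The identifier formats (in particular the MRN shape), the allowed host name, and the sample text are assumptions; pattern matching is a safety net for the cases where PHI should never have reached these paths, not a de-identification method.

```python
"""Identifier scrubbing at the log boundary and the LLM prompt boundary, plus
an endpoint allowlist. Added example; patterns, host names and sample text are
constructed."""
import logging
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

# (label, regex). Order matters: SSN before PHONE so digit runs are not mis-tagged.
PHI_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("MRN", re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE)),  # assumed local MRN shape
    ("DOB", re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE)),
    ("PHONE", re.compile(r"(?<!\d)\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
]

# Hosts named on the page as consumer endpoints: never covered by a BAA.
CONSUMER_CHAT_HOSTS = {"chat.openai.com", "claude.ai", "gemini.google.com"}


def scrub(text: str) -> Tuple[str, Dict[str, int]]:
    """Replace each identifier with a [LABEL] token; return the text and hit counts."""
    counts: Dict[str, int] = {}
    for label, pattern in PHI_PATTERNS:
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            counts[label] = n
    return text, counts


class PHIRedactingFilter(logging.Filter):
    """Attach to the handler that ships logs to a tool without a BAA."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message first so format arguments cannot carry identifiers past the scrub.
        record.msg = scrub(record.getMessage())[0]
        record.args = ()
        return True


def scrub_prompt(prompt: str) -> Tuple[str, Dict[str, int]]:
    """Scrub a prompt before it leaves for the model; counts feed alerting.

    Even on a BAA-covered endpoint, identifiers the model does not need
    should not leave the application.
    """
    return scrub(prompt)


def is_baa_endpoint(url: str, allowed_hosts: Set[str]) -> bool:
    """True only for the deployment's configured, BAA-covered host(s)."""
    host = urlparse(url).hostname or ""
    return host not in CONSUMER_CHAT_HOSTS and host in allowed_hosts


class _ListHandler(logging.Handler):
    def __init__(self) -> None:
        super().__init__()
        self.lines: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def demo_log() -> List[str]:
    """Push a constructed error line through the filter; return what would have shipped."""
    logger = logging.getLogger("phi_demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = _ListHandler()
    handler.addFilter(PHIRedactingFilter())
    logger.addHandler(handler)
    logger.error("lookup failed for MRN 00123456 ssn=123-45-6789 contact jane.doe@example.com (%s)",
                 "timeout")
    return handler.lines


if __name__ == "__main__":
    print(demo_log()[0])
    # Placeholder host for the deployment's BAA-covered gateway (assumption, not a real endpoint).
    allowed = {"llm-gateway.example.internal"}
    print(is_baa_endpoint("https://llm-gateway.example.internal/v1/messages", allowed))
    print(scrub_prompt("Summarize: patient MRN 00123456, DOB 03/14/1960, phone (555) 123-4567, presents with chest pain"))
```

The filter mutates the shared log record, so a scrubbed message also reaches any other handler on the same logger; that is the safe direction. The allowlist is deliberately an allowlist rather than a denylist of the three consumer hosts: a new, uncovered endpoint added by a developer is then refused by default instead of discovered in an export.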
What is the right compliance sequence for a healthtech company?
HIPAA at build. SOC 2 Type II in year one or two, once production has been stable long enough to produce an audit window. HITRUST when an enterprise customer (typically a payer or an integrated delivery network) makes it a contractual requirement. Inverting that sequence is the most common compliance-money waste in the market.
Does CMS-0057-F apply to my product?
If your product sits between a payer and a provider, or surfaces prior-authorization data to a patient, treat CMS-0057-F as in scope. Payers must expose Patient Access APIs that include prior-authorization data as of January 2026. The FHIR R4 endpoints get inspected in procurement.
Where Life Value sits
Life Value is the engineering team behind Fasten Health OnPrem, an open-source health-record aggregator connected to 50,000+ US health systems and covering 78% of US hospital beds, and HealthWallet.me, the open-source patient-held EHR app. Life Value holds HIPAA, GDPR, HL7 FHIR R4, and ISO 13485 credentials, and works with insurance carriers and payers, public health systems, private hospitals and clinics, established healthcare enterprises (medical-device, pharma, diagnostics, distributors, labs), healthtech ISVs and digital-health platforms, and growth-stage healthtech companies.
The full long-form playbook is in our Insights article: Building HIPAA-compliant healthcare software in 2026.
Last reviewed: 26 May 2026, by Alex Szilagyi, CEO.


