HIPAA Compliance Questions Every Healthcare and SaaS Company Is Asking

May 22, 2026

OCR closed 21 HIPAA settlements and civil monetary penalties in 2025, the second highest annual total on record, with individual penalties ranging from $25,000 to $3,000,000. Enforcement is accelerating, and the agency's current focus has a clear target: risk analysis failures. Many healthcare and healthtech companies still operate with significant compliance gaps, often because the requirements are genuinely misunderstood. Below are the most common HIPAA compliance questions Planet 9 encounters from SMBs in healthcare, healthtech, and SaaS.

Who Needs to Be HIPAA Compliant?

Any company that stores, processes, or transmits electronic protected health information (ePHI) must comply with HIPAA. The law recognizes two categories of obligated parties.

Covered entities are organizations that interact directly with patients, including hospitals, physician practices, and health insurance companies. Their obligation flows directly from the law.

Business associates are service providers to covered entities. If a hospital stores patient records on a cloud platform, that cloud provider qualifies as a business associate. Business associates comply through a contractual instrument called a Business Associate Agreement (BAA), which establishes the permitted uses of PHI and assigns responsibility for safeguarding it.

What Is the Difference Between a Covered Entity and a Business Associate?

The distinction matters because it determines how HIPAA obligations attach. A covered entity has a direct relationship with patients and is subject to both the HIPAA Privacy Rule and the Security Rule by operation of law. A business associate takes on obligations contractually through a BAA signed with the covered entity it serves.

Business associates are not off the hook for independent compliance. The HITECH Act of 2009 made business associates directly liable for Security Rule compliance, meaning OCR can investigate and fine a business associate without going through the covered entity. SaaS companies handling PHI on behalf of healthcare clients should treat this distinction as a compliance trigger, not a technicality.

What Counts as Protected Health Information (PHI)?

HIPAA identifies 17 data elements that can constitute PHI, including names, geographic data, dates tied to individuals, phone numbers, email addresses, Social Security numbers, medical record numbers, and biometric identifiers, among others. These elements are not always PHI in isolation. The key factor is whether the information relates to an individual's past, present, or future physical or mental health condition, the provision of healthcare, or payment for healthcare services.

Any data that could be used to identify a patient in connection with a health-related record should be treated as PHI by default, since under-classification is one of the most common errors that surfaces in audits.

What Are the Main HIPAA Requirements for Software Companies?

Software companies that store, process, or transmit PHI must comply with the HIPAA Security Rule. The Security Rule establishes administrative, physical, and technical safeguards. The technical requirements most relevant to software companies include:

The risk analysis deserves special attention. It is the first requirement OCR looks for, and failure to complete one is the most consistently cited violation across audits and breach investigations.

How Do We Get BAAs in Place with Our Service Providers?

A BAA is a written agreement that defines the permitted uses and disclosures of PHI, establishes each party's security obligations, and specifies breach notification procedures. The responsibility to obtain a BAA sits with the covered entity or business associate disclosing PHI to a vendor, not the other way around.

For SMBs handling PHI, that means inventorying every third-party service that touches patient data: cloud infrastructure, SaaS platforms, EHR integrations, analytics tools, and IT support vendors. Each of those relationships requires a signed BAA before PHI is shared. Most major providers, including AWS, Microsoft Azure, and Google Cloud, offer standard HIPAA BAAs. For smaller vendors, the SMB may need to present its own template. A missing BAA with even one vendor who handles PHI is an audit finding that carries direct enforcement risk, and OCR investigations consistently surface this gap.

What Does a HIPAA Compliance Audit Look Like?

OCR conducts two types of reviews: scheduled desk audits and investigations triggered by breach reports or complaints. Both are documentation-intensive. OCR will request a completed risk analysis, written security policies and procedures, BAAs with all relevant business associates, training records, access logs, and incident response documentation.

The most common findings are: missing or incomplete BAAs, failure to conduct a proper security risk assessment, and inadequate access management controls. Organizations that have addressed these three areas are significantly better positioned when an audit occurs.

What Are the Biggest HIPAA Violations Companies Make?

Risk analysis failure is the dominant pattern in 2025 enforcement. In the first five months of the year, OCR announced ten resolution agreements, every one citing failure to conduct a thorough risk analysis as a primary violation. Penalties ranged from $25,000 to $3,000,000. A risk analysis is not a checkbox exercise; it requires identifying where PHI lives, how it moves, who can access it, and what controls are in place. OCR has signaled it will expand its enforcement focus in 2026 to risk management, meaning organizations will need to show not just that a risk analysis was completed, but that identified risks were reduced to an acceptable level.

Beyond risk analysis, 2025 provided other concrete examples:

The pattern is consistent: missing or incomplete risk analysis, inadequate access controls, and BAAs that were absent or not current.

Smaller healthtech companies often assume that being a business associate means lighter compliance obligations. That assumption is incorrect and has led to direct enforcement actions against vendors who believed the covered entity bore sole responsibility.

How Should PHI Be Securely Stored in the Cloud?

The foundational principles for cloud storage of PHI are the same as in any environment, with cloud-specific controls applied on top.

PHI must be encrypted at rest and in transit. Data flows should be restricted to only those required by the specific business process. High-sensitivity elements, such as Social Security numbers or driver's license IDs, should be encrypted at the field level and masked when displayed in applications.

Unstructured PHI, including physician notes, scanned intake forms, or diagnostic images, should be stored on encrypted volumes with access controls limited to individuals with a documented, legitimate business reason. Cloud environments also require active vulnerability management, periodic scanning, patch cadence tracking, and access recertification to ensure permission grants remain appropriate over time.
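As an added illustration of the field-level controls described above (not code from Planet 9 or from any product the post mentions), the Go program below encrypts one high-sensitivity field, a Social Security number, with AES-256-GCM before it is stored, binds the ciphertext to the record's medical record number so it cannot be silently moved to another patient's record, and renders a masked display form for application screens. The record layout, the MRN values and the passphrase-derived key are all constructed for the example; in a real deployment the key would come from a KMS or HSM, never from a string in source.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// PatientRecord is a constructed example layout. The SSN is held only as
// ciphertext; the plaintext never reaches the datastore.
type PatientRecord struct {
	MRN       string // medical record number, used as lookup key and as AAD below
	Name      string
	SSNCipher string // base64(nonce || AES-GCM ciphertext || tag)
}

// fieldKey derives a 32-byte AES-256 key from a passphrase. This is an
// assumption made to keep the example self-contained; production systems
// fetch data-encryption keys from a KMS/HSM and rotate them.
func fieldKey(secret string) []byte {
	sum := sha256.Sum256([]byte(secret))
	return sum[:]
}

// encryptField seals plaintext with AES-GCM. The AAD (here the MRN) is
// authenticated but not encrypted, so a ciphertext copied onto a different
// record fails to decrypt instead of leaking the wrong patient's SSN.
func encryptField(key []byte, plaintext, aad string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per field write
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(aad))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// decryptField reverses encryptField; any tampering or AAD mismatch returns an error.
func decryptField(key []byte, encoded, aad string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, sealed := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, sealed, []byte(aad))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// maskSSN is the display form for application screens: only the last four
// digits are shown, and malformed input is fully masked rather than echoed.
func maskSSN(ssn string) string {
	digits := strings.ReplaceAll(ssn, "-", "")
	if len(digits) != 9 {
		return "***-**-****"
	}
	return "***-**-" + digits[5:]
}

func main() {
	key := fieldKey("example-passphrase-not-for-production")
	rec := PatientRecord{MRN: "MRN-0001", Name: "Example Patient"}
	var err error
	rec.SSNCipher, err = encryptField(key, "123-45-6789", rec.MRN) // constructed SSN
	if err != nil {
		panic(err)
	}
	ssn, err := decryptField(key, rec.SSNCipher, rec.MRN)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", rec.SSNCipher)
	fmt.Println("screen:", maskSSN(ssn))
	// Moving the ciphertext to another record must fail, not decrypt.
	if _, err := decryptField(key, rec.SSNCipher, "MRN-0002"); err != nil {
		fmt.Println("cross-record decrypt rejected:", err)
	}
}
```

The AAD binding is the detail worth carrying into a real design: encrypting the field alone stops disclosure of data at rest, but authenticating the record identifier alongside it also stops an attacker or a buggy migration from re-associating one patient's identifier with another's chart. Access recertification, which the section also calls for, is a separate process control and is not covered by this code.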

Can We Use ChatGPT or AI Tools and Still Stay HIPAA Compliant?

This question has become one of the most frequent in HIPAA compliance conversations, and the honest answer is: it depends on the tool and configuration. Most general-purpose AI platforms, including consumer-facing versions of tools like ChatGPT, are not HIPAA compliant. They do not offer a BAA, and their data handling practices are not designed to meet Security Rule requirements.

Enterprise versions of some platforms, including certain Microsoft Azure OpenAI Service configurations and select Google Cloud AI offerings, do offer BAAs and are structured to support HIPAA-compliant use cases. The evaluation criteria match those for any vendor: does the provider offer a BAA, what are its data retention policies, and how does the system handle PHI once submitted?

The practical guidance is to prohibit consumer AI tools for any workflow involving PHI, document that prohibition in policy, and evaluate enterprise AI tools through the same vendor risk management process applied to any other third-party system. AI governance in healthcare is a developing area, and the absence of formal policy is increasingly an audit exposure.

HIPAA Compliance Requires Ongoing Attention

HIPAA compliance is not a certification with a fixed endpoint. It is an ongoing program requiring periodic risk assessments, policy updates, vendor reviews, and staff training. Companies that treat it as a one-time project accumulate gaps over time, often without realizing it until a breach or audit forces the issue.

Planet 9 is a Bay Area cybersecurity consulting firm specializing in HIPAA compliance and security risk assessments for SMBs in healthcare, healthtech, and SaaS. Our vCISOs and compliance managers help organizations identify where PHI lives, close audit exposure gaps, and build programs that hold up under scrutiny.

FAQs

How does a vCISO service differ from hiring a full-time CISO?
A part-time CISO offers the same strategic oversight and expertise as a full-time CISO but on a flexible, cost-effective basis. It’s ideal for small to mid-sized businesses that need executive-level guidance without the overhead.
Is a virtual CISO service suitable for regulated industries like healthcare or finance?
Yes, virtual CISOs (or fractional CISOs) are especially valuable for industries with strict compliance requirements such as HIPAA, PCI DSS, or GLBA. They help ensure your organization meets regulatory standards and is prepared for audits.
What can I expect during a vCISO engagement?
Our vCISO service typically includes cybersecurity assessments, program development, compliance planning, incident response strategy, vendor risk management, and ongoing executive reporting tailored to your business.
How do I know if my business needs a CISO-as-a-Service?
If you lack in-house security leadership, struggle with compliance, or face growing cyber risks, a vCISO can fill that gap, providing strategic direction, improving resilience, and helping you make smarter security investments.

FAQs

Is AWS HIPAA compliant?
AWS supports HIPAA-compliant workloads and will sign a BAA, but compliance is a shared responsibility. AWS secures the infrastructure; the customer is responsible for how PHI is stored, accessed, and protected within that infrastructure.
Does HIPAA apply to SaaS companies?
Yes, if your platform stores, processes, or transmits PHI on behalf of a healthcare client, you qualify as a business associate and are directly subject to the HIPAA Security Rule. You will need a signed BAA with each covered entity client and must maintain your own HIPAA compliance program independent of theirs.
Do I need a HIPAA risk assessment every year?
HIPAA does not specify a frequency, but OCR expects it to be conducted regularly and updated whenever systems, workflows, or risks change. Treating it as a one-time event is one of the most cited violations in OCR enforcement actions.
What is the difference between HIPAA privacy and security rules?
The Privacy Rule governs who can access and use PHI and patients' rights over their data. The Security Rule covers technical and administrative controls for protecting electronic PHI. Software companies and SaaS vendors are primarily subject to the Security Rule.