
HIPAA Compliance for Digital Health Startups

HIPAA compliance touches every technical decision your team makes once you're handling protected health information: how you host your application, how you write your logs, how you sign vendor contracts, how you build with AI. This guide covers all of it.

The chapters below move from foundational to specialized. Start at the beginning if you're new to HIPAA. Jump to the chapter that matches where you're stuck if you're not.

This guide is for informational purposes only and does not constitute legal advice. Consult qualified legal or compliance counsel for advice specific to your organization.

| Chapter | What it covers |
|---|---|
| HIPAA Overview | Who HIPAA applies to, what PHI is, the three rules, the safeguard framework, and what "HIPAA compliant" actually means. The foundation everything else builds on. |
| When to Start | A stage-by-stage breakdown of when HIPAA compliance becomes mandatory, what to tackle first on a limited budget, which tools are worth buying at each stage, and what happens when you wait too long. |
| Compliance Checklist | Every required control under the HIPAA Security Rule, organized by owner: what your hosting platform covers, what your application code must handle, and what belongs to your organization's policies and procedures. |
| HIPAA Hosting | What "HIPAA-compliant hosting" actually means, how different architectures compare, and how to evaluate whether a provider meets the requirements, including a side-by-side comparison of BAA availability across major platforms. |
| Hosting Requirements | The specific technical, administrative, and physical safeguards the Security Rule imposes at the infrastructure layer, with code examples, configuration guidance, and an evaluation checklist for platform selection. |
| App Development | What your application code is responsible for under HIPAA: access controls, audit logging, session management, PHI handling in logs and error messages, and the BAA implications of your full vendor stack. |
| Audit Log Retention | What the six-year retention requirement actually covers, what events you need to log, how logs must be protected, where retention breaks in practice, and what auditors specifically check. |
| Business Associate Agreements | What a BAA must contain, what it doesn't do, how to evaluate terms before signing, and how BAA access and requirements vary across major hosting platforms. |
| HIPAA & AI | The technical requirements for using LLMs with PHI: BAAs, audit logging, encryption, de-identification, key management, and how AI gateways compare for HIPAA-compliant implementations. |

Want infrastructure that handles the technical safeguards by default? Aptible is a HIPAA-compliant platform built for digital health. Every deployment includes a signed BAA, encryption at rest and in transit, audit logging, network isolation, and HITRUST R2-certified controls. Learn more about Aptible →