Handle health data? Your customers need you HIPAA compliant
If you build software that touches protected health information, your healthcare customers can't sign until you can prove HIPAA compliance and execute a BAA. Arclight builds the full program — Security Rule, Privacy Rule, risk analysis, and the paperwork — led by one senior expert.
The basics
Who HIPAA applies to
HIPAA is the US law protecting health information. It applies to covered entities — providers and health plans — and to business associates: the SaaS and technology vendors that create, receive, store, or transmit protected health information (PHI) on a customer's behalf. If you handle PHI for a healthcare client, you are a business associate, and HIPAA applies to you directly.
Covered entities
Healthcare providers, health plans, and clearinghouses that handle PHI as part of delivering or paying for care.
Business associates
Vendors that handle PHI on behalf of a covered entity — including most digital-health and B2B SaaS companies. This is likely you.
Scope
The three rules you have to meet
There's no government HIPAA certificate — compliance is a documented program built around three rules. Arclight implements all three and produces the evidence your customers' security teams ask for.
Security Rule
Administrative, physical, and technical safeguards for electronic PHI — access controls, encryption, audit logging, and a documented risk analysis.
Privacy Rule
Governs how PHI may be used and disclosed, the minimum-necessary standard, and individuals' rights over their own information.
Breach Notification Rule
Defines what counts as a breach and the requirements to notify affected individuals, HHS, and sometimes the media.
The engagement
How Arclight makes you compliant
One senior practitioner builds the whole program — the risk analysis regulators expect, the safeguards, and the BAAs your deals depend on.
Risk analysis & gap assessment
We conduct the documented, HIPAA-required risk analysis, map where PHI lives in your systems, and hand you a prioritized remediation plan.
Safeguards & policies
We implement the Security Rule safeguards, write your Privacy and Breach Notification policies, and roll out workforce training.
BAAs & ongoing readiness
We get your Business Associate Agreements in place and keep the program current — so you can sign healthcare customers with confidence.
Questions
HIPAA FAQ
What is HIPAA and who does it apply to?
HIPAA is the US law governing the protection of protected health information (PHI). It applies to covered entities such as providers and health plans, and to business associates — including most SaaS and technology vendors that create, receive, store, or transmit PHI on a customer's behalf. If you handle PHI for a healthcare client, HIPAA applies to you.
Is there a HIPAA certification?
No. There is no official government HIPAA certification. Compliance is demonstrated through a documented program: a risk analysis, implemented Security and Privacy Rule safeguards, policies, workforce training, and executed Business Associate Agreements. Arclight builds this program and produces the documentation your customers and their auditors expect.
What is a Business Associate Agreement (BAA)?
A BAA is a contract required by HIPAA between a covered entity and a business associate that handles PHI on its behalf. It defines each party's safeguards and breach responsibilities. If you're a SaaS vendor selling to healthcare, your customers will require you to sign one — and to actually meet its terms.
What are the three main HIPAA rules?
The Security Rule requires administrative, physical, and technical safeguards for electronic PHI. The Privacy Rule governs how PHI may be used and disclosed. The Breach Notification Rule sets the requirements for notifying affected individuals, HHS, and sometimes the media after a breach.
How much does it cost?
Arclight manages HIPAA under the Arc Model with published flat pricing from $2,000/mo, and a standalone full-scope gap assessment starts at $5,500. Pricing is transparent — no custom quotes. See the Services page for details.
Other frameworks
Healthcare buyers often want more
Health-tech deals frequently pair HIPAA with SOC 2. If you sell internationally, ISO 27001 may come up too. Arclight runs them together.
Unblock your healthcare deals.
Book a free 30-minute call. We'll tell you exactly what HIPAA requires for your product, how fast you can get there, and what it costs.
Book a Free HIPAA Call