HIPAA · PHI & Digital Health

Handle health data? Your customers need you HIPAA compliant

If you build software that touches protected health information, your healthcare customers can't sign until you can prove HIPAA compliance and execute a BAA. Arclight builds the full program — Security Rule, Privacy Rule, risk analysis, and the paperwork — led by one senior expert.

The basics

Who HIPAA applies to

HIPAA is the US law protecting health information. It applies to covered entities — providers and health plans — and to business associates: the SaaS and technology vendors that create, receive, store, or transmit protected health information (PHI) on a customer's behalf. If you handle PHI for a healthcare client, you are a business associate, and HIPAA applies to you directly.

Covered entities

Healthcare providers, health plans, and clearinghouses that handle PHI as part of delivering or paying for care.

Business associates

Vendors that handle PHI on behalf of a covered entity — including most digital-health and B2B SaaS companies. This is likely you.

Scope

The three rules you have to meet

There's no government HIPAA certificate — compliance is a documented program built around three rules. Arclight implements all three and produces the evidence your customers' security teams ask for.

Security Rule

Administrative, physical, and technical safeguards for electronic PHI — access controls, encryption, audit logging, and a documented risk analysis.

Privacy Rule

Governs how PHI may be used and disclosed, the minimum-necessary standard, and individuals' rights over their own information.

Breach Notification Rule

Defines what counts as a breach and the requirements to notify affected individuals, HHS, and sometimes the media.

The engagement

How Arclight makes you compliant

One senior practitioner builds the whole program — the risk analysis regulators expect, the safeguards, and the BAAs your deals depend on.

01

Risk analysis & gap assessment

We conduct the documented, HIPAA-required risk analysis, map where PHI lives in your systems, and hand you a prioritized remediation plan.

02

Safeguards & policies

We implement the Security Rule safeguards, write your Privacy and Breach Notification policies, and roll out workforce training.

03

BAAs & ongoing readiness

We get your Business Associate Agreements in place and keep the program current — so you can sign healthcare customers with confidence.

Questions

HIPAA FAQ

What is HIPAA and who does it apply to?

HIPAA is the US law governing the protection of protected health information (PHI). It applies to covered entities such as providers and health plans, and to business associates — including most SaaS and technology vendors that create, receive, store, or transmit PHI on a customer's behalf. If you handle PHI for a healthcare client, HIPAA applies to you.

Is there a HIPAA certification?

No. There is no official government HIPAA certification. Compliance is demonstrated through a documented program: a risk analysis, implemented Security and Privacy Rule safeguards, policies, workforce training, and executed Business Associate Agreements. Arclight builds this program and produces the documentation your customers and their auditors expect.

What is a Business Associate Agreement (BAA)?

A BAA is a contract required by HIPAA between a covered entity and a business associate that handles PHI on its behalf. It defines each party's safeguards and breach responsibilities. If you're a SaaS vendor selling to healthcare, your customers will require you to sign one — and to actually meet its terms.

What are the three main HIPAA rules?

The Security Rule requires administrative, physical, and technical safeguards for electronic PHI. The Privacy Rule governs how PHI may be used and disclosed. The Breach Notification Rule sets the requirements for notifying affected individuals, HHS, and sometimes the media after a breach.

How much does it cost?

Arclight manages HIPAA under the Arc Model with published flat pricing from $2,000/mo, and a standalone full-scope gap assessment starts at $5,500. Pricing is transparent — no custom quotes. See the Services page for details.

Other frameworks

Health-tech deals frequently pair HIPAA with SOC 2. If you sell internationally, ISO 27001 may come up too. Arclight runs them together.

Unblock your healthcare deals.

Book a free 30-minute call. We'll tell you exactly what HIPAA requires for your product, how fast you can get there, and what it costs.

Book a Free HIPAA Call