SaaS Agreements – Data Protection – HIPAA

On January 25th 2013, the US Department of Health and Human Services modified the rules of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). HIPAA applies to any SaaS supplier that processes protected health information (“PHI”) on behalf of customers to whom the Act applies, regardless of whether the SaaS supplier is located in the USA.

HIPAA is a US law that places security and privacy obligations on “covered entities” in the health care field, e.g. SaaS customers who are health care providers. If you are a SaaS supplier that processes PHI on behalf of a covered entity and thereby qualifies as a “business associate”, you will also be subject to the provisions of HIPAA.

A SaaS supplier is a “business associate” under HIPAA if it “creates, receives, maintains, or transmits” PHI, even if it does not view the PHI or only does so on a random or infrequent basis. Any subcontractor of the SaaS supplier, e.g. its data centre provider, will also be a business associate for the same reason.

Business Associates

The importance of being a business associate is that it is now mandatory for SaaS suppliers who are business associates to include terms covering their privacy and security obligations under HIPAA in their SaaS agreements with customers. Also, SaaS suppliers are now directly liable for breaches of HIPAA’s security and privacy rules, which includes failing to cooperate with DHHS investigations of HIPAA breaches.

Liability is strict, i.e. a SaaS supplier will be liable regardless of its intent. The penalties for breach are severe and can be up to 1.5 million dollars for all breaches in any calendar year.

How to Comply with HIPAA

SaaS suppliers cannot ensure that their SaaS customers comply with HIPAA, as they have no control over, and sometimes do not even know, what data users are uploading or what particular regulatory requirements apply to users and their data, especially where users are located outside of the UK or are subject to industry-specific regulations.

Therefore, if you are a SaaS supplier offering SaaS services to the US health care and insurance sector and your customers are subject to HIPAA, you should:

  • consider amending the design of your SaaS software to make it more appropriate for dealing with PHI and to support compliance with HIPAA obligations;
  • try to physically prohibit PHI from being uploaded into and stored on your SaaS system;
  • include clauses in your SaaS agreement which prohibit SaaS customers from uploading PHI;
  • include a SaaS customer indemnity in your SaaS agreement to protect you against any claims for breaches of HIPAA.

By drafting standard business associate clauses for inclusion in your SaaS agreement with customers and in your agreements with relevant subcontractors, you may be able to limit your liability for breaches of HIPAA and avoid your customers trying to impose their own more onerous clauses upon you.

Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years’ experience in the IT sector. If you require assistance with any SaaS, ASP or software-on-demand contracts, or any other IT legal issues, contact me:
