ADVERTISEMENT

HIPAA privacy rule: what it means for health tech brands

HIPAA privacy rule
Mirza Silajdzic
Mirza Silajdzic Business Tech & AI Solutions Expert
Nov 3, 2025 7 min read

What is the HIPAA Privacy Rule?

Why does the Privacy Rule exist?

Who does the Privacy Rule apply to?

Organization typeCovered by HIPAA Privacy RuleMust sign BAA
Hospital or clinicYes (covered entity)N/A – they sign BAAs with vendors
Telehealth platformYes, if handling PHI for a covered entityYes
Cloud storage vendorYes, if storing PHI for a covered entity or business associateYes
EHR providerYes, if processing PHI for a covered entityYes
Stand-alone wellness appsNo, unless working with a covered entityNot required (but signs BAA if working with a healthcare provider)

What does the Privacy Rule protect?

  • Related to a person’s physical or mental health condition (past, present or future)
  • Related to the provision of healthcare
  • Related to the payment for healthcare services

What digital health platforms must do

Administrative safeguards

  • Designating a privacy or security officer
  • Maintaining well written security policies
  • Performing regular risk analyses and documenting how you handled any risks
  • Training employees on privacy and security awareness
  • Creating an incident response and breach notification plan
  • Signing BAAs with anyone that handles PHI on your behalf

Technical safeguards

  • Ensuring role-based or least-privilege access controls
  • Applying strong authentication, like multi-factor authentication (MFA)
  • Enabling automatic timeouts and session locks
  • Encrypting stored PHI and when sending/receiving PHI
  • Having detailed access logs and audit trails
  • Implementing integrity checks

Physical safeguards

ADVERTISEMENT
  • Restricting access to facilities and hardware
  • Securing workstations and storage media
  • Implementing policies for how media is disposed of and reused

Patient rights under the HIPAA Privacy Rule

Why the HITECH Act matters for health tech brands

The Minimum Necessary Rule Standard

  • Internal workflows, like job-based access controls
  • Requests from insurers, researchers, or law enforcement
  • Public health reporting and data sharing
  • Disclosure between covered entities and business associates
  • Configuring systems to stop unnecessary PHI exposure
  • Applying clear, role-based controls
  • Restricting API and vendor access to the minimum required
  • Logging and auditing data access
  • Training teams on how much PHI is appropriate to share

Where HIPAA draws the line

Why health tech brands are concerned (2020-2025)

Conclusion

FAQ

ADVERTISEMENT