
How Do You Know If An App Is HIPAA Compliant? (w/Examples) + FAQs

You know an app is HIPAA compliant when its vendor signs a Business Associate Agreement, enforces the HIPAA Security Rule safeguards (encryption, access controls, audit logs), follows the Privacy Rule on permitted uses and disclosures, and honors the Breach Notification Rule within 60 days. No federal agency “certifies” apps as HIPAA compliant, so anyone claiming an official HIPAA seal is misleading you.

The problem is that the U.S. Department of Health and Human Services never created a stamp, logo, or registry. Developers self-attest, and the Office for Civil Rights (OCR) only verifies compliance after a complaint or breach, when fines can reach $2,134,831 per violation category per year. A 2024 HIMSS survey found that 74% of healthcare organizations experienced a significant security incident in the prior year, and mobile and cloud apps were a leading attack vector per the HHS 2024 Cybersecurity Report.

Here is what you will learn in this guide:

  • 🔍 How to verify a vendor’s HIPAA posture in 10 concrete steps, with the exact documents to request.
  • 📝 How to read and negotiate a Business Associate Agreement so liability flows correctly.
  • 🛡️ Which technical safeguards under 45 CFR 164.312 are non-negotiable in 2026.
  • ⚖️ The real fines, rulings, and enforcement actions against apps like GoodRx, BetterHelp, and Cerebral.
  • 🚩 The red flags, common misconceptions, and the mistakes that cost covered entities millions.

What “HIPAA Compliant” Really Means for an App

HIPAA compliance is not a product feature, a badge, or a certification. It is a legal and operational state that an app owner maintains by following the HIPAA Rules codified at 45 CFR Parts 160, 162, and 164. The HHS Office for Civil Rights enforces these rules, and only apps that create, receive, maintain, or transmit Protected Health Information (PHI) on behalf of a covered entity or business associate fall inside the HIPAA tent.

A fitness tracker you buy at a store is usually not covered, because the user is the consumer and no covered entity is involved. A telehealth intake form your doctor’s office emails you is covered, because the clinic (a covered entity) uses the app to process PHI. That distinction drives everything else, and it is spelled out in the HHS mobile health apps guidance.

The consequence of getting this wrong is steep. In 2023, the Federal Trade Commission fined GoodRx $1.5 million under the Health Breach Notification Rule even though GoodRx argued it was not a HIPAA covered entity. That case proves a common misconception wrong: an app can escape HIPAA and still be punished for sloppy health-data practices.

A real-world example helps. Maria runs a small pediatric clinic in Austin and picks an online scheduling app. If that app stores patient names and appointment reasons, it handles PHI, so it must sign a BAA and meet the Security Rule. If Maria uses a free calendar tool that refuses to sign a BAA, she is personally exposed to enforcement, no matter how “secure” the tool markets itself.

The Three Core HIPAA Rules an App Must Honor

The Privacy Rule at 45 CFR Part 164 Subpart E limits how an app may use or disclose PHI, and it gives patients the right to access, amend, and receive an accounting of disclosures. The app must support the “minimum necessary” standard, so engineers cannot pull entire patient records when a narrow field will do. Ignoring this rule produced a $6.85 million settlement with Premera Blue Cross in 2020 after plan data leaked.

The Security Rule at 45 CFR Part 164 Subpart C sets administrative, physical, and technical safeguards for electronic PHI. Encryption, audit logging, role-based access, and risk analysis live here. A common misconception is that “addressable” safeguards are optional, but the HHS Security Rule guidance makes clear that an entity must implement the safeguard or document an equivalent alternative, and the proposed 2025 Security Rule update is expected to remove the “addressable” label entirely in May 2026.

The Breach Notification Rule at 45 CFR Part 164 Subpart D forces notice to affected individuals, HHS, and sometimes the media within 60 days of discovery. The consequence of missing that deadline is both fines and public listing on the HHS “Wall of Shame” breach portal. In 2023, Cerebral admitted a breach affecting 3.18 million people after using tracking pixels, and the Cerebral breach report now guides OCR on pixel investigations.

The 10-Point Test: How Do You Know an App Is HIPAA Compliant?

This audit gives you a practical path to test any mobile, web, or SaaS health app. Each point maps to a specific rule and a specific consequence if the vendor cannot answer. You should ask for documents, not promises, and you should re-run the test every 12 months because the proposed Security Rule will require annual verification of business associates.

Use the list below in order, and stop the procurement if the vendor fails any single item.

  1. The vendor signs a Business Associate Agreement that mirrors 45 CFR 164.504(e).
  2. The vendor produces a current NIST 800-66r2 risk analysis or equivalent.
  3. The app encrypts PHI in transit with TLS 1.2 or higher and at rest with AES-256, per NIST 800-111.
  4. The app enforces multi-factor authentication, which the 2025 proposed rule makes mandatory.
  5. The app maintains tamper-evident audit logs of every PHI access, under 45 CFR 164.312(b).
  6. The vendor shows a SOC 2 Type II or HITRUST r2 report from the last 12 months.
  7. The vendor lists every subcontractor and proves each subcontractor signed a downstream BAA.
  8. The app supports the patient right-of-access workflow under the OCR Right of Access Initiative.
  9. The vendor has a written incident response plan that meets the 60-day breach notification clock.
  10. The vendor does not use tracking pixels on authenticated pages, which the OCR tracking technologies bulletin flags as a disclosure of PHI.

Step 1 — Confirm a Signed BAA

A BAA is the contractual backbone of HIPAA. Without it, sharing PHI with the app is itself a violation, even if the app has perfect security. The sample HHS BAA shows the minimum clauses, including permitted uses, safeguards, subcontractor flow-down, breach reporting, and termination.

The consequence of skipping a BAA is direct liability. In 2016, North Memorial Health Care paid $1.55 million after it let a vendor access PHI without a BAA. The common misconception is that a vendor’s “HIPAA Ready” marketing page replaces the contract, but OCR only accepts a signed, two-party agreement as proof.

A named example clarifies the stakes. Dr. Patel buys a transcription service that offers a BAA only on its top tier, and he picks the free tier to save money. When a laptop is stolen, OCR treats every transcript as an unauthorized disclosure, and Dr. Patel cannot point to a BAA to shift responsibility.

Step 2 — Demand a Written Risk Analysis

45 CFR 164.308(a)(1)(ii)(A) requires every business associate to run an enterprise-wide risk analysis. The analysis must identify threats, vulnerabilities, and the likelihood of harm to ePHI, and it must be documented in writing.

If the vendor cannot produce one, assume it does not exist. OCR fined Anthem $16 million in 2018 in part because the risk analysis was incomplete. A common misconception is that a penetration test equals a risk analysis, but a pen test is only one input into the broader analysis required by NIST 800-66r2.

An example brings it down to earth. Jenna, a compliance officer at a midsize hospital, asks a scheduling startup for its risk analysis. The startup sends a one-page “security overview” instead, so Jenna rejects the vendor and avoids what later becomes the 2024 Change Healthcare breach-class cascade.

Step 3 — Verify Encryption Everywhere

Encryption is the safe harbor of HIPAA. Loss of encrypted PHI whose decryption key remains protected is generally not a reportable breach under the HHS encryption safe harbor guidance. That single fact can save a company millions.

The app must use TLS 1.2 or TLS 1.3 for data in transit, AES-256 for data at rest, and strong key management separate from the data store. An example: Marcus, a developer at a telehealth startup, stores database backups in a public S3 bucket with server-side encryption off. A scanner finds the bucket, 800,000 records leak, and because the data was not encrypted, the full breach notification clock starts.

Step 4 — Test Authentication and MFA

Under 45 CFR 164.312(d), the app must verify that a person seeking access is who they claim to be. The 2025 proposed rule elevates multi-factor authentication from “addressable” to mandatory for almost every workforce role.

The consequence of weak auth is credential stuffing. A common misconception is that SMS codes are enough, but the NIST 800-63B digital identity guidance warns against SMS for restricted applications and favors app-based authenticators or hardware keys. In 2024, Kaiser Permanente reported a breach affecting 13.4 million people, tied to login and tracking exposure.

Step 5 — Inspect the Audit Logs

An audit log that records who saw what, when, and from where is the only way to investigate a breach. 45 CFR 164.312(b) requires “hardware, software, and/or procedural mechanisms that record and examine activity” in systems containing ePHI.

The consequence of weak logs is a larger breach class. When Memorial Healthcare Systems paid $5.5 million in 2017, the OCR press release specifically called out missing audit controls. An example: Sophie, an IT director, asks a chatbot vendor to show raw logs for a demo account; when the vendor cannot filter by user ID and timestamp within five minutes, she assumes the logs are marketing fiction.
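The "who saw what, when, and from where" record above can be made tamper-evident by chaining each entry to the hash of the one before it. This added example, constructed for this guide and not code from the article or any vendor, does that in plain Python and also answers Sophie's demo question: filter by user ID and time window. User IDs, IPs and timestamps are made up.

```python
"""Hash-chained audit log for ePHI access events (constructed example).
Each entry commits to the previous entry's hash, so editing or deleting a
record breaks verification, and the log can be filtered by user and time."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first entry


def _digest(prev_hash: str, entry: dict) -> str:
    # Canonical JSON so the same fields always hash identically.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []  # each item: {"entry": {...}, "hash": str}

    def record(self, user_id, action, resource, source_ip, ts):
        """Append one access event: who, did what, to which record, from where, when."""
        entry = {
            "ts": ts.astimezone(timezone.utc).isoformat(timespec="seconds"),
            "user_id": user_id,
            "action": action,
            "resource": resource,
            "source_ip": source_ip,
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"entry": entry, "hash": _digest(prev, entry)})
        return len(self.entries) - 1

    def verify(self):
        """Recompute the chain; return (ok, index of first bad entry or None)."""
        prev = GENESIS
        for i, item in enumerate(self.entries):
            if not hmac.compare_digest(_digest(prev, item["entry"]), item["hash"]):
                return False, i
            prev = item["hash"]
        return True, None

    def query(self, user_id=None, start=None, end=None):
        """Filter by user ID and/or an inclusive UTC time window."""
        out = []
        for item in self.entries:
            e = item["entry"]
            t = datetime.fromisoformat(e["ts"])
            if user_id is not None and e["user_id"] != user_id:
                continue
            if start is not None and t < start:
                continue
            if end is not None and t > end:
                continue
            out.append(e)
        return out


def build_sample_log():
    """Constructed sample events for a demo account (not real data)."""
    log = AuditLog()
    base = datetime(2025, 3, 4, 9, 0, tzinfo=timezone.utc)
    log.record("nurse.j", "VIEW", "patient/1001/chart", "10.0.4.12", base)
    log.record("dr.patel", "VIEW", "patient/1001/labs", "10.0.4.30", base.replace(minute=5))
    log.record("nurse.j", "EXPORT", "patient/1002/chart", "10.0.4.12", base.replace(minute=20))
    return log
```

In production the chain head would be written to a separate, append-only store so an attacker with database access cannot rewrite the whole chain consistently.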

Step 6 — Request Third-Party Attestations

A SOC 2 Type II report under the AICPA framework or a HITRUST r2 certification shows an independent auditor tested the controls over a period of months. These are not HIPAA “certifications,” but they are the strongest proxies the industry uses.

The consequence of skipping this check is trusting marketing. The common misconception is that ISO 27001 alone covers HIPAA, but it does not map the full set of 164.308 administrative safeguards. Example: Andre, a CIO, demands a HITRUST r2 letter from a new remote patient monitoring vendor and discovers the vendor is only r1 certified, which covers fewer controls.

Step 7 — Map the Subcontractor Chain

The HITECH Omnibus Rule extended HIPAA liability to every downstream subcontractor that touches PHI. Each one must sign a BAA with its upstream business associate.

The consequence of a missing subcontractor BAA is joint liability. In 2016, Care New England paid $400,000 after a subcontractor lost a backup tape. A common misconception is that cloud providers’ standard terms replace a BAA; they do not, unless the provider explicitly signs one, which AWS, Google Cloud, and Microsoft Azure all offer.

Step 8 — Confirm Patient Access Support

The OCR Right of Access Initiative has produced more than 50 enforcement actions since 2019. Patients must get electronic copies of their designated record set within 30 days.

The consequence of blocking access is a fast fine, often $15,000 to $240,000 per case. Example: Priya, a patient, requests her telehealth notes, and the app forces her to fax a release form; the clinic later pays a settlement after Priya complains to OCR.

Step 9 — Review the Incident Response Plan

45 CFR 164.308(a)(6) requires written procedures for security incidents. The plan must include detection, response, mitigation, documentation, and breach notification within 60 days.

The consequence of a weak plan is reputational and financial. Advocate Health Care paid $5.55 million in 2016 after slow incident response. Example: Luis, a compliance lead, tabletop-tests a vendor’s plan and catches that the vendor’s on-call engineer has no authority to notify affected individuals, which would blow the 60-day clock.

Step 10 — Check for Tracking Pixels and Analytics

In 2022 and again in 2024, OCR warned that third-party tracking technologies on authenticated pages transmit PHI to ad networks. The OCR tracking technologies bulletin is now the single most cited Privacy Rule guidance.

The consequence of ignoring this is massive class actions, like the Meta Pixel healthcare litigation that swept hospitals nationwide. Example: Rachel, a marketing director at a dermatology group, removes Google Analytics from the patient portal after she sees her own test results appear in a remarketing ad.
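Rachel's review can be automated. The added example below, constructed for this guide and not code from the article or any vendor, parses the rendered HTML of an authenticated portal page, allowlists first-party hosts, and reports every other script, image or iframe load plus inline pixel bootstrap calls. The sample page, clinic hostname and placeholder IDs are made up; the tracker hostnames are the public endpoints of the services named in the article.

```python
"""Find third-party tracking loads in the HTML of an authenticated page (constructed example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Public endpoints of the trackers the OCR bulletin scenario concerns; used only for labelling.
KNOWN_TRACKERS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",
    "www.googletagmanager.com": "Google Tag Manager",
    "www.google-analytics.com": "Google Analytics",
    "analytics.tiktok.com": "TikTok Pixel",
}
INLINE_MARKERS = ("fbq(", "gtag(", "ttq.load(", "dataLayer.push(")


class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.loads = []    # (tag, url) for script/img/iframe with a src
        self.inline = []   # bodies of inline <script> blocks
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.loads.append((tag, a["src"]))
        elif tag == "script":
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def _host(url):
    # Scheme-relative URLs ("//host/...") still leave the first party; relative paths do not.
    return urlparse("https:" + url if url.startswith("//") else url).hostname


def find_third_party_loads(html, first_party_hosts):
    """Return a list of findings; an empty list means no third-party loads were seen."""
    p = _Collector()
    p.feed(html)
    findings = []
    for tag, url in p.loads:
        host = _host(url)
        if host is None or host in first_party_hosts:
            continue
        findings.append({"kind": tag, "host": host,
                         "label": KNOWN_TRACKERS.get(host, "unknown third party")})
    for body in p.inline:
        hit = next((m for m in INLINE_MARKERS if m in body), None)
        if hit:
            findings.append({"kind": "inline", "host": None, "label": "inline call " + hit})
    return findings


# Constructed results page for a fictitious portal; IDs are placeholders, not real pixel IDs.
SAMPLE_PORTAL_PAGE = """<html><head>
<script src="/static/portal.js"></script>
<script>fbq('init', 'PIXEL_ID_PLACEHOLDER'); fbq('track', 'PageView');</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=GA_ID_PLACEHOLDER"></script>
</head><body><h1>Lab results</h1>
<img src="//www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&amp;ev=PageView" height="1" width="1" />
<img src="/static/logo.png"></body></html>"""


def scan_sample():
    return find_third_party_loads(SAMPLE_PORTAL_PAGE, {"portal.example-clinic.test"})
```

Run this against every authenticated route in a staging build as a release gate; a tag manager is flagged on purpose, because anything it loads later is outside your review.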

The Three Scenarios You Will Likely Face

The table below shows how common procurement decisions play out against HIPAA. Each row is a real pattern OCR has investigated in the last three years, and the consequence column pulls from published enforcement actions.

Decision You Make | Likely Outcome Under HIPAA
Use a consumer app (e.g., a free period tracker) without a BAA for a clinical purpose | The app is not HIPAA-covered, but you become liable; a Flo Health FTC settlement-style enforcement is likely
Use a SaaS EHR with a signed BAA, MFA, SOC 2, and audit logs | You pass OCR audit, and the vendor shares liability for a breach
Use a telehealth tool during a public health emergency without checking the BAA | You relied on the now-expired HHS OCR notification of enforcement discretion, which ended in 2023, so you are now fully exposed

Real-World Examples: Apps That Got It Right and Wrong

Epic MyChart — A Compliance Benchmark

Epic’s MyChart is the most widely used patient portal in the U.S., and it works because Epic signs a BAA with every health system, runs HITRUST r2, and publishes a Security and Privacy resource set. Hospitals that deploy MyChart inherit a documented control environment.

The consequence of that investment is lower breach risk. The common misconception is that hospitals can bolt on analytics to MyChart pages freely, but Epic’s own guidance after the 2023 pixel wave was to disable third-party tracking on authenticated views. Example: Dr. Chen turns off a Facebook Pixel in MyChart after reviewing the OCR bulletin, and the clinic avoids joining the 30+ hospitals named in class actions.

GoodRx — A Cautionary Tale

GoodRx’s 2023 FTC settlement is the clearest proof that an app can avoid the HIPAA label and still be punished. GoodRx shared prescription data with Facebook and Google for targeted ads.

The consequence was a $1.5 million civil penalty and a prohibition on sharing health data for ads. A common misconception is that if users “consent” to analytics, no rule is broken, but the FTC rejected the consent defense because disclosures to ad platforms were not clearly revealed.

Cerebral — The Pixel Breach

Cerebral’s 3.18 million-person breach came from Meta, Google, and TikTok pixels on intake forms. Cerebral self-reported in 2023, landing on the HHS breach portal.

The consequence was loss of payer contracts and class litigation. Example: Omar, an engineering lead at a mental health startup, uses Cerebral’s story to justify a zero-pixel policy on any authenticated page, pushing analytics to a server-side, de-identified pipeline.

Mistakes to Avoid

Each mistake below has produced a documented settlement or breach, and each costs real money. Read this list before you buy, build, or deploy any health-data app.

  • Skipping the BAA because the vendor “says” it is HIPAA compliant, which triggers direct OCR liability for you.
  • Treating “addressable” safeguards as optional, which the proposed 2025 rule will eliminate in May 2026.
  • Storing PHI on a user’s device without encryption, which violates 45 CFR 164.312(a)(2)(iv).
  • Including PHI in push notifications, which FTC guidance treats as an unauthorized disclosure.
  • Keeping tracking pixels on authenticated pages after the OCR 2024 bulletin.
  • Using SMS-only MFA, which NIST 800-63B discourages.
  • Failing to run an annual risk analysis, which OCR cites in nearly every settlement.
  • Ignoring subcontractor BAAs, which creates joint-liability exposure.
  • Missing the 60-day breach notification window, which adds willful-neglect penalty tiers.
  • Marketing an app as “HIPAA certified,” which OCR has never recognized and which the FTC treats as deceptive.

Do’s and Don’ts Before You Approve an App

These rules apply whether you are a covered entity, a business associate, or a developer pitching to one. The “why” behind each line ties to either a statute or a published settlement.

  • Do sign a BAA before the first byte of PHI moves, because 45 CFR 164.502(e) makes the BAA a precondition.
  • Do require MFA for every workforce user, because the proposed 2025 rule will demand it.
  • Do document every risk analysis, because OCR requires written proof under 164.316.
  • Do encrypt PHI in transit and at rest, because the encryption safe harbor can keep a lost device or leaked backup from becoming a reportable breach.
  • Do audit subcontractors annually, because the Change Healthcare cascade started one layer deep.
  • Don’t trust vendor “HIPAA compliant” logos, because no federal agency issues them.
  • Don’t send PHI through unsecured email or SMS, because the channel itself lacks Security Rule controls.
  • Don’t reuse admin credentials across environments, because it torpedoes the access-control safeguard.
  • Don’t delete audit logs before six years, because 164.316(b)(2) sets a six-year retention floor.
  • Don’t rely on consumer-grade analytics on any page that displays PHI, because OCR now treats pixel data as PHI.

Pros and Cons of Using a Pre-Built HIPAA-Compliant Platform

Buying a platform with a signed BAA (like AWS HIPAA-eligible services or Google Cloud’s HIPAA posture) saves time. It also shifts some risk, but it does not eliminate your responsibility to configure the service correctly.

Weigh the tradeoffs below before you sign a multi-year contract.

  • Pro: The vendor’s SOC 2 and HITRUST attestations cut your audit workload in half, saving months.
  • Pro: A signed BAA creates a clear liability boundary between you and the cloud provider.
  • Pro: Pre-built encryption, MFA, and logging features accelerate launch by 6-12 months.
  • Pro: Downstream subcontractor management is handled by the vendor, reducing your mapping effort.
  • Pro: Rapid security patching shrinks the window a zero-day can hurt you.
  • Con: You inherit the vendor’s shared-responsibility model, so misconfigurations on your side are still your fault.
  • Con: Pricing is higher than generic cloud tiers, often 25-40% more.
  • Con: You depend on the vendor’s incident-response timelines, which may not match your 60-day clock.
  • Con: Data portability is weaker, making vendor switches painful.
  • Con: Feature roadmaps tilt toward large health systems, leaving small practices with gaps.

Key Entities You Need to Know

The U.S. Department of Health and Human Services (HHS) is the parent agency, and its Office for Civil Rights (OCR) enforces HIPAA. The Federal Trade Commission (FTC) handles health apps that fall outside HIPAA through the Health Breach Notification Rule. The National Institute of Standards and Technology (NIST) publishes the 800-66r2 and 800-53 frameworks that OCR uses as benchmarks.

Covered entities include health plans, health care clearinghouses, and most health care providers that transmit information electronically. Business associates include any vendor that creates, receives, maintains, or transmits PHI for a covered entity. Subcontractors are downstream business associates, and they are equally liable under the Omnibus Rule.

Each entity’s role feeds the next. OCR investigates, NIST informs the controls, and the FTC fills the gaps for consumer-facing apps. A named example: when Easy Healthcare’s Premom app leaked fertility data to China-based analytics firms in 2023, the FTC stepped in because Premom was not a HIPAA business associate.

Recap of Key Enforcement Rulings

Court and agency rulings define how HIPAA compliance is judged in practice. Knowing the top cases helps you defend procurement choices.

State-Level Nuances That Touch Apps

HIPAA is the federal floor, and states can raise it. California’s Confidentiality of Medical Information Act (CMIA) extends to health apps that collect information from a provider or patient. Texas HB 300 makes any entity with PHI a covered entity in Texas, which sweeps in many apps HIPAA would not.

Washington’s My Health My Data Act (RCW 19.373) went into force in 2024 and gives consumers a private right of action for health-data violations, with per-violation damages. The consequence of ignoring state law is layered fines and class litigation.

An example: Rebecca, a startup founder in Seattle, builds a menopause tracker that is not a HIPAA business associate; under Washington’s My Health My Data Act, she still must gather affirmative consent before collecting symptom data. A common misconception is that “HIPAA preempts state law,” but HIPAA only preempts weaker state laws, not stronger ones.

FAQs

Is there an official HIPAA certification body?

No. The U.S. Department of Health and Human Services does not certify any app, vendor, or platform as HIPAA compliant. Third-party attestations like HITRUST or SOC 2 are proxies, not certifications.

Does a free health app need a BAA?

Yes, if the free app creates, receives, maintains, or transmits PHI for a covered entity. Price does not change HIPAA status, and a free tier without a BAA cannot handle PHI legally.

Is my fitness tracker HIPAA covered?

No, most consumer wellness wearables are outside HIPAA because the consumer, not a covered entity, collects the data. They can still be covered by the FTC Health Breach Notification Rule and state laws like Washington’s My Health My Data Act.

Does HIPAA apply to apps used by patients at home?

Yes, whenever a covered entity directs the patient to use the app or shares PHI through it. A clinic’s patient portal is HIPAA covered; a patient’s personal journal app usually is not.

Can an app be HIPAA compliant without encryption?

Not in practice, even though encryption is technically “addressable.” Without encryption you cannot rely on the safe harbor, so every breach becomes reportable and the fines stack up fast.

Must a HIPAA app support multi-factor authentication?

Yes, under the proposed 2025 rule, which is expected to be finalized in May 2026. Even today, OCR views MFA as the baseline expectation given current cyber threats.

Can I use Google Analytics on a HIPAA-covered app?

No, not on authenticated pages that reveal PHI. The OCR online tracking bulletin treats pixel transmissions to ad networks as unauthorized disclosures.

Is Zoom HIPAA compliant?

Yes, but only the Zoom Workplace for Healthcare tier with a signed BAA. The free consumer version is not HIPAA compliant.

Does HIPAA apply to AI chatbots handling patient questions?

Yes, when the chatbot processes PHI on behalf of a covered entity. The AI vendor must sign a BAA and comply with the Security Rule, as clarified in the OCR 2024 AI guidance.

What happens if I use a non-HIPAA app to store patient records?

No safe harbor applies, and you face direct OCR penalties up to $2,134,831 per category per year. Your patients can also file OCR complaints and state lawsuits.

Does HIPAA preempt state privacy laws?

No, HIPAA only preempts weaker state laws. Stronger state statutes like California’s CMIA and Washington’s My Health My Data Act still apply in full.

Is a mental-health app covered by HIPAA?

Yes, when it serves a covered entity or receives referrals from one. Direct-to-consumer mental-health apps like the pre-settlement BetterHelp model can still face FTC action even when HIPAA does not apply.