For Health-Tech Vendors & SaaS Platforms

HIPAA Business Associate Compliance
Built for How Your Product Works

Health-tech companies that touch patient data are business associates under HIPAA — and directly liable since the HITECH Act. Whether a customer just asked for attestation, you're trying to get ahead of it, or you just realized the requirement applies to you — we build the program.

Former HHS Asst. IG · 200+ Organizations Served · 100% Remote

Book a Free BA Consultation

15 minutes with Jay. He'll tell you whether you're actually a business associate, what your obligations are, and whether you need us or you can handle it yourself.

No obligation. No sales pitch. Not sure if you're a BA? We'll tell you in the first 5 minutes.

40+ years HIPAA & federal enforcement
200+ organizations served
Founded 2013 — nationwide practice
50 states served nationwide

Most health-tech companies find out they need HIPAA compliance under pressure.

Sometimes it's a customer asking for attestation. Sometimes it's a "wait, this applies to us?" moment. Sometimes it's a founder getting ahead of the curve before a healthcare deal forces the issue. Whichever way you got here, the work is the same — and the sooner you start, the less like a crisis it feels.

Here's what we see in nearly every health-tech company we assess:

You have a BAA but no compliance program behind it.

The BAA is a contract. HIPAA compliance is the program behind it — risk assessment, custom policies, workforce training, incident response. Having one without the other is a deal-killer when your buyer's security team reviews.

"Our cloud provider has a BAA, so we're covered."

AWS, Azure, and GCP sign BAAs that cover their HIPAA-eligible infrastructure. Your application layer, your workforce, your policies, your incident response, your subcontractors — none of that is covered. Direct BA liability means all of it is on you.

No risk assessment means meaningfully higher exposure.

Since the HITECH Act (2009), business associates are directly liable for HIPAA violations — not just contractually through a BAA. A breach with no prior risk assessment lands you in a meaningfully higher penalty tier. Your healthcare buyer's security team knows this before they even ask for the attestation.

Compliance is infrastructure. Once you have it, it stops being a crisis.

Not sure if you're a business associate? Most health-tech companies that touch Protected Health Information (PHI) qualify — and many don't know it. We'll tell you in the first 5 minutes of a call.

"The BAA is a contract. The program is what makes that contract mean anything."

What changes when you have the program your buyers are asking for

A defensible BA compliance program isn't just about avoiding penalties — it's a sales asset that unblocks deals and shortens security review cycles.

A defensible BA program

Custom policies specific to your architecture, a documented 200+ question risk assessment, trained workforce, incident response plan. The program that HIPAA actually requires — not a dashboard.

BAAs you actually understand

Your vendor chain mapped, your obligations clear, your subcontractor risk managed. No more signing BAAs you haven't read because the deal was on the line.

Attestation your buyers accept

A Letter of Attestation documenting your compliance posture — the kind healthcare security teams actually accept during vendor review. Not a self-signed PDF, not a software badge.

Coverage for direct liability

When the HHS Office for Civil Rights (OCR) — the federal agency that enforces HIPAA — comes knocking, you have the paper trail. Documented program, contemporaneous records, defensible decisions. The difference between technical guidance and a corrective action plan.

Book My Free BA Consultation

15 minutes. No obligation. We'll tell you if you don't need us.

The investigator is now on your side.

Jay Hodes

President — Colington Consulting

Former Asst. Inspector General, HHS

Jay served as Assistant Inspector General for Investigations at the U.S. Department of Health and Human Services — the agency that enforces HIPAA. He's worked both sides of the table: the federal enforcement side that writes findings, and the client side that has to respond to them.

He works with health-tech vendors and SaaS platforms to stand up the compliance programs their healthcare buyers require.

With 40+ years of combined experience in risk assessments, regulatory compliance, and federal law enforcement management, Jay has personally conducted thousands of assessments — from solo practices to multi-state enterprises. For health-tech BAs, that translates into a program your healthcare customer's security team will actually accept.

He's not going to sell you something you don't need. He recently told a company they didn't need HIPAA compliance at all — they weren't a covered entity or business associate. If you don't need it, he'll tell you straight.

Fmr. Asst. Inspector General, HHS
Expert witness in HIPAA litigation
80+ published articles on HIPAA
Top 10 HIPAA Consulting Firm (2020, 2024, 2025)

"Your healthcare buyer isn't asking if you have compliance software. They're asking if you have a program. Let's give them an answer."

Four steps to a BA compliance program your buyers will accept.

1. Free Consultation (15 minutes)

Tell us about your product, your customers, and how PHI flows through your system. Jay gives you an honest read on your BA scope and whether what you have today would hold up in a buyer's security review.

2. BAA Review & Scope Definition (~1 week)

We review your existing BAAs (with customers, cloud providers, subcontractors), map your vendor chain, and define the scope of your compliance obligations. You'll know exactly what you're liable for and who you're liable to.

3. Risk Assessment & Policy Build (~3-6 weeks)

Jay personally conducts the 200+ question Security Risk Assessment. Our policy team writes custom policies tailored to your architecture — not templates. Your workforce gets trained. Your incident response plan gets documented.

4. Attestation & Ongoing Support

A documented Letter of Attestation you can send to prospects during security review. Annual refresh. Policy updates as regulations change. When your buyer's compliance team asks for documentation, you send it — same day.

Most health-tech BAs are audit-ready within a few weeks to a couple of months. If there's a specific deal at stake, we can expedite around your sales cycle.

What we deliver for business associates.

A full BA compliance program, scoped to your product and your customers. Not a checklist. Not a dashboard. Actual deliverables your healthcare buyer's security team will accept.

BAA Review & Drafting Support

Review existing BAAs from customers, cloud providers, and subcontractors. Draft new ones when you need them.

Security Risk Assessment

200+ question assessment conducted directly by Jay — threats, vulnerabilities, high-risk findings specific to your architecture.

Custom Policies & Procedures

Manually customized by our policy writer. Not templates. Not AI-generated. Tailored to how your product and workforce actually operate.

Workforce Training

Required annual training for all staff who touch PHI — engineering, support, data teams. Documented and compliant.

Subcontractor & Vendor Chain Review

Map every vendor that touches your PHI path. Identify missing BAAs. Define obligations for each node in the chain.

Letter of Attestation

Documentation of your compliance posture you can send to prospects during security review. The artifact that unblocks deals.

Incident & Breach Response Planning

Documented response plan. Notification workflows. The paper trail OCR will ask for if something goes wrong.

Ongoing Compliance Maintenance

Policy updates as regulations change. Annual re-attestation. Audit-ready documentation maintained year over year.

Software tracks. We do the work.

Compliance automation platforms are great tools for evidence collection, dashboards, and ongoing monitoring. They're not designed to write custom policies, run the risk assessment interview, or respond to an active breach. That's work a person does — not a platform.

Compliance software platforms

What they're good at

  • Tracking controls and evidence at scale
  • Automating evidence collection from cloud accounts
  • Dashboards and continuous monitoring
  • SOC 2 and ISO 27001 workflows
  • Ongoing evidence refresh for existing programs

Real HIPAA compliance work

What requires a person

  • Custom policies specific to your architecture
  • Risk assessment interview — with someone who can explain it
  • Subcontractor and vendor chain evaluation
  • Breach response judgment under federal scrutiny
  • Regulatory judgment calls a tool can't make

If your healthcare prospect is asking for attestation, they're asking whether you have the program — not whether you have the dashboard.

Questions we hear from health-tech founders.

No. The cloud BAA covers their HIPAA-eligible infrastructure — specific services listed in the BAA, configured correctly. It does not cover your application, your workforce, your policies, your incident response, or your subcontractors. Under direct business associate liability (HITECH Act, 2009), all of that is on you. Your healthcare buyer's security team knows this and will ask for proof you have the program behind the infrastructure.

If you create, receive, maintain, or transmit PHI on behalf of a covered entity, you're a business associate under HIPAA — and since HITECH you're directly liable for compliance, not just contractually through a BAA. That includes most health-tech SaaS: scheduling tools, billing platforms, messaging services, analytics, AI tools that process clinical data, and many more. If you're not sure whether you qualify, that's the first thing we'll tell you on a 15-minute call — and if you don't qualify, we'll say so.

A Business Associate Agreement is a contract between you and a covered entity (or another BA) that defines how you'll handle PHI. It's one specific document. HIPAA compliance is the program behind the contract — the risk assessment, the policies, the training, the safeguards, the incident response plan. Signing a BAA without the program behind it doesn't make you compliant. Most health-tech companies have the BAA but not the program, and that's exactly where deals stall.

Every vendor or subcontractor that touches PHI on your behalf is a business associate of yours — and you need a BAA with each one. The whole chain has to be documented: who has PHI, what BAAs are in place, what flows where. We map your vendor chain as part of the scope definition step and identify missing BAAs, so when OCR or a buyer asks "who else touches this data?" you have the answer.

Most health-tech BAs are audit-ready within a few weeks to a couple of months, depending on the complexity of your architecture and existing documentation. The questionnaire takes a few days. Policy drafting takes about two weeks. Risk assessment and training scheduling follows. If there's a specific deal at stake with a real deadline, we can expedite around your sales cycle.

The math is usually deal-size math, not penalty-avoidance math. Healthcare enterprise contracts often dwarf a compliance program's cost — and the program is reusable across every healthcare deal you close going forward, not a one-time tax per deal. Add in the downside protection from direct BA liability (one breach with no compliance program is a significantly higher penalty tier) and the calculus tends to be straightforward. We'll walk you through it honestly on the first call.

Find out where your BA compliance stands.

15 minutes with Jay. He'll tell you what your healthcare buyers are actually asking for — and whether you need us to build it or you already have what you need.

What happens next: You'll pick a time on the next page. Jay calls you for a 15-minute BA scope assessment.

Prefer to call? 844.740.7100