HIPAA for Canadian healthtech companies
Being Canadian doesn't exempt you. The moment US patient data touches your product, HIPAA applies — by contract, and with teeth.
What it is
HIPAA is US federal law governing protected health information (PHI). For a software vendor, the operative parts are the Security Rule (safeguards for electronic PHI), the Privacy Rule (how PHI may be used and disclosed), and the Breach Notification Rule. There is no HIPAA certificate — no auditor can hand you one. "HIPAA compliant" means your safeguards, documentation, and contracts genuinely meet the rules, and you can demonstrate it.
You'll encounter it through a Business Associate Agreement (BAA): the contract every US covered entity — health system, payer, provider — must sign with vendors that handle their PHI. Signing one makes HIPAA's obligations directly enforceable against you, Canadian or not.
Who actually needs it
Any company whose product touches US patient data: selling to US health systems or clinics, integrating with US EHRs, or serving US digital-health companies as their subprocessor. The trigger is usually the BAA landing in your inbox during procurement — often alongside a security questionnaire that assumes you've done this before.
What it takes
A formal risk analysis (the single most-cited failure in enforcement actions), documented safeguards mapped to the Security Rule, workforce training, breach response procedures, and BAAs down your own vendor chain. For a company with a real security program already, this is weeks of focused work, not months — HIPAA's safeguards are largely a subset of what SOC 2 already demands.
Without that base, budget two to four months. Either way, the risk analysis has to be honest and current — it's the document regulators ask for first.
How it maps to what you may already have
The Security Rule's safeguards overlap heavily with SOC 2 and ISO 27001 controls. Built as one program, HIPAA adds mostly the health-specific layer: PHI data mapping, the risk analysis, BAA management, and breach procedures. US health systems increasingly ask for SOC 2 and HIPAA together — one more reason to build once.
The Canadian angle
You're likely already handling Canadian health data under PHIPA (Ontario), PIPA (BC/Alberta), or their provincial siblings — and those regimes' expectations overlap substantially with HIPAA's. The wrinkle is data flows: where US PHI is stored and processed, whether it crosses the border, and what your BAA promises about it. Canadian residency commitments to provincial customers and US customers' expectations need to be reconciled in your architecture, not just your contracts.
How I help
Healthtech is my deepest vertical — I was CISO at Thrive Health and work with HeadCheck Health today, on exactly these questions. The work runs through the compliance readiness engagement; if a health-system procurement is already underway, enterprise deal support is the faster door.
A BAA on your desk?
The next step is a 30-minute conversation — no pitch, no obligation. An honest read on where you stand and what actually matters next.