HIPAA Policies for UK SaaS Serving US Healthcare

11 policies covering the HIPAA Security and Privacy Rules — written for UK SaaS firms operating as Business Associates to US covered entities. BAA-ready in 48 hours.


ISO 27001 Core Set pack

16 policies · £400 one-off

Pair with our HIPAA add-on for Business Associate readiness


What is HIPAA?

Quick answer. HIPAA (Health Insurance Portability and Accountability Act 1996) is the US federal law governing protected health information (PHI). The Privacy Rule covers use and disclosure; the Security Rule covers safeguards for electronic PHI (ePHI); the Breach Notification Rule sets timelines and disclosure thresholds. Enforced by the US Department of Health and Human Services Office for Civil Rights (HHS OCR), with tiered civil penalties capped at $2,134,831 per violation type per calendar year (2024 inflation-adjusted).

The Health Insurance Portability and Accountability Act is a US federal law regulating Protected Health Information (PHI). It applies to Covered Entities (US healthcare providers, health plans, clearinghouses) and to their Business Associates, meaning any vendor that creates, receives, maintains or transmits PHI on their behalf. Since the 2013 Omnibus Rule implemented HITECH, Business Associates are directly liable under the Security Rule and the Privacy Rule provisions that apply to them, so a UK SaaS firm in that chain answers to HHS OCR in its own right, not only to its client.

HIPAA's two key rules are the Security Rule (technical, administrative and physical safeguards for electronic PHI) and the Privacy Rule (how PHI can be used and disclosed, patient rights). The HITECH Act layered on breach-notification obligations and stricter enforcement. HHS Office for Civil Rights (OCR) enforces it, including against non-US Business Associates.

Who needs HIPAA policies?

Quick answer. US-headquartered covered entities (health plans, providers, clearinghouses) and business associates. For UK firms, the question is whether you act as a business associate to a US covered entity — common for UK SaaS providers selling into US healthcare, BPOs handling PHI on behalf of US payers, and clinical-trial subcontractors. If you handle PHI under a Business Associate Agreement, HIPAA applies regardless of geography.

  • UK SaaS firms with US healthcare clients — EHR vendors, telehealth platforms, patient-engagement tools, analytics providers.
  • UK BPO and support providers handling PHI on behalf of US hospitals or clinics.
  • UK AI and ML firms training on US health data: double scrutiny on de-identification (§164.514(b), Safe Harbor or Expert Determination) and on safeguards for any identifiable training data.
  • UK cloud and hosting providers used by US covered entities: typically BAA signatories. Per OCR's cloud guidance, storing encrypted ePHI makes you a Business Associate even if you never hold the decryption key.
  • UK medical devices and digital health startups selling into the US market.

Policies you need for HIPAA

Quick answer. Among the areas the HHS OCR audit protocol tests are these 11 policy areas: privacy practices notice, minimum necessary, uses and disclosures, individual rights (access, amendment, accounting), business associate management, breach notification, administrative safeguards, physical safeguards, technical safeguards (access controls, audit logs, encryption), workforce training and contingency plan. PolicySuite’s US Healthcare pack covers all 11 with HIPAA-specific language.

The Security Rule's Administrative Safeguards (§164.308) comprise nine standards, and the Privacy Rule adds several more policy areas. These 11 policies are the typical Business Associate scope for a UK SaaS firm:

Administrative Safeguards

§164.308 — security management, workforce, training, sanctions.

Physical Safeguards

§164.310 — facility access, workstation use, device controls.

Technical Safeguards

§164.312 — access control, audit, integrity, transmission security.

Breach Notification

45 CFR §§164.400–414 (added under HITECH). As a Business Associate you notify the covered entity without unreasonable delay and no later than 60 days after discovery (§164.410); the covered entity then notifies affected individuals and HHS (§§164.404, 164.408). Your BAA will usually shorten that 60-day outer limit.

Workforce Training

Role-based HIPAA training on hire and annually.

Business Associate Agreements

BAA template + process for signing with covered entities and sub-BAs.

Minimum Necessary Standard

Privacy Rule §164.502(b) and §164.514(d): role-based limits on which PHI fields each workforce role may access, use or disclose.

PHI Access

Patient rights: access (§164.524), amendment (§164.526), accounting of disclosures (§164.528), including the process for routing requests that reach you to the covered entity.

Risk Analysis

§164.308(a)(1)(ii)(A) — ongoing risk analysis of ePHI systems.

Contingency Plan

§164.308(a)(7) — DR, emergency mode, data backup plan.

Security Awareness

§164.308(a)(5) — security reminders, malware, logins, passwords.
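Two of the policies above, Minimum Necessary (§164.502(b)) and the Technical Safeguards' audit controls and integrity standards (§164.312(b), (c)), only hold up in an audit if the application actually enforces them. The following is an added illustration of what that enforcement looks like in code; it is not PolicySuite code, not a model policy and not prescribed by HIPAA. The role names, field names, sample record and SHA-256 hash-chaining scheme are assumptions made for the example.

```python
"""Minimum-necessary PHI access with a tamper-evident audit trail.

Added illustration only: not PolicySuite code and not a model policy.
Role names, field names, the sample record and the hash-chaining scheme
are assumptions made for this example.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample ePHI record for the example; no real patient data.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Example Patient",
    "dob": "1980-01-01",
    "diagnosis_codes": ["E11.9"],
    "medications": ["metformin"],
    "insurance_member_id": "M-123456",
    "billing_amount": 250.00,
}

# Minimum Necessary (45 CFR 164.502(b), 164.514(d)): each workforce role sees
# only the fields its job function needs. Assumed roles; map them to your own
# job descriptions and keep this table under change control.
ROLE_FIELDS = {
    "clinician": {"patient_id", "name", "dob", "diagnosis_codes", "medications"},
    "billing": {"patient_id", "name", "insurance_member_id", "billing_amount"},
    "support_engineer": {"patient_id"},  # enough to locate a record, nothing clinical
}

GENESIS_HASH = "0" * 64  # anchor for the first audit entry


def _entry_hash(prev_hash, entry):
    """SHA-256 over the previous entry's hash plus this entry's canonical JSON."""
    payload = prev_hash + json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def access_record(user, role, record, purpose, audit_log):
    """Return the role's permitted view of `record`. Every attempt, allowed or
    denied, is appended to `audit_log` as a hash-chained entry (164.312(b))."""
    allowed = ROLE_FIELDS.get(role)
    prev_hash = audit_log[-1]["hash"] if audit_log else GENESIS_HASH
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "patient_id": record.get("patient_id"),
        "purpose": purpose,
        "fields": sorted(allowed) if allowed is not None else [],
        "outcome": "allowed" if allowed is not None else "denied",
    }
    entry["hash"] = _entry_hash(prev_hash, entry)
    audit_log.append(entry)
    if allowed is None:
        raise PermissionError(f"role {role!r} has no PHI entitlement")
    return {k: v for k, v in record.items() if k in allowed}


def verify_chain(audit_log):
    """Recompute every hash (164.312(c) integrity): an edited, reordered or
    deleted entry breaks the chain from that point on."""
    prev_hash = GENESIS_HASH
    for entry in audit_log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if _entry_hash(prev_hash, body) != entry["hash"]:
            return False
        prev_hash = entry["hash"]
    return True


def demo():
    """Allowed, restricted and denied access, then an after-the-fact log edit."""
    log = []
    clinician_view = access_record("dr.a", "clinician", SAMPLE_RECORD, "treatment", log)
    billing_view = access_record("b.b", "billing", SAMPLE_RECORD, "payment", log)
    try:
        access_record("m.c", "marketing", SAMPLE_RECORD, "campaign", log)
    except PermissionError:
        pass  # denied, but the attempt is still in the audit trail
    intact_before = verify_chain(log)
    log[0]["user"] = "someone.else"  # simulate tampering with a stored entry
    return {
        "clinician": clinician_view,
        "billing": billing_view,
        "entries": len(log),
        "intact_before": intact_before,
        "intact_after": verify_chain(log),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points an auditor will look for: denied attempts are logged as well as allowed ones, and the chain lets you prove the log was not edited after the fact. In production the chain head would be written to append-only storage outside the application's own database, and the role-to-field table would be the artefact that your Minimum Necessary policy references.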

Realistic timeline for UK firms

Quick answer. 6–12 weeks from day zero for a UK SaaS firm taking its first HIPAA-compliant US healthcare contract. Week 1–2: BAA negotiation + scope confirmation. Week 3–4: PolicySuite generates 11 HIPAA policies + risk assessment. Week 5–8: technical controls (encryption at rest + in transit, audit logging, access reviews) implemented and evidenced. Week 9–12: workforce training rollout, breach drill, third-party validation.

Most UK SaaS firms reach Business Associate readiness in 6–12 weeks, with policies being the fastest part thanks to PolicySuite. Note that the risk analysis comes before the technical controls: §164.308(a)(1)(ii)(A) is the basis on which you choose and justify the safeguards, and OCR treats a missing or late risk analysis as a finding in its own right.

  1. Week 1: Scope PHI, meaning which systems, which data flows and which sub-processors. Buy the pack; receive bespoke policies in 48 hours.
  2. Week 2–3: Run the Security Risk Analysis (§164.308(a)(1)(ii)(A)) over every system in scope and document findings and the risk-management decisions that follow.
  3. Week 4–5: Implement the technical controls the analysis calls for: MFA, encryption at rest and in transit, audit logging, session timeouts. Keep dated evidence of each.
  4. Week 6–7: Update BAAs with sub-processors, train the workforce, run a contingency drill.
  5. Week 8–12: Present evidence to US covered-entity clients, sign BAAs, go live.

PolicySuite vs GRC platforms vs consultant vs DIY

Quick answer. HIPAA-specialist US consultants charge £15k–£60k for a full readiness engagement aimed at first-time business associates. GRC platforms (Vanta, Drata) offer HIPAA mappings but assume bring-your-own policy text and price at £15k–£50k/year. DIY templates rarely meet OCR audit standards. PolicySuite generates HIPAA-mapped policies for UK firms operating as business associates in 48 hours from £500.

UK SMEs typically compare four routes when sourcing compliance policies. Here's how they stack up on the decisions that matter.

Route: PolicySuite · GRC platforms (Vanta, Drata, SecureFrame) · Compliance consultant · DIY templates
Typical cost: £250–£1,500 one-off · £10k–£40k per year · £5k–£30k one-off · £0 + your time
Pricing model: Lifetime purchase · Annual seat-based · Project fee · Free (indefinite effort)
Time to policies ready: 48 hours · 4–8 weeks setup · 8–16 weeks · Months, rarely finished
UK-specific content: Built for UK SMEs · Partial, US-originated · If UK consultant · Partial, boilerplate templates only
Bespoke to your business: LLM-tailored from your answers · Partial, fill-in-the-blank · Yes, manual · Generic template
Framework coverage: 197 frameworks, 8 jurisdictions · 20–50 frameworks · Whatever the consultant knows · Up to you to find
Audit-ready evidence: Acknowledgements, distributions, version history · Strong, but seat-priced · You track it yourself · You track it yourself
Suits <50-person SMEs: Designed for UK SMEs · Price-prohibitive at SME scale · Sometimes, depends on scope · If you have the time
Cost to switch away: You own the docs, export anytime · Lose access on cancellation · You own the docs · You own the docs


Frequently asked questions

Does HIPAA apply to UK companies?

HIPAA is US federal law, but UK SaaS firms processing PHI on behalf of US covered entities qualify as Business Associates and are directly liable. You'll need a BAA with each US healthcare client and must demonstrate Security Rule compliance to them and — if audited — to the US HHS Office for Civil Rights.

What is a Business Associate Agreement?

A BAA is a required written contract between a covered entity and any vendor handling PHI on its behalf. It defines obligations around use, disclosure, safeguards, breach notification, and sub-contractor management. No BAA = no permitted processing of PHI. Our pack includes a model BAA template plus the policies that make it enforceable.

What policies does HIPAA require?

The Security Rule requires documented Administrative, Physical and Technical Safeguards. The Privacy Rule adds use/disclosure, minimum-necessary, patient rights and breach notification. Business Associates typically need 11 policies covering all those areas — all included in our pack.

How do HIPAA fines work?

HHS Office for Civil Rights can impose civil penalties from $141 to $71,162 per violation, capped at $2,134,831 per calendar year per violation type (2024 inflation-adjusted figures). Criminal penalties under 42 U.S.C. §1320d-6 reach $250,000 and 10 years' imprisonment where PHI is obtained or disclosed with intent to sell it, or for commercial advantage, personal gain or malicious harm. OCR actively pursues cross-border Business Associates after breach events.

Does ISO 27001 get me HIPAA compliance?

ISO 27001 covers about 80% of HIPAA Security Rule requirements but misses HIPAA-specific concepts — workforce sanctions, minimum-necessary, BAAs, the entire Privacy Rule. Most UK SaaS firms serving US healthcare run ISO 27001 as backbone plus a HIPAA-specific overlay. Our pack is designed to sit on top of ISO 27001 Core Set.

What does the HIPAA policy pack include?

11 HIPAA-aligned policies: Administrative, Physical and Technical Safeguards, Breach Notification, Workforce Training, BAAs (with model template), Minimum Necessary, PHI Access, Risk Analysis, Contingency Plan, and Security Awareness. Built for UK SaaS firms serving US covered entities — see live pricing.

Be BAA-ready for your next US client

Get 11 bespoke policies covering the HIPAA Security and Privacy Rules, with lifetime access.

Get Started — £400

References and primary sources

Quick answer. The framework guidance on this page is reviewed against the primary-source documents below. Each link resolves to an official regulator or standards-body publication so an auditor, procurement reviewer or DPO can verify the alignment without taking the page on trust.

In our experience working with UK SMEs and similar organisations across the EU and US, the framework pages that survive enterprise vendor reviews are the ones that cite primary sources rather than secondary blog posts. Many UK SMEs discover this only after their first failed vendor questionnaire: the reviewer asked for a clause-to-source map and the standard reply pointed at a marketing page rather than the relevant regulator. The references in this section are the standing set we cite from inside the policies themselves, so the chain stays intact end-to-end.