What is HIPAA?

HIPAA is a U.S. healthcare privacy and security law. It sets expectations for how certain healthcare organizations and the vendors that support them handle protected health information.
For Canadian companies, HIPAA usually becomes relevant when you work with U.S. healthcare clients or touch U.S. patient data through your product or services.
What HIPAA is trying to protect
HIPAA focuses on safeguarding protected health information (PHI), meaning health information that can identify an individual.
PHI can show up in more places than people expect, including:
- Patient records and clinical notes
- Appointment, billing, and insurance details
- Support tickets and call recordings
- Logs, screenshots, and exported reports
Who HIPAA applies to (in practical terms)
HIPAA often applies to:
- U.S. healthcare organizations and health plans
- Vendors that handle PHI on their behalf
If you’re a vendor, you may be asked to sign a business associate agreement (BAA) and demonstrate that you have appropriate safeguards and documentation.
What HIPAA compliance usually looks like in practice
Most HIPAA “compliance” work is operational. Common expectations include:
- Clear understanding of where PHI flows and where it’s stored
- Strong access controls (MFA, least privilege, clean off-boarding)
- Security safeguards (encryption, monitoring, incident response readiness)
- Vendor and subcontractor controls
- Documentation you can stand behind during security reviews
If you want to formalize data flows and privacy risk, start with: Privacy Impact Assessment (PIA)
HIPAA readiness for Canadian companies
A practical approach is to:
- Confirm whether you actually touch PHI or just adjacent data
- Set clear boundaries for what vendors can receive
- Implement baseline controls and documentation
- Add assessment and testing where needed
If you need a baseline privacy program first, start here: Minimum Viable Privacy (MVP)
Want help scoping HIPAA expectations?
If you’re selling into U.S. healthcare or supporting U.S. patient data, we can help you confirm scope and build a realistic plan.
