

HIPAA Compliance Software: A Buyer's Guide for Clinics

What HIPAA compliance software does, the BAA requirement, how to evaluate tools, and why current pricing fits small practices.

Short answer

HIPAA compliance software helps covered entities manage the administrative, technical, and policy requirements of the HIPAA Privacy, Security, and Breach Notification Rules. Evaluating such software means looking beyond feature lists to the BAA, pricing model, and whether the tool was designed for clinical workflows or retrofitted from a generic platform.

HIPAA compliance software is a category of tools that helps covered entities — and their business associates — manage the ongoing requirements of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. The category is broad, and the quality within it varies substantially.

This guide explains what such software does, what the BAA requirement means in practice, and how to evaluate tools as a small or mid-size clinic without in-house legal or IT staff.

What HIPAA compliance software does

At a minimum, a HIPAA compliance software product should handle some or all of:

  • Policy management — creating, version-controlling, and distributing required HIPAA policies (Privacy, Security, Breach Notification, and others) and capturing signed acknowledgements from staff
  • Risk analysis and risk management — documenting threats, vulnerabilities, and safeguards to satisfy the HIPAA Security Rule’s risk analysis requirement at 45 CFR § 164.308(a)(1)
  • Audit logging — recording who accessed or modified PHI-adjacent records, and making those logs available for review without modification
  • Vendor / BAA tracking — maintaining a list of business associates, their signed BAAs, and renewal dates
  • Training records — tracking required annual HIPAA training for each staff member
  • Incident and breach management — logging potential incidents, running the four-factor breach risk assessment, and managing notification timelines

Some products focus on one or two of these areas. Others cover the full compliance program. The right scope depends on what your clinic already has in place.

The BAA requirement

Before your clinic uses any software that will process, store, or transmit PHI on your behalf, you need a signed Business Associate Agreement (BAA) with that vendor. This is not optional — it is a specific requirement at 45 CFR § 164.308(b)(1).

Several categories of software that clinics commonly use process PHI without staff realizing it:

  • Task and project management tools that contain patient-linked assignments
  • Cloud storage used for patient documents
  • Email platforms
  • Scheduling and intake form software
  • Communication tools used for clinical coordination

If a vendor will not sign a BAA, the clinic cannot lawfully use that tool for PHI-adjacent work. Some major vendors (including certain collaboration platforms) offer BAAs only on higher-tier or enterprise plans, which puts them out of reach for small practices.

For a practical vendor screening process, see When a Vendor Needs a BAA.

Evaluation criteria for small clinics

When reviewing HIPAA compliance software, use these criteria:

BAA availability

Is the BAA offered at the tier your clinic can afford? An enterprise-only BAA is effectively no BAA for a 10-person practice.

Audit log integrity

Does the software maintain immutable audit logs? Logs that can be edited or deleted do not meet the Security Rule’s integrity requirements. Ask vendors directly whether their audit trail is append-only.
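The integrity question above is concrete enough to illustrate. The following is an added example, not PHIGuard's code or any vendor's implementation; it shows one common way an append-only audit trail is made tamper-evident: each entry records who performed which action on which record (content access, not just logins) and carries the hash of the previous entry, so an edit or deletion anywhere in the history is detected when the chain is verified. The class, function and field names, the event names, and the sample entries are all constructed for this illustration.

```python
"""Tamper-evident, append-only audit log (illustrative example, not vendor code).

Each entry commits to its predecessor through a SHA-256 hash chain. Editing,
reordering or deleting an earlier entry breaks the chain, which verify()
reports. The log exposes no update or delete operation on purpose.
"""
import copy
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# The first entry chains to this constant instead of a real predecessor.
GENESIS = "0" * 64


def _entry_hash(prev_hash: str, body: dict) -> str:
    """Hash the previous entry's hash together with a canonical JSON body."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only audit trail. Entries can be appended and exported, never changed."""

    def __init__(self) -> None:
        self._entries: list = []

    def append(self, actor: str, action: str, resource: str,
               timestamp: Optional[str] = None) -> dict:
        """Record who (actor) did what (action) to which record (resource)."""
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        body = {
            "seq": len(self._entries),                 # position in the chain
            "ts": timestamp or datetime.now(timezone.utc).isoformat(),
            "actor": actor,                            # staff member (constructed id)
            "action": action,                          # e.g. view, edit, export
            "resource": resource,                      # PHI-adjacent record (constructed id)
            "prev": prev,                              # hash of the previous entry
        }
        entry = dict(body)
        entry["hash"] = _entry_hash(prev, body)
        self._entries.append(entry)
        return copy.deepcopy(entry)

    def entries(self) -> list:
        """Export a copy for review; reviewers cannot alter the stored entries."""
        return copy.deepcopy(self._entries)


def verify(entries: list):
    """Recompute the chain. Returns (True, None) or (False, index_of_first_bad_entry)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e.get("seq") != i or e.get("prev") != prev:
            return False, i            # reordered, deleted or inserted entry
        if _entry_hash(prev, body) != e.get("hash"):
            return False, i            # field of this entry was edited
        prev = e["hash"]
    return True, None


def build_sample_log() -> AuditLog:
    """Constructed sample events with fixed timestamps so results are reproducible."""
    log = AuditLog()
    log.append("nurse_a", "view", "patient/0001", "2024-03-01T09:00:00+00:00")
    log.append("front_desk_b", "edit", "intake/0001", "2024-03-01T09:05:00+00:00")
    log.append("nurse_a", "export", "patient/0001", "2024-03-01T09:30:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify(log.entries()))           # (True, None)
    edited = log.entries()
    edited[1]["actor"] = "someone_else"               # an edit to history
    print("edited:", verify(edited))                  # (False, 1)
    trimmed = log.entries()
    del trimmed[1]                                    # a deleted entry
    print("deleted:", verify(trimmed))                # (False, 1)
```

A vendor's answer to the append-only question should amount to something equivalent: a write-once store or verifiable chain, no edit or delete path exposed to users or administrators, and an export that can be reviewed without altering the stored entries.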

Access controls

Can you control which staff see which records? Role-based access is a Security Rule requirement, not a premium feature.

Risk analysis support

Does the software help you document threats, vulnerabilities, and safeguards — or does it only offer a checklist? The Security Rule requires documented risk analysis at least annually, and OCR audits look for evidence of the process, not just a completed form.

Pricing model

Per-user pricing means your compliance costs increase every time you hire. Flat per-clinic pricing — a single fee regardless of seat count — is more predictable for practices where staff size changes seasonally or by role.

Clinical vs. generic design

Tools built for general project management and retrofitted with a “HIPAA mode” typically lack the workflow assumptions that matter to healthcare teams: PHI handling in task descriptions, audit-aware notifications, and staff access scoped by role. Purpose-built tools start from the assumption that patient data will appear across every feature.

Common gaps in generic tools

A practice administrator who uses a general-purpose task manager for clinical coordination commonly runs into:

  • No BAA available at the current plan level
  • Audit logs that show only login events, not content access
  • Notification systems that expose PHI in email previews
  • No mechanism to restrict who can see which tasks

These are not edge cases. They are structural limitations of tools designed for software teams or marketing departments and repurposed for clinical use. For examples of where PHI appears outside the EHR, see What Counts as PHI in a Small Clinic.

What to ask a vendor before signing

Before committing to any HIPAA compliance software:

  1. Will you sign a BAA at this pricing tier?
  2. Where are audit logs stored, and can they be modified or deleted?
  3. What happens to our data if we cancel or if the vendor closes?
  4. Has the product been reviewed by legal counsel familiar with 45 CFR Parts 160 and 164?

A vendor that cannot answer questions 1 and 2 clearly is a compliance risk regardless of what the product page says.

For pricing context and how PHIGuard approaches the compliance software category, visit /hipaa. For the HIPAA Security Rule safeguards in more detail, see HIPAA Security Rule Explained.

PHIGuard commercial baseline

PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.

FAQ

Questions related to this topic

Do I need a BAA with my compliance software vendor?

Yes, if the software processes, stores, or transmits PHI on your behalf. Most compliance software does. A signed BAA must be in place before you use the tool with patient data.

Is a generic project management tool enough for HIPAA compliance?

Only if it offers a BAA, has audit logging for every PHI-adjacent action, and supports the access controls required by the Security Rule. Most general-purpose tools do not meet all three without expensive add-ons or enterprise tiers.

What is the difference between HIPAA compliance software and a HIPAA-compliant tool?

HIPAA compliance software helps you manage your compliance program — policies, risk assessments, training, audits. A HIPAA-compliant tool is any tool that meets the technical and administrative requirements to safely handle PHI. The two categories overlap but are not the same.

How much should a small clinic expect to pay?

Pricing varies widely. Per-user models can cost $15–$30 per seat per month and scale against you as the team grows. Published clinic-level pricing is more common among purpose-built tools and tends to be more predictable.

Operational assurance

Move from policy documents to a working compliance program.

PHIGuard turns these workflows into repeatable tasks, audit evidence, and role-based processes for small clinics.

  • BAA included: legal baseline available on every plan.
  • Audit history: compliance actions stay reviewable later.
  • No card upfront: start evaluation before billing setup.

No credit card required. Add billing details later if you want service to continue after the trial.