Compliance

HIPAA

HIPAA (Health Insurance Portability and Accountability Act) is US federal law that sets standards for protecting sensitive patient health information (PHI) — any app that stores, processes, or transmits health data for US patients likely needs to comply.

In depth

HIPAA applies to Covered Entities (healthcare providers, insurers) and their Business Associates (any vendor handling PHI on their behalf — including your app if it stores patient data).

Key requirements: - Encryption at rest and in transit (AES-256, TLS 1.2+) - Access controls and audit logs - Business Associate Agreement (BAA) with cloud providers - Minimum necessary access principle - Breach notification within 60 days

HIPAA-compliant infrastructure: - Supabase (BAA available on Team plan) - AWS (BAA available) - Google Cloud (BAA available) - NOT: standard Vercel, standard Firebase

Building HIPAA-compliant from day one costs 20–30% more than standard apps but avoids a complete rebuild when you get your first healthcare customer.

Real example

A telehealth startup stores patient consultation notes in Supabase with BAA signed, RLS enabled, and all PHI encrypted at rest.

Tools & calculators

Related terms

Ready to build your product?

Fixed price. 21-day delivery. Senior team.

Get a free scoping call →

Browse the glossary