If you're building software that touches patient data, even as a third-party cloud provider, HIPAA compliance isn't optional. This guide cuts through the legal fog and focuses on what matters for tech teams.

Who actually needs to comply?

Most developers assume HIPAA is a hospital problem. It isn't. If your product falls into any of these categories, you're in scope:

- Custom healthcare software for a medical org
- EMR/EHR platforms
- Cloud storage or processing of any PHI
- Any SaaS tool used by a covered healthcare entity

You're likely classified as a Business Associate (BA) — which means you're directly liable under HIPAA, and you need a signed Business Associate Agreement (BAA) before processing any patient data. No BAA = you're already in violation before writing a single line of code.

What counts as PHI?

Protected Health Information (PHI) is broader than most devs expect.…