HIPAA · Cloud SaaS · Healthcare Compliance

Top 5 HIPAA Compliance Mistakes Cloud SaaS Companies Make (and What Each One Actually Costs)

You signed a BAA with AWS. Your data is encrypted. Your engineers swear they "do not touch PHI." That sentence is on the cover page of about 80 percent of HIPAA enforcement actions we have seen against cloud-native SaaS. Here is what is actually wrong, in order of how expensive it gets.

Key Takeaways

• A signed BAA with AWS, GCP, or Azure does not make you HIPAA-compliant. It moves liability for the underlying infrastructure controls only. Everything you build on top is your problem.
• The single most common 7-figure mistake we see is ePHI in observability tooling (CloudWatch logs, Datadog traces, Sentry breadcrumbs, BigQuery analytics). Most teams discover it during an OCR audit, not before.
• If your staging environment was ever populated from a production snapshot, you have ePHI in staging right now. Roughly 7 out of 10 SaaS audits we run surface this exact pattern.
• Unmanaged collaboration tools (Slack DMs, Notion pages, shared Google Docs, screenshots in Linear tickets) account for the majority of "covered entity complains that PHI is somewhere it should not be" cases. These are the easiest leaks to find and the hardest to clean up after the fact.
• There is no such thing as a "HIPAA certification." There is only a documented 164.308(a)(1)(ii)(A) Risk Analysis, kept current, and the controls you implemented because of it. Without that document, every other control is unfalsifiable.
• All five mistakes below are fixable in 90 days for under \$80,000 of professional services plus internal time. The cost of not fixing them is measured in resolution agreements that start at \$1.5 million.

HIPAA was written in 1996 for paper records inside hospital walls. The Security Rule was finalized in 2003 for client-server environments. The HITECH Act of 2009 added breach notification and pushed Business Associates into direct accountability. None of those drafters were thinking about a 12-person Vercel-hosted React app talking to a Supabase backend that nightly syncs to Snowflake for analytics.

The regulation is still the regulation. The Office for Civil Rights (OCR) does not care that your stack is more modern than the controls. They will still ask you for three documents in any audit: your most recent 164.308(a)(1)(ii)(A) Risk Analysis, your 164.316(b)(1) policies and procedures, and your 164.312(b) audit logs demonstrating that you can review activity in systems containing ePHI. If any of the three is missing or out of date, you are not arguing about specific controls anymore. You are arguing about whether the program exists.

If you only look at Tier 1, your HIPAA program will appear excellent. If you only look at Tier 1, you will also miss the entire blast radius of any actual incident. The five mistakes below all live in Tiers 2, 3, and 4. They are also the five places we find evidence of ePHI in roughly 70 to 90 percent of audits.

A Business Associate Agreement (BAA) is a contract. It is not a control. It allocates responsibility under HIPAA for what each party will do with ePHI, and it commits both sides to specific obligations under 45 CFR 164.504(e). It does not, by signing, make any technical control exist.

In real engagements, the BAA is the thing that customers ask for and the thing that founders assume is the program. The actual program is much larger. Here is what the BAA covers and what it leaves to you.

How to fix it. Build a single living document, in Notion or your favorite tool, that maps every place ePHI lives or could live to: the vendor, whether a BAA is signed, the date of the most recent BAA review, the specific service-level configuration that makes it BAA-eligible (e.g. "AWS S3 bucket policy: SSE-KMS with CMK, bucket logging enabled, public access blocked, MFA delete on, replicated to us-east-2"), the data classification, and the assigned owner. We call this the ePHI Register. It is the document we ask for first in every engagement. If it does not exist, we build it in the first week.

The cost of skipping it. The startup in our opening anecdote had eight BAAs on file. They did not have an ePHI Register. They had no way to discover, before the customer told them, that Sentry was capturing patient data. The register would have surfaced the gap in about 90 minutes the day a Sentry account was created.

This is the single most common 7-figure mistake we see. Logs and traces are written by engineers who are debugging an outage at 2am. Nobody is thinking about the difference between a patient ID and a patient name when the production database is on fire. The default behavior of nearly every modern logging library is to serialize the entire argument list of the function that threw the error. If that function took a Patient object as input, that Patient object is now in Sentry, Datadog, and CloudWatch.

The seven specific places where ePHI most often leaks into observability:

How to find what is already in there. Run a one-time data-discovery sweep across your Sentry, Datadog, CloudWatch, and any session replay tool you use. Search for regex patterns that look like SSN (3-2-4 digits with separators or contiguous), DOB (anything that parses as a date with year in a plausible patient range), and a small dictionary of common first names. Most teams find something in 30 minutes. The bigger the team, the bigger the find.

The cost. One specific resolution agreement we worked alongside (not as primary counsel) cost the client \$2.1 million in OCR penalty plus another \$3.4 million in remediation, audit, monitoring, and lost revenue. The original leak was a single CloudWatch log group nobody had reviewed in 14 months.

The pattern is universal. A staging environment is initially populated with synthetic data. Six months later, a tricky reproduction case forces an engineer to copy a production snapshot into staging "for debugging." The copy is never deleted. New engineers join. The snapshot becomes the canonical fixture for QA. Over time, the staging environment becomes a less-protected mirror of production, with weaker auth, broader IP access, more permissive logging, and the same ePHI.

The same pattern happens with analytics. A data team gets read-only access to a production replica. The replica is used to build a BigQuery dataset for reporting. The BigQuery dataset is queried by Looker. Looker dashboards are shared by email link. The chain ends with ePHI rendered inside a Looker dashboard that a marketing manager can access because they were given "view-only" Looker permissions for a different report.

The fix. Set a hard rule: production data only leaves production through a deterministic de-identification pipeline. The pipeline runs nightly. It outputs a synthetic dataset that preserves cardinality and join behavior but contains no values that resemble real ePHI. Names become a deterministic hash mapped to a fake-name dictionary. Dates of birth are shifted by a consistent per-record offset. MRNs become a different format with the same uniqueness. Free-text fields are scrubbed by a Named Entity Recognition model with a strict false-positive bias.

Then enforce it. The staging environment cannot connect to production network endpoints. The data warehouse pulls from the de-identified replica only. The analytics tools see the de-identified dataset, period. Real production access requires a break-glass procedure, time-limited, audited, and reviewed by a security-team member who is not on the requesting engineer's team.

Cost to implement. For a 30-person engineering team with a moderately complex data model, building this pipeline is a 4-to-6-week project. Tooling like Tonic, Mockaroo Enterprise, or Gretel can shave a few weeks off, with annual cost in the \$15K-\$60K range. Custom-built scrubbing with Python and a NER library can be done for engineering time alone but is more brittle.

There is no engineer who has not, at some point, pasted a customer support ticket containing real patient information into a Slack DM with a colleague to ask "is this a bug or is this the user being weird?" There is no product manager who has not, at some point, attached a screenshot of a clinician's screen to a Notion spec to illustrate a workflow. There is no support agent who has not, at some point, forwarded a patient email to an internal Google Group to coordinate a response.

Each of these is a HIPAA violation in slow motion. The combined Slack workspaces of a typical 50-person healthcare SaaS contain, by our measurement, between 300 and 2,400 instances of ePHI by the time they are audited. None of it is malicious. All of it accumulates because the collaboration tool is faster than the ticketing system, and the ticketing system never quite has the right context.

The fix has three parts.

There is no such thing as a HIPAA certification. There is a Risk Analysis. The Risk Analysis is the document OCR asks for first in every audit and every investigation, and the absence of one (or the presence of one dated three years ago and never updated) is the single most common finding in resolution agreements. Roughly two-thirds of published OCR resolution agreements name "failure to conduct an accurate and thorough risk analysis" as a primary finding.

A Risk Analysis is not a spreadsheet of vulnerabilities. It is a written document that identifies all the systems where ePHI exists, enumerates threats and vulnerabilities for each, estimates likelihood and impact, documents the controls in place and the residual risk, and proposes mitigations. NIST 800-66 Rev. 2 (the HHS-recommended methodology) is the framework that maps cleanly to the HIPAA Security Rule.

What a defensible Risk Analysis contains. The structure is documented in NIST 800-66 Rev. 2. The shortest readable version is: (1) a system inventory of every place ePHI lives; (2) a threat catalog appropriate to your environment (we use a 32-item list for cloud SaaS); (3) a vulnerability assessment for each system against each threat; (4) likelihood and impact estimates on a defensible scale (we use 1-to-5, documented); (5) the controls in place and their effectiveness; (6) residual risk; (7) mitigation plan with named owners and target dates. For a 30-person SaaS this document is typically 40 to 80 pages and takes three to six weeks to build from zero.

Why the cadence matters. The number one finding in published HIPAA resolution agreements is not "had no Risk Analysis." It is "had a Risk Analysis from three years ago that no longer reflected reality." A stale document is worse than no document, because it shows you knew the obligation and did not maintain the program. Annual refresh is the floor. Quarterly delta reviews are the standard we recommend.

These numbers are not abstract. They come from 30 healthcare-adjacent engagements we have personally run or supported in the past 36 months. The fix-cost ranges depend on team size, code base complexity, and whether the team is starting from zero or has partial work in place. The breach-cost ranges come from published resolution agreements plus our knowledge of unpublished settlements where we were involved alongside breach counsel.

How Atlant Security Helps

90-Day HIPAA Cloud SaaS Hardening Program

We run this as a single 90-day engagement for healthcare-adjacent SaaS between 10 and 200 people. By Day 90, you have a current Risk Analysis, a complete ePHI Register, observability tooling that cannot leak ePHI, a de-identified staging pipeline, DLP enforced on collaboration tools, and a documented quarterly cadence ready to hand to your next customer.

• Fixed pricing from \$58,000, scope written before contract
• Senior consultants only, never juniors
• Half the engagement is implementation, not just findings
• Deliverable kit: Risk Analysis, ePHI Register, DLP runbook, IR plan, training deck, evidence pack for your next vendor security review
• Pay after each phase, not all up front

Book a 30-minute HIPAA scoping call →

The five mistakes in this article are not edge cases. They are the modal pattern. If you are running a cloud-native healthcare SaaS, you almost certainly have at least three of them right now, and probably four. The good news is that all five are fixable inside a single quarter for a fixed and knowable cost. The less good news is that the cost of finding them through an OCR investigation or a covered-entity-triggered audit is roughly an order of magnitude higher, and the discovery is rarely on your schedule.

A healthcare customer who asks you for evidence of HIPAA compliance is not trying to trip you up. They are trying to make their own program defensible. Give them the documents that close their internal review without a back-and-forth: Risk Analysis, ePHI Register, current BAA list with subprocessors, IR plan, and the most recent quarterly attestation that the program is being maintained. Those five documents close more deals than any number of dashboards.

If a hospital or payer is in your pipeline this quarter, book a 30-minute scoping call or email alexander@atlantsecurity.com.