If you’re building a digital health product, a patient portal, a telehealth platform, or any software that touches protected health information (PHI), HIPAA isn’t optional—and “we’ll deal with it when we have to” is not a compliance strategy. HIPAA violations can result in civil penalties starting at $100 per violation and reaching $1.9 million per violation category per year. Criminal penalties can include imprisonment.
This guide covers what Illinois healthtech founders need to understand about HIPAA in 2026.
Does HIPAA Apply to Your Startup?
HIPAA applies to covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates (vendors and service providers that create, receive, maintain, or transmit PHI on behalf of a covered entity).
Most healthtech startups are business associates—they’re not the provider, but they handle PHI on behalf of providers. If your software:
- Stores or processes patient records, clinical notes, or diagnoses
- Transmits health information between providers and patients
- Provides analytics on patient populations
- Integrates with EHR systems via HL7/FHIR
…you are almost certainly a business associate and must comply with HIPAA.
Business Associate Agreements (BAAs)
A Business Associate Agreement (BAA) is a contract required by HIPAA between a covered entity and each of its business associates. The BAA establishes permitted uses of PHI, security obligations, breach notification requirements, and return/destruction of PHI upon contract termination.
For healthtech startups, you’ll need to:
- Execute a BAA with every hospital, clinic, or healthcare provider customer before they share any PHI with you
- Execute BAAs with your own subcontractors (cloud hosting, analytics vendors) who may access PHI
- Have a standard BAA template ready so it doesn’t become a sales bottleneck
HIPAA Security Rule: Technical Safeguards for Healthtech
The HIPAA Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect electronic PHI (ePHI). For tech companies, the technical safeguards are most operationally significant:
- Access controls: Unique user identification; automatic logoff; encryption for data at rest and in transit
- Audit controls: Hardware, software, and procedural mechanisms to record and examine access to ePHI
- Integrity controls: Mechanisms to authenticate that ePHI has not been altered or destroyed
- Transmission security: Technical measures to prevent unauthorized access during transmission (TLS/HTTPS at minimum)
HIPAA Breach Notification Rule
If a breach of unsecured PHI occurs, business associates must:
- Notify the covered entity without unreasonable delay, and in no case later than 60 days after discovering the breach (the 60 days is an outer limit, not a grace period)
- Provide specific information: nature of PHI involved, who accessed it, steps to mitigate harm, contact information
Covered entities then notify affected individuals and HHS. Business associates who fail to notify on time face direct liability under HIPAA.
Illinois-Specific Health Data Laws
Illinois has additional health data protections beyond HIPAA:
- Illinois Mental Health and Developmental Disabilities Confidentiality Act (740 ILCS 110): Stricter than HIPAA for mental health records; requires specific written consent for most disclosures
- Illinois AIDS Confidentiality Act (410 ILCS 305): Restricts disclosure of HIV-related information beyond HIPAA’s requirements
- Illinois Personal Information Protection Act (815 ILCS 530): Requires notification of breaches involving medical and health insurance information, with timelines that can be stricter than HIPAA’s
Common HIPAA Mistakes by Healthtech Startups
- Using non-HIPAA-compliant cloud services (standard Gmail, Google Drive, Dropbox for PHI)
- Failing to execute BAAs with AWS, Google Cloud, or other infrastructure providers before they store PHI
- Assuming that de-identified data is automatically safe (HIPAA de-identification has strict requirements)
- Not conducting an annual Security Risk Assessment (required for all covered entities and BAs)
- Using PHI for product development or AI training without proper authorization
FAQ: HIPAA for Illinois Healthtech Startups
Is a wellness app covered by HIPAA?
Generally not if it collects data directly from consumers without a healthcare provider relationship. But if the app receives data from or transmits data to covered entities (hospitals, insurers), it may be a business associate. The line is blurry—consult a HIPAA attorney before concluding you’re exempt.
Does HIPAA apply to AI tools trained on health data?
If the AI is trained on PHI, HIPAA applies to the training data. Using PHI to train models requires either proper authorization under HIPAA or compliant de-identification under HHS standards. The OCR has signaled increasing scrutiny of AI uses of health data.
Fitter Law helps Illinois healthtech startups navigate HIPAA compliance, draft BAAs, and structure data use agreements. Learn about our compliance services or view our flat-fee packages.
