HIPAA doesn't regulate code or even infrastructure. It regulates organizational policy and behavior. HIPAA consists of things like: have a security policy. Enforce that security policy. Update it periodically. Update a change tracking document every time you do something to your infrastructure. Read your logs periodically and be able to prove that you do so. Have an appropriately empowered person in your organization designated as the HIPAA compliance officer. Do periodic mandatory security training for your employees. Perform periodic risk assessments. Control access to your facility. (It doesn't actually require that you do so in a particularly secure way, just that you do so.) Have and enforce a policy for disposal of media. Write it down every time a device containing PHI is moved.

These things are organizational behavior. I don't understand how you can claim to sell this as a SaaS solution.