Hacker News
by didgeoridoo 3187 days ago
Is "HIPAA certification" an actual thing? As far as I know, the various HIPAA "certificates" offered by private companies are not universally recognized, nor do they have clear legal relevance. See TrueVault's FAQ: https://www.truevault.com/hipaa-compliance.html
1 comment

It's not. You typically sign what's called a BAA[0] with an entity that is covered by HIPAA compliance. In other words, if a hospital wants to use the software, they would make the SaaS provider sign a BAA. This then subjects both the hospital and the SaaS provider to HIPAA as well as the BAA. The best you can do is basically get audited by an external firm, not dissimilar to how PCI compliance works (which also doesn't have a certification, but has QSA certifications).

[0] - https://www.hhs.gov/hipaa/for-professionals/covered-entities...