HIPAA-compliant hospital portals: what it means, and why on-premises matters

Updated June 2026 · Reviewed by David Higginson, CHIME Innovator of the Year

The most important security question about a hospital portal isn't which badge the vendor advertises — it's where the data lives and who controls it. On both counts, on-premises changes the answer.

A HIPAA-compliant hospital portal is one deployed and operated so that the administrative, physical, and technical safeguards required by the HIPAA Security Rule protect the electronic protected health information (ePHI) it handles. An important nuance: per HHS, there is no official "HIPAA certification" a product can earn — compliance is a property of how a covered entity deploys and runs a system. That's why where the system runs and who controls the data matters more than any vendor badge, and why an on-premises deployment, in the hospital's own environment, is the strongest model.

This guide is general information, not legal or compliance advice. Confirm your obligations with your privacy officer or counsel.

What HIPAA actually requires of a portal

The HIPAA Security Rule requires covered entities to protect ePHI with three categories of safeguard. Per HHS, those are:

  • Administrative safeguards — risk analysis, workforce access management, and policies governing who may see what.
  • Physical safeguards — controls over the facilities and devices where ePHI lives.
  • Technical safeguards — access controls, audit controls (logging who accessed what), integrity controls, and transmission security.

Notice what's not on that list: a certificate. There is no government-issued "HIPAA certified" stamp for software. A portal is compliant because of how it is deployed, configured, logged and governed — which means the deployment model is part of the security story, not separate from it.

Employee tax data isn't PHI — but it's just as sensitive

HIPAA protects patient health information. An employee's pay statements, W-2 or T4, and personal details are workforce, identity and tax data — high-value, but governed by other privacy and tax-safeguarding rules rather than HIPAA. A hospital therefore has two streams of sensitive data to protect: PHI on the clinical side and employee/tax data on the workforce side. The advantage of the on-premises model is that it protects both the same way — by keeping the data in the hospital's own environment.

The on-premises difference: no third-party host to trust

Most portals are software-as-a-service: your data is copied into a vendor-operated cloud, and you inherit that vendor's security, breach surface and jurisdiction. Bluefish takes the opposite approach. The software runs on-premises, in the hospital's own data center, which changes the security posture at its root:

  • The data never leaves your environment. There is no vendor cloud holding copies of your employees' tax forms or your patients' records.
  • Your controls and certifications apply directly. The system lives inside the safeguards, audits and certifications your security team already maintains — not a separate vendor's.
  • There's no third-party breach surface. You don't have to trust that a hosting company's cloud will never be breached or compelled to hand your data over; the hospital holds the data and the keys.
  • It extends what you already run. The portal authenticates against your identity provider and sits alongside your existing systems, consistent with the Bluefish approach of extending the systems you already have.

US and Canada: HIPAA, PHIPA, PIPEDA — and residency

In the United States, PHI is governed by HIPAA and enforced by HHS's Office for Civil Rights. In Canada, health information is governed by provincial laws such as Ontario's PHIPA, while PIPEDA covers personal information in the federal private sector. Employee data falls under the applicable provincial or federal privacy laws.

Data residency is where on-premises is decisive. PIPEDA does not, by itself, require that data be stored in Canada — but many provincial public-sector rules, sector requirements and contracts do. Running in a Canadian hospital's own environment keeps the data in Canada by construction, so those requirements are met without depending on where a vendor's cloud region happens to be.

What to ask a portal vendor

A short checklist that gets past the badges to what matters:

  • Where does our data physically live — our environment, or your cloud?
  • Is there any third-party cloud anywhere in the data path?
  • Does the system run under our existing controls and certifications, or yours?
  • Is every access logged and auditable by our team?
  • Does it authenticate against our identity provider, or create a new credential store?
  • For PHI: will you sign a BAA, and who remains the data custodian?

Where this fits at Bluefish

Both on-site Bluefish products run this way. The Employee Portal keeps pay and tax data in your environment; HealthPoint gives referring physicians a governed, audited, read-only window into your EMR without exporting your data. For the workforce side specifically, see employee self-service portals for hospitals and the rules for electronic W-2 and electronic T4 access.

Sources: HHS — HIPAA Security Rule (US) · Office of the Privacy Commissioner of Canada — PIPEDA · Information and Privacy Commissioner of Ontario — PHIPA.

Frequently asked questions

Is there such a thing as a HIPAA-certified portal?
No. Per HHS, there is no official HIPAA certification or government approval that a product or vendor can earn — HHS does not endorse or certify software for HIPAA compliance. Compliance is a property of how a covered entity deploys, configures and operates a system to meet the HIPAA Security Rule's safeguards. A vendor advertising itself as HIPAA certified is describing something that does not officially exist; ask instead how the system meets the required safeguards and where the data lives.

Is employee pay and tax data covered by HIPAA?
Generally no. HIPAA protects protected health information (PHI) — patient health data. An employee's pay statements, W-2 or T4 and personal information are workforce/identity and tax data, governed by other privacy, security and tax-safeguarding obligations rather than HIPAA. It is still highly sensitive, which is why the same on-premises model that protects PHI is valuable for employee data too.

What makes an on-premises portal more secure than a vendor cloud?
It removes the third party entirely. When the software runs on the hospital's own infrastructure, the data never leaves the hospital's environment, the hospital's existing safeguards and certifications apply to it directly, and there is no separate vendor-operated cloud that could be breached or subpoenaed. The hospital — not a SaaS provider — holds the data and the keys.

Does running on-premises satisfy Canadian data-residency requirements?
By construction. When the system runs inside a Canadian hospital's own environment, the data physically stays in Canada — so residency questions are moot. PIPEDA itself does not mandate that data be stored in Canada, but many provincial public-sector and sector-specific rules and contracts do, and an on-premises deployment satisfies those inherently.

Do you still sign a Business Associate Agreement (BAA) if it runs on-premises?
For the clinical product (HealthPoint), which handles PHI, Bluefish operates under a BAA covering any support access — and the hospital remains the data custodian. The Employee Portal handles employee data rather than PHI, so a HIPAA BAA does not apply to it; the same on-premises model governs where that data lives.
