Coupa Success Portal

Coupa HIPAA Compliance

Coupa compliance with HIPAA

HIPAA, the Health Insurance Portability and Accountability Act, sets the standard for protecting sensitive patient data. Any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed.

This includes covered entities (CEs), meaning anyone who provides treatment, payment, or operations in healthcare, and business associates (BAs), meaning anyone who has access to patient information and provides support in treatment, payment, or operations. Subcontractors, or business associates of business associates, must also be in compliance.

Coupa is committed to partnering with health insurers and care providers to deliver savings so urgently needed in the sector without sacrificing patient care outcomes or patient experiences. Under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, insurers and providers must take steps to protect Electronic Protected Health Information (ePHI) of their customers or patients. Coupa’s Healthcare Cloud provides protections of ePHI required by HIPAA.

While Coupa does not provide any patient records management or patient care services, customers are protected in cases where ePHI is entered into Coupa by staff members. Coupa recommends against using ePHI such as Medical Record Numbers (MRNs) as part of business process or integration design. There are certain cases where ePHI may be entered in the context of a financial transaction. Examples include submitting an expense report for flowers with a patient’s name in the expense description, attaching a receipt with the patient’s name or room number, or attaching a laboratory report to an invoice. Coupa protects customers against the risk of exposure of ePHI.

Under HIPAA, insurers and providers who allow service providers to create, receive, maintain, or transmit ePHI on their behalf must enter into Business Associate Agreements (BAAs) with those providers. BAAs extend responsibility for protection of ePHI to those providers. Coupa’s Healthcare Cloud lets Coupa enter into a Business Associate relationship with customers, ensuring that ePHI appropriately entered into Coupa for spend management is protected as mandated under HIPAA. Coupa has taken a number of steps to protect ePHI according to the standards set out by HIPAA, including Administrative Safeguards, Physical Safeguards, and Technical Safeguards.

Coupa completes an annual audit with a third-party firm. This annual audit is conducted in September and includes the review of administrative, physical, and technical controls. Coupa Customers can download this annual attestation from the Security and Compliance page on the Coupa Support Portal.

Other interested parties in Coupa compliance reports and certifications can access these reports through the Coupa Compliance Reports Self-Serve Portal.

For additional details please see the Coupa Healthcare Cloud Data Sheet.