If you have a patient portal developed, provided by, or on behalf of a covered entity (health plan, healthcare clearinghouses, or healthcare providers), it must be HIPAA compliant. If you are a business associate that stores, collects, processes, or transmits PHI on behalf of covered entities, your patient portal must be HIPAA compliant..