
How to Build HIPAA-Compliant Software: A Complete Developer Guide

Code19 Team
Technology Consultants · March 4, 2025

What Does HIPAA Require for Software?

Building HIPAA-compliant software requires implementing specific administrative, physical, and technical safeguards to protect Protected Health Information (PHI). At a minimum, your application must encrypt data at rest and in transit, enforce role-based access controls, maintain comprehensive audit logs, and ensure you have Business Associate Agreements (BAAs) with every vendor that touches PHI. Failure to comply can result in fines ranging from $100 to $50,000 per violation, with annual maximums reaching $1.5 million per violation category.

This guide covers the technical requirements developers and engineering teams need to address when building healthcare software that handles patient data.

Understanding HIPAA Basics for Developers

What Is PHI?

Protected Health Information (PHI) is any individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate. This includes:

  • Patient names, addresses, dates of birth, Social Security numbers
  • Medical record numbers and health plan beneficiary numbers
  • Diagnoses, treatment plans, medications, and lab results
  • Billing and payment information tied to healthcare services
  • Any combination of data that could identify a specific patient

Electronic PHI (ePHI) is simply PHI that is stored or transmitted electronically — which is what your software will handle.

Covered Entities vs. Business Associates

  • Covered entities are healthcare providers, health plans, and healthcare clearinghouses
  • Business associates are companies that handle PHI on behalf of covered entities — this includes software development companies building applications that process PHI

If you are building software for a healthcare organization that will store or process PHI, your company is almost certainly a business associate and must sign a Business Associate Agreement (BAA).

The Three HIPAA Rules That Matter

  1. The Privacy Rule: Governs how PHI can be used and disclosed
  2. The Security Rule: Requires specific safeguards for ePHI (this is where most technical requirements live)
  3. The Breach Notification Rule: Requires notification of affected individuals and HHS within 60 days of a breach

Technical Safeguards You Must Implement

Encryption

Encryption is the foundation of HIPAA technical compliance. You need it in two places.

Data at rest:

  • Encrypt all database fields containing PHI using AES-256 encryption
  • Use full-disk encryption on all servers and storage volumes
  • Encrypt database backups and any exported data files
  • Manage encryption keys separately from the data they protect — never store keys alongside encrypted data

Data in transit:

  • Enforce TLS 1.2 or higher for all connections (TLS 1.3 is preferred in 2026)
  • Use HTTPS exclusively — no HTTP endpoints, even internal ones
  • Encrypt API calls between microservices if they carry PHI
  • Use encrypted email (S/MIME or PGP) if PHI is transmitted via email
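The following Go example is added here and is not code from Code19 or the original article. It shows the "data at rest" bullets above in practice: one PHI column value sealed with AES-256-GCM, the 32-byte key supplied from a key store that is separate from the database, and the row/column identity bound in as associated data so a ciphertext cannot be copied into another patient's record. The function names and the `aad` convention are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// The 32-byte key comes from a KMS or secrets manager at request time and is
// never stored with the data; the column holds only nonce || ciphertext || tag.
func aead(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // a 32-byte key selects AES-256
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, _ := aes.NewCipher(key) // cannot fail for a valid key length
	return cipher.NewGCM(block)
}

// EncryptField seals one PHI value; the random nonce is prepended to the output.
// aad (e.g. "patient:42:ssn") ties the ciphertext to one row and column.
func EncryptField(key []byte, plaintext, aad string) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(plaintext), []byte(aad)), nil
}

// DecryptField fails closed: a wrong key, altered bytes or a different aad
// (ciphertext moved into another record) all return an error, never garbage.
func DecryptField(key, stored []byte, aad string) (string, error) {
	gcm, err := aead(key)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(stored) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, stored[:ns], stored[ns:], []byte(aad))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

The same pattern applies to backups and exports: encrypt with a key the backup store never sees, and keep the key ID with the blob so keys can be rotated.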

Access Controls

HIPAA requires that only authorized individuals can access PHI, and only the minimum necessary amount.

Authentication requirements:

  • Implement multi-factor authentication (MFA) for all users who access PHI
  • Enforce strong password policies (minimum 12 characters, complexity requirements)
  • Implement automatic session timeouts after a period of inactivity (15–30 minutes is standard)
  • Use unique user identifiers — no shared accounts

Authorization requirements:

  • Implement role-based access control (RBAC) with the principle of least privilege
  • Users should only access the PHI they need for their specific job function
  • Implement emergency access procedures for break-the-glass scenarios
  • Document all roles and their access levels
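As an added example (not code from the article or from Code19), this Go snippet implements the authorization bullets above: a documented role matrix, least privilege narrowed further to the patients a user is actually assigned to, and a break-the-glass path that requires a written justification and is flagged for review. Role names, actions and the care-team model are constructed assumptions.

```go
package main

// Role matrix, written down as the guide asks: each role is granted only the
// actions its job function needs. Names are constructed for this example.
var permissions = map[string]map[string]bool{
	"nurse":   {"chart.read": true, "chart.write": true},
	"billing": {"billing.read": true},
}

type User struct {
	ID       string          // unique per person, never a shared account
	Roles    []string
	CareTeam map[string]bool // patient IDs this user is currently assigned to
}

// Decision is recorded in the audit log next to the access attempt.
type Decision struct {
	Allowed    bool
	BreakGlass bool
	Reason     string
}

const minJustification = 20 // characters; forces a real explanation

// Authorize applies least privilege: the role must grant the action AND the
// user must be on the patient's care team. Break-the-glass access with a
// written justification overrides the care-team check only, never the role
// check, and is flagged so compliance reviews it afterwards.
func Authorize(u User, action, patientID, justification string) Decision {
	roleOK := false
	for _, r := range u.Roles {
		if permissions[r][action] {
			roleOK = true
		}
	}
	d := Decision{}
	switch {
	case !roleOK:
		d.Reason = "role does not grant " + action
	case u.CareTeam[patientID]:
		d.Allowed, d.Reason = true, "assigned care team"
	case len(justification) >= minJustification:
		d.Allowed, d.BreakGlass = true, true
		d.Reason = "break-glass: " + justification
	default:
		d.Reason = "not on care team and no break-glass justification"
	}
	return d
}
```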

Audit Logging

HIPAA requires that you track who accesses PHI, when, and what they do with it.

What to log:

  • All login attempts (successful and failed)
  • All access to records containing PHI (reads, writes, updates, deletes)
  • All changes to user permissions and access controls
  • All data exports and downloads
  • System-level events (configuration changes, service restarts)
  • All API calls that touch PHI endpoints

Logging best practices:

  • Logs must be immutable — use append-only storage or write-once-read-many (WORM) solutions
  • Retain logs for a minimum of six years (HIPAA requires six years for most documentation)
  • Store logs separately from application data to prevent tampering
  • Include timestamps, user IDs, IP addresses, action types, and affected record identifiers
  • Never log the actual PHI data itself — log references to records, not their contents

Integrity Controls

You must protect ePHI from improper alteration or destruction.

  • Implement checksums or digital signatures to verify data integrity
  • Use database constraints and validation to prevent data corruption
  • Maintain audit trails that show any changes to PHI records
  • Implement version history for critical PHI records
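The Go example below is added here and is not code from the article or from Code19. It serves both the audit logging best practices above (timestamps, user IDs, IP addresses, action types and record identifiers, with no PHI in the entry) and the integrity bullets in this section: each entry carries a SHA-256 hash over itself and the previous entry's hash, so editing or deleting any earlier record is detectable. The `Entry` field set and the in-memory log are assumptions; the WORM backend it would write to is only described in comments.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Entry is one audit record: who, when, from where, which action, which
// record. It never carries the record's contents, so no PHI lands in the log.
type Entry struct {
	Time     time.Time `json:"time"`
	UserID   string    `json:"user_id"`
	IP       string    `json:"ip"`
	Action   string    `json:"action"`    // login.fail, record.read, record.update, ...
	RecordID string    `json:"record_id"` // opaque reference such as "patient:42"
	Prev     string    `json:"prev"`      // hash of the previous entry ("" for the first)
	Hash     string    `json:"hash"`      // SHA-256 over this entry including Prev
}

// hashOf covers every field except Hash itself, so each entry commits to its predecessor.
func hashOf(e Entry) string {
	e.Hash = ""
	b, _ := json.Marshal(e)
	return fmt.Sprintf("%x", sha256.Sum256(b))
}

// AuditLog is append-only; in production the same entries go to WORM storage
// kept separate from the application database.
type AuditLog struct{ entries []Entry }

func (l *AuditLog) Append(e Entry) Entry {
	if n := len(l.entries); n > 0 {
		e.Prev = l.entries[n-1].Hash
	}
	e.Hash = hashOf(e)
	l.entries = append(l.entries, e)
	return e
}

// Verify walks the chain; editing or removing any earlier entry breaks it.
func (l *AuditLog) Verify() error {
	prev := ""
	for i, e := range l.entries {
		if e.Prev != prev || e.Hash != hashOf(e) {
			return fmt.Errorf("audit chain broken at entry %d", i)
		}
		prev = e.Hash
	}
	return nil
}
```

Anchoring the latest hash somewhere the application cannot write (a daily record in a separate account, for instance) turns tamper evidence into tamper evidence against an attacker who controls the log store as well.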

Infrastructure Requirements

Cloud Hosting (AWS, GCP, Azure)

All major cloud providers offer HIPAA-eligible services, but not every service within their platform is covered.

AWS HIPAA-eligible services include:

  • EC2, ECS, EKS, Lambda
  • RDS (all engines), DynamoDB, Aurora
  • S3 (with encryption enabled)
  • CloudWatch, CloudTrail
  • API Gateway, SQS, SNS
  • You must sign an AWS BAA before using any of these services with PHI

For a deeper look at cloud infrastructure decisions, see our cloud migration strategy guide.

Google Cloud HIPAA-eligible services include:

  • Compute Engine, GKE, Cloud Run, Cloud Functions
  • Cloud SQL, Firestore, BigQuery, Cloud Spanner
  • Cloud Storage (with encryption enabled)
  • Cloud Logging, Cloud Monitoring
  • Sign a Google Cloud BAA through the console

Azure HIPAA-eligible services include:

  • Virtual Machines, AKS, App Service, Azure Functions
  • Azure SQL Database, Cosmos DB, Blob Storage
  • Azure Monitor, Application Insights
  • Sign a Microsoft BAA (included in their standard terms)

Network Security

  • Deploy applications within a Virtual Private Cloud (VPC) with private subnets for databases
  • Use network access control lists (ACLs) and security groups to restrict traffic
  • Implement a Web Application Firewall (WAF) to protect against common attacks
  • Use VPN or private connectivity for administrative access — no SSH over the public internet
  • Segment your network so PHI-handling systems are isolated from non-PHI systems, following zero trust architecture principles

Backup and Disaster Recovery

  • Implement automated, encrypted backups with at least daily frequency
  • Store backups in a geographically separate region
  • Test backup restoration procedures at least quarterly
  • Document and maintain a disaster recovery plan with defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)

Common HIPAA Compliance Mistakes

Mistake 1: Assuming Your Cloud Provider Handles Compliance

Signing a BAA with AWS does not make your application HIPAA-compliant. The BAA covers the infrastructure provider's responsibilities, but you are still responsible for configuring services correctly, implementing access controls, encrypting data, and logging access.

Mistake 2: Logging PHI in Application Logs

Developers frequently log request and response bodies for debugging, which can inadvertently dump PHI into log files that have weaker security controls. Sanitize all logs to remove PHI before writing them.
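One way to apply this sanitization step, as an added Go example that is not code from the article or from Code19: request and response bodies pass through a redactor before they reach the logger, PHI-keyed fields are replaced at any nesting depth, and a body that does not parse as JSON is dropped entirely because it cannot be proven PHI-free. The field deny-list is a constructed assumption; a real one comes from the application's data classification.

```go
package main

import (
	"encoding/json"
	"strings"
)

// phiKeys is a deny-list of JSON field names that may hold PHI. Constructed for
// this example; a real list comes from the application's data classification.
var phiKeys = map[string]bool{
	"name": true, "first_name": true, "last_name": true, "dob": true,
	"ssn": true, "address": true, "diagnosis": true, "medications": true,
	"notes": true, "mrn": true,
}

// redact walks decoded JSON and replaces any PHI-keyed value with a marker,
// descending into nested objects and arrays so a wrapped "patient" object is
// caught too. Scalars under non-PHI keys (status, timestamps, IDs) are kept.
func redact(v interface{}) interface{} {
	switch x := v.(type) {
	case map[string]interface{}:
		out := make(map[string]interface{}, len(x))
		for k, val := range x {
			if phiKeys[strings.ToLower(k)] {
				out[k] = "[REDACTED]"
			} else {
				out[k] = redact(val)
			}
		}
		return out
	case []interface{}:
		for i := range x {
			x[i] = redact(x[i])
		}
		return x
	}
	return v
}

// SanitizeBody returns a log-safe version of a request or response body.
// Anything that is not JSON is dropped entirely rather than logged raw:
// an unparseable body cannot be proven PHI-free.
func SanitizeBody(body []byte) string {
	var v interface{}
	if err := json.Unmarshal(body, &v); err != nil {
		return "[body omitted: non-JSON]"
	}
	out, _ := json.Marshal(redact(v))
	return string(out)
}
```

The same redactor should run on error messages and stack traces, which often embed the offending request.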

Mistake 3: Forgetting About Development and Staging Environments

If your development or staging environments contain real PHI (even from database copies), those environments must also meet HIPAA security requirements. The safest approach is to use synthetic or de-identified data in non-production environments.

Mistake 4: Neglecting Mobile Device Management

If your application is accessed on mobile devices, you need policies for device encryption, remote wipe capabilities, and screen lock requirements.

Mistake 5: Skipping the Risk Assessment

HIPAA requires a formal risk assessment that identifies threats to ePHI and documents how you mitigate them. This is not optional — it is one of the first things auditors look for.

HIPAA Compliance Checklist for Developers

Use this checklist to verify your application meets core HIPAA technical requirements:

  • All PHI encrypted at rest using AES-256
  • TLS 1.2+ enforced for all data in transit
  • Multi-factor authentication implemented for PHI access
  • Role-based access controls with least-privilege enforcement
  • Automatic session timeouts configured (15–30 minutes)
  • Comprehensive audit logging for all PHI access and modifications
  • Audit logs stored immutably for six years minimum
  • BAAs signed with all cloud providers and third-party services
  • Formal risk assessment documented and updated annually
  • Backup and disaster recovery procedures tested quarterly
  • Network segmentation isolating PHI systems
  • No PHI in application logs or error messages
  • Synthetic data used in non-production environments
  • Incident response plan documented and tested
  • Employee training records maintained

Working With a HIPAA-Experienced Development Partner

Building HIPAA-compliant software adds complexity and cost to any project — typically 20–40% more than a non-compliant equivalent. If you are also targeting enterprise buyers, you may need SOC 2 compliance alongside HIPAA. However, cutting corners on compliance creates existential risk for healthcare organizations.

At Code19, we have built HIPAA-compliant applications for healthcare startups and established providers. Our cybersecurity services cover the full compliance landscape, and we can help you navigate it without over-engineering your solution. If you are planning a healthcare software project, reach out for a consultation on the right architecture and compliance strategy for your specific use case.

Tags: HIPAA, Healthcare, Compliance, Security, Software Development
