HIPAA compliance is required for any software that handles protected health information (PHI). This practical guide covers what HIPAA requires technically, common misconceptions, and what to implement in your stack.
Protected Health Information (PHI) is any information that can identify an individual and relates to their health condition, treatment, or payment for healthcare. HIPAA applies if you are a Covered Entity (healthcare provider, health plan, clearinghouse) or a Business Associate (any vendor that handles PHI on behalf of a covered entity). If your software touches names, dates, addresses, phone numbers, or any identifiers combined with health data — HIPAA applies.
The HIPAA Security Rule requires: access controls (unique user IDs, automatic logoff, encryption), audit controls (log who accessed what PHI and when), integrity controls (prevent unauthorized alteration of PHI), transmission security (encrypt PHI in transit — TLS 1.2+ required), and encryption at rest (AES-256 minimum). These are not optional extras — they are minimum requirements for any system handling electronic PHI.
Any third-party vendor that touches PHI must sign a BAA. This includes: your cloud hosting provider (AWS, GCP, Azure all have HIPAA BAA programs), your database service, your email provider if emails contain PHI, your logging service, and your analytics platform. If a vendor will not sign a BAA, you cannot send them PHI. Many popular SaaS tools (Slack, Google Workspace standard tier, many analytics tools) do not offer BAAs.
Encrypt the database at rest (AWS RDS encryption, or application-level AES-256 for sensitive fields). Enforce TLS everywhere — no plaintext HTTP. Implement role-based access control — no shared logins. Log all PHI access with user ID, timestamp, and action. Implement automatic session timeout (typically 15-30 minutes of inactivity). Use audit-capable database queries — no bulk "select *" queries that sweep up PHI. Store encryption keys separately from the data they protect.
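As an added illustration of the field-level encryption, key separation, role-based access and audit-logging points above (example code written for this guide, not from any product or library the page describes), this Go snippet encrypts one PHI field with standard-library AES-256-GCM, binds the ciphertext to its patient record, checks the caller's role before decrypting, and records every access with user ID, timestamp and action. The KMS key source, the "clinician" role name and the record layout are assumptions.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)
// AuditEntry: who accessed which patient's PHI, when, and what they did.
type AuditEntry struct {
	UserID, PatientID, Action string
	At                        time.Time
}
// Store: AES-256-GCM AEAD, userID -> role map for RBAC, and the audit trail.
type Store struct {
	aead  cipher.AEAD // key assumed fetched from a KMS, never stored beside the data
	roles map[string]string
	Audit []AuditEntry
}
// NewStore takes a fixed 32-byte key so the type system enforces AES-256.
func NewStore(key [32]byte, roles map[string]string) *Store {
	block, _ := aes.NewCipher(key[:]) // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block)   // cannot fail for an AES block
	return &Store{aead: aead, roles: roles}
}

// Encrypt returns nonce||ciphertext for one PHI field; patientID is bound as
// associated data so the blob cannot be re-attached to another patient's row.
func (s *Store) Encrypt(user, patientID, plaintext string) ([]byte, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.Audit = append(s.Audit, AuditEntry{user, patientID, "write", time.Now()})
	return s.aead.Seal(nonce, nonce, []byte(plaintext), []byte(patientID)), nil
}

// Decrypt enforces the role check before touching ciphertext and logs denials too.
func (s *Store) Decrypt(user, patientID string, blob []byte) (string, error) {
	if s.roles[user] != "clinician" {
		s.Audit = append(s.Audit, AuditEntry{user, patientID, "read-denied", time.Now()})
		return "", errors.New("access denied")
	}
	n := s.aead.NonceSize()
	if len(blob) < n {
		return "", errors.New("malformed ciphertext")
	}
	s.Audit = append(s.Audit, AuditEntry{user, patientID, "read", time.Now()})
	pt, err := s.aead.Open(nil, blob[:n], blob[n:], []byte(patientID)) // fails if tampered
	return string(pt), err
}
```

A real deployment would persist the audit entries to append-only storage and fetch the key from the KMS at startup rather than holding it in a struct; the shape of the checks is what the example shows.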
Misconception 1: HIPAA certification exists — it does not. There is no HIPAA certification body. You self-attest compliance.
Misconception 2: HIPAA-compliant hosting = compliant app — wrong. AWS signing a BAA means AWS is compliant in its infrastructure. Your application code must also implement safeguards.
Misconception 3: de-identified data is not PHI — partially true. HIPAA has a specific de-identification standard (18 identifiers must be removed or expert determination performed). Removing just a name is not sufficient.
© 2026 NexWorldTech — Built for Global Dominance.