Skip to main content
Back to blog

HIPAA Compliant App Development: A Technical Guide for Engineering Teams

A practical, architecture-level guide to HIPAA compliant app development. Covers technical safeguards, PHI data flows, audit logging, encryption, BAA obligations, and common mistakes that cause compliance failures.

HIPAAHealthcareSoftware DevelopmentComplianceArchitecture
HIPAA Compliant App Development: A Technical Guide for Engineering Teams

Building a HIPAA compliant application is not primarily a legal exercise. It is an engineering discipline.

The regulation defines outcomes — confidentiality, integrity, availability of protected health information — but leaves implementation to you. That flexibility is also where most teams get into trouble. Without a clear architectural framework, "HIPAA compliance" becomes a checklist of surface-level controls that looks good in a vendor assessment and fails badly in an audit or breach investigation.

This guide is written for CTOs, engineering leads, and product owners who are building or rebuilding healthcare software and need to understand what HIPAA technical safeguards actually require — not at the legal summary level, but at the level of system design.

What HIPAA Technical Safeguards Actually Require

The HIPAA Security Rule organizes requirements into three categories: administrative safeguards, physical safeguards, and technical safeguards. Engineering teams own the technical safeguards, and that category is more specific than most developers realize.

The Security Rule (45 CFR §164.312) defines five technical safeguard standards:

  1. Access control — Unique user identification, emergency access procedures, automatic logoff, and encryption/decryption
  2. Audit controls — Hardware, software, and procedural mechanisms to record and examine activity in systems that contain PHI
  3. Integrity — Mechanisms to authenticate that PHI has not been improperly altered or destroyed
  4. Transmission security — Guard against unauthorized access to PHI transmitted over electronic networks
  5. Person or entity authentication — Verify that a person or entity seeking access to PHI is who they claim to be

Each of these has required specifications (mandatory) and addressable specifications (implement if reasonable and appropriate, or document why an equivalent alternative was used). The common mistake is treating addressable as optional. It is not. You must either implement it or document a compliant alternative — and that documentation will be examined if you are audited.

What "Encryption" Actually Means Under HIPAA

HIPAA does not mandate a specific encryption algorithm, but it does reference NIST guidance. In practice, this means:

  • AES-256 for data at rest
  • TLS 1.2 or higher for data in transit (TLS 1.3 strongly preferred)
  • Key management must be documented — who holds the keys, how rotation works, what happens during personnel changes

Encrypting your database and using HTTPS is necessary but not sufficient. If your encryption keys are stored in the same environment as the encrypted data, the protection is weaker than it appears. Key management is where many implementations fall short.

Architecture Patterns for HIPAA Compliant Software

Separate PHI Storage from Operational Data

The most durable pattern in HIPAA software architecture is to treat PHI as a distinct data tier with its own access controls, encryption, and audit logging — separate from your general application database.

This means:

  • PHI lives in a dedicated data store with row-level or field-level encryption
  • Application logic fetches PHI only when explicitly required for a specific operation
  • PHI identifiers (patient IDs, record IDs) are separate from PHI content

A common implementation uses a dedicated encrypted database — RDS with encryption at rest, for example — while operational data (scheduling, billing metadata, workflow state) lives in a separate store. The application joins these only at the point of rendering, and the join itself is logged.

This pattern reduces the blast radius of a breach. If your operational database is compromised, it contains identifiers but not PHI content. It also makes access control simpler: you can apply strict IAM policies to the PHI store without restricting access to general operational data.

Access Control: Role-Based Is Not Enough

Role-based access control (RBAC) is the baseline, but healthcare applications typically require attribute-based access control (ABAC) or a hybrid. The difference matters:

  • RBAC: A user with the "clinician" role can access patient records
  • ABAC: A user with the "clinician" role can access patient records for patients currently assigned to their care team, within the facilities where they hold active credentials

Pure RBAC grants overly broad access. A clinician at a large hospital system should not be able to query PHI for patients in facilities they have no relationship to. HIPAA's minimum necessary standard requires that access be scoped to what is actually needed for the current purpose.

Designing for ABAC upfront is significantly easier than retrofitting it. The key components:

AccessDecision = f(
  subject.role,
  subject.department,
  subject.facility_assignments[],
  resource.patient_id,
  resource.facility_id,
  resource.sensitivity_flags[],
  action.purpose_of_use
)

This decision function lives in your authorization layer — not scattered across individual API handlers. Every PHI access request passes through it, and the decision (including the parameters that drove it) is logged.

Audit Logging: What to Log and How

Audit logging is one of the most commonly under-implemented HIPAA controls. The regulation requires that you record and examine activity in systems containing PHI. In practice, this means your audit log needs to capture:

  • Who — Authenticated user identity (not just user ID, but enough to uniquely identify a person)
  • What — The specific PHI record accessed, modified, or deleted
  • When — Timestamp with sufficient precision (millisecond-level for most systems)
  • How — The operation type (read, write, export, print, share)
  • From where — Source IP, device identifier, and application context
  • Why — Purpose of use where the system can determine it

A minimal audit log record looks like this:

{
  "event_id": "evt_01HX...",
  "timestamp": "2026-02-16T14:23:11.847Z",
  "actor": {
    "user_id": "usr_abc123",
    "email": "provider@clinic.org",
    "role": "physician",
    "session_id": "sess_xyz789"
  },
  "resource": {
    "type": "patient_record",
    "record_id": "pt_def456",
    "facility_id": "fac_ghi789"
  },
  "action": "read",
  "purpose_of_use": "treatment",
  "source_ip": "10.0.1.45",
  "user_agent": "Mozilla/5.0 ...",
  "result": "success"
}

Critical implementation requirements:

  • Audit logs are append-only. The application user cannot delete or modify audit records. Use a separate write-only connection or a dedicated audit service.
  • Audit logs are separate from application logs. Mixing them makes audits difficult and creates risk that log rotation or deletion touches audit records.
  • Audit logs are retained for six years. This is a specific HIPAA documentation requirement. Architect your storage with this retention window in mind.
  • Audit logs are themselves PHI-adjacent. They may contain information that reveals PHI existence. Protect them accordingly.

PHI Data Flows: Designing Systems That Minimize Exposure

Every system that handles PHI should have a documented data flow diagram. Not as a compliance artifact — as an engineering tool. Knowing exactly where PHI enters, where it is stored, how it moves, and where it exits is the foundation of a defensible architecture.

The Principle of PHI Minimization

Before designing a feature, ask: does this component actually need PHI, or does it only need a pseudonymous identifier?

A scheduling system does not need a patient's full medical history to book an appointment. It needs a patient identifier, a provider, and a time slot. The clinical record system can be queried separately, under stricter controls, only when a clinician is actively rendering care.

PHI minimization in practice:

  • Tokenization — Replace PHI fields with non-sensitive tokens in operational systems. The token mapping lives in a separate, access-controlled store.
  • De-identification — For analytics, reporting, and ML training data, de-identify records to the Safe Harbor or Expert Determination standard before they leave the PHI boundary.
  • Data masking — In non-production environments (development, staging, QA), PHI should be masked or replaced with synthetic data. Developers should never need real PHI to do their work.

Where PHI Leaves Your System

Outbound PHI flows are where many organizations have the least visibility. Common unintended PHI exits:

  • Third-party analytics and error tracking — If your error monitoring SDK captures request bodies or user context, it may be capturing PHI. This requires either a BAA with your monitoring vendor or ensuring PHI is scrubbed before it reaches those systems.
  • Log aggregation — Application logs that include request parameters or response payloads may contain PHI. Structured logging with explicit field exclusions is safer than unstructured log strings.
  • Client-side data — React Query caches, localStorage, browser session storage — all of these can hold PHI. Design your frontend state management to hold PHI only as long as needed and to clear it on logout or session expiry.
  • PDF generation and file exports — Export pipelines are often an afterthought. Every generated document containing PHI needs to be accounted for, stored securely, and its access logged.

BAA Obligations and What They Mean for Your Stack

A Business Associate Agreement is a contractual requirement, not a technical control — but your vendor choices determine which BAAs you can obtain, and a BAA cannot be obtained from every vendor.

Who Needs a BAA

Any vendor, service provider, or contractor that creates, receives, maintains, or transmits PHI on your behalf is a Business Associate and requires a BAA. In a modern SaaS application, this list is longer than most teams initially expect:

  • Cloud infrastructure provider (AWS, Azure, GCP — all offer BAAs)
  • Database hosting (e.g., RDS, managed PostgreSQL services)
  • Authentication provider (Auth0, Okta, Cognito — check BAA availability per tier)
  • Error monitoring and observability (Datadog, Sentry — BAAs are available but often require enterprise tiers)
  • Email delivery (if PHI is included in transactional email)
  • AI and LLM providers (this is where most health tech teams have the largest gap)

The AI/LLM BAA Problem

If you are integrating AI into a healthcare application, you need to understand which AI providers offer BAAs and under what conditions.

AWS Bedrock offers a BAA under its standard AWS HIPAA compliance program. Azure OpenAI Service offers a BAA through the Microsoft Products and Services Agreement. OpenAI's consumer API does not offer a BAA and should not be used with PHI. Anthropic's API does not currently offer a BAA for the standard tier.

This is not a comprehensive or permanent list — BAA availability changes as providers update their commercial terms. But the principle is stable: if PHI will be sent to or processed by a service, that service needs a BAA before you write the first line of integration code.

The architectural implication is that your AI integration layer needs to distinguish between what is and is not PHI. If your RAG system retrieves clinical documents to answer a query, those documents may be PHI. If you are sending them to an LLM, that LLM provider needs a BAA. If no BAA is available, you need an architecture that de-identifies or synthesizes the context before it leaves your HIPAA boundary.

Common Mistakes That Cause HIPAA Failures in Software

These are the patterns we see most often when reviewing healthcare application architectures:

Broad database access credentials. The application service account has read/write access to the entire database, including all PHI tables. When that credential is compromised — through a misconfigured environment, a leaked secret, or an SSRF vulnerability — the entire PHI store is exposed. Instead: least-privilege database credentials, scoped to the minimum required tables and operations for each service.

PHI in URLs and query parameters. Patient IDs, record identifiers, or any PHI appearing in URL paths or query strings will end up in web server access logs, browser history, and HTTP referer headers. Use POST bodies for PHI, or use opaque identifiers that cannot be reverse-mapped without authenticated database access.

Shared sessions without proper isolation. Multi-tenant systems where session state or cache entries are not fully isolated by tenant. This is a standard software engineering problem, but the consequence in healthcare is PHI cross-contamination between organizations.

Logging PHI in application logs. Structured logging is good. Logging request bodies, response payloads, or user objects that contain PHI is not. Every logging call that touches user-supplied data needs to go through a sanitization function that strips PHI fields before writing.

Missing automatic session termination. HIPAA requires automatic logoff. Workstations left logged in with an active clinical session are a physical and technical risk. The implementation is straightforward — an inactivity timer that terminates the session after a configurable interval — but it is frequently omitted from initial builds.

Treating development environments as outside scope. Development and staging environments that use real PHI are HIPAA in scope. Using production database snapshots for local development, without de-identifying the data first, exposes PHI on developer workstations that are rarely subject to the same controls as production infrastructure.

Insufficient encryption key management. Encrypting the database but storing the encryption key in the same AWS account, in an environment variable, or in the same secrets manager instance as the application credentials — this is encryption theater. Key management needs to be a distinct architectural concern, with access to keys separated from access to the encrypted data.

What a Compliant Architecture Review Looks Like

When we work with engineering teams on HIPAA compliant app development, the starting point is a structured review of the existing or proposed system design — not a compliance checklist, but an architecture conversation.

A useful review covers:

  • PHI inventory — What data qualifies as PHI, where it is created in the system, where it is stored, and every path by which it moves or exits
  • Access control model — How users are authenticated, how authorization decisions are made, and whether the model supports minimum necessary access in practice
  • Audit log completeness — What is currently logged, whether it is sufficient to reconstruct the history of any PHI record, and whether the log store is adequately protected
  • Encryption posture — Encryption at rest and in transit, key management, and whether encryption is applied at the right layer for your threat model
  • Third-party data flows — Every vendor that touches PHI, whether BAAs are in place, and whether the data minimization principle is applied before PHI reaches external services
  • AI integration risk — If AI is part of the system, how PHI is handled within the AI pipeline, which providers are in scope, and what guardrails are in place

The output is a clear picture of where the architecture is solid and where there are gaps — with specific, prioritized recommendations for addressing them. It is not a certification and it is not a legal opinion. It is an engineering assessment.

If your team is building a healthcare application and you want a structured review of your architecture before you go further, that is the conversation we are set up to have.

Frequently Asked Questions

Does HIPAA require a specific encryption standard?

HIPAA does not mandate a specific algorithm, but it references NIST guidance, and in practice AES-256 for data at rest and TLS 1.2 or higher for data in transit are the accepted standards. The more important question is often not which algorithm you use but how you manage the keys — who controls them, how they are rotated, and what happens when they are compromised.

What is the difference between required and addressable HIPAA specifications?

Required specifications are mandatory — you must implement them. Addressable specifications must be implemented if reasonable and appropriate given your organization's risk assessment, or you must document why an equivalent alternative was used instead. Addressable does not mean optional. During an audit or breach investigation, you will be expected to demonstrate that you considered each addressable specification and made a documented, defensible decision.

Can we use a HIPAA compliant cloud provider and consider ourselves covered?

No. A cloud provider offering a BAA and HIPAA-eligible services means the shared responsibility model applies — the provider is responsible for the physical infrastructure and some platform controls, but you are responsible for everything you build on top of it. Your application access controls, audit logging, encryption key management, and secure coding practices are entirely your responsibility regardless of what your cloud provider does.

Do we need a BAA with our AI or LLM provider?

Yes, if PHI will be sent to or processed by that provider. This includes PHI used as context in prompts, PHI retrieved from your knowledge base and passed to a model, or PHI included in documents that are analyzed by the model. Review each AI provider's BAA availability before integrating them into a system that handles PHI. If a BAA is not available, you need an architecture that prevents PHI from reaching that provider.

How long do audit logs need to be retained?

HIPAA requires that documentation of policies, procedures, and actions be retained for six years from the date of creation or the date when it was last in effect — whichever is later. For audit logs specifically, six years is the required retention window. Architect your log storage with this in mind: cold storage for older logs is acceptable, but retrieval needs to be practical if you are ever audited or investigating an incident.

Build Healthcare Software That Is Defensible, Not Just Documented

The difference between healthcare applications that survive audits and those that do not is not usually the legal documentation — it is the engineering. Systems that log the right things, scope access correctly, keep PHI out of places it should not be, and handle third-party integrations with appropriate controls are genuinely more defensible than systems that rely on compliance documents to paper over architectural gaps.

If you are building a HIPAA compliant application and want an architecture review from engineers who work in this space, start with a conversation. If you are specifically evaluating AI capabilities within a HIPAA-compliant framework, our healthcare AI consulting practice works through exactly these design decisions.

The engagement is structured and time-bounded — a focused review to understand your systems, constraints, and goals, with clear deliverables. No pitch deck, no vague roadmap. If we are a fit, you will know exactly what the next steps look like.