"HIPAA compliance" is not a feature you add. It is an architectural property you either design in from the start — or spend years retrofitting at escalating cost, risk, and regulatory exposure.
— Foundation · 45 CFR 164.302
Understand What HIPAA Actually Requires of Your System
HIPAA's Security Rule (45 CFR Part 164, Subpart C) defines the technical, administrative, and physical safeguards required for any system that creates, receives, maintains, or transmits electronic Protected Health Information (ePHI). Before writing a line of code, your engineering team must internalize three things most teams get wrong:
⚙️
Technical Safeguards
45 CFR §164.312
Access controls, audit logging, integrity controls, transmission security. The engineering layer — directly implemented in code and infrastructure.
📋
Administrative Safeguards
45 CFR §164.308
Risk analysis, workforce training, contingency planning, BAA management. Process and policy — but must be enforced by system controls your engineering team builds.
🏢
Physical
Safeguards
45 CFR §164.310
Data center controls, workstation access, device media disposal. Largely inherited from your cloud provider — but you must verify and document inheritance.
💡The "addressable vs. required" distinction matters. HIPAA specifications are either Required (must be implemented) or Addressable (must be implemented OR you must document why an equivalent alternative is reasonable and appropriate). Addressable does not mean optional — it means you must make a documented, defensible decision. Engineers who skip addressable specifications without documentation create OCR findings.
— Step One · Data Architecture
Classify Every Data Element Before You Design Your Schema
HIPAA protects Protected Health Information — any individually identifiable health information created or received by a covered entity or business associate. ePHI is PHI in electronic form. The 18 HIPAA identifiers are the legal enumeration, but in engineering practice the classification problem is more nuanced: combinations of non-PHI fields can constitute PHI when combined. Your architecture must classify data at the field level, not the table level.
| Data Class | Examples | HIPAA Treatment | Engineering Control |
|---|---|---|---|
| Direct PHI Identifiers | Name, DOB, MRN, SSN, address, phone, email, biometric | Full ePHI | Encrypted at rest (AES-256), encrypted in transit (TLS 1.2+), access-controlled, audited |
| Clinical Data with Identifier | Diagnosis code + patient_id, Lab result + encounter_id | Full ePHI | Same as above. The linkage makes it ePHI even if diagnosis alone is not. |
| De-identified Data | Age >89 → "90+", geographic region ≥ 20,000 pop, dates shifted | Not PHI (if Expert Determination or Safe Harbor met) | De-identification must be documented and validated. Re-identification risk assessed. |
| Operational Metadata | tenant_id, user_id, timestamps, event types, API logs | Not PHI — unless linked to identifiable patient | Must be designed to not capture PHI. Log scrubbing required. Separate retention policy. |
| Aggregated Analytics | Admission rates, population health metrics, site-level counts | Not PHI if properly aggregated | Minimum cell size ≥ 11 to prevent re-identification. Suppression rules documented. |
Once classified, PHI fields must be tagged at the schema level — not just in documentation. Use column-level classification metadata (many modern databases and data catalogs support this natively) so that access policies, masking rules, and audit logging can be applied systematically rather than manually per query.
Peerbits Services - EHR Integration Services
— Technical Safeguard · §164.312(A)(2)(IV) & §164.312(E)(2)(II)
Encryption Architecture: At Rest, In Transit, and In Use
HIPAA does not mandate a specific encryption standard — but the HHS Guidance on Encryption specifies that NIST-approved encryption renders PHI "unusable, unreadable, or indecipherable" and thus eliminates breach notification obligations when encrypted data is lost or stolen. In practice, this means AES-256 for data at rest and TLS 1.2 or higher for data in transit are the engineering baseline.
Encryption At Rest
Encryption In Transit
Every PHI transmission — API calls, database connections, message queue payloads, inter-service communication, webhook deliveries — must use TLS 1.2 at minimum, TLS 1.3 preferred. Common engineering failures include: internal microservice communication that travels over HTTP inside a VPC (assumed-safe but not compliant), database connections without certificate validation, and third-party integrations that accept self-signed certificates. Enforce TLS at every network hop, not just at the public API boundary.
TLS enforced on public API gateway. Internal services communicate over HTTP within the private subnet. Database connections use sslmode=disable for "performance." Webhook deliveries skip certificate verification. One compromised internal service can read all PHI in plaintext.
mTLS between all internal services. Database connections enforce sslmode=verify-full with pinned CA certificate. Webhook deliveries validate destination TLS certificate. Network policy blocks all port 80 traffic in healthcare namespaces. PHI in motion is always ciphertext.
— Technical Safeguard · §164.312(A)(1)
Access Control: Zero Trust Architecture for PHI Systems
The traditional healthcare security model — perimeter-based, VPN-secured, implicit trust inside the network — is dead. Zero Trust Architecture (ZTA) is the required posture for any healthcare system operating in cloud or hybrid environments: never trust, always verify, regardless of network location. Every request to access PHI must be authenticated, authorized, and logged — including requests from internal services.
A HIPAA-compliant access control system for healthcare has four mandatory layers:
-
Authentication — who are you? Multi-factor authentication (MFA) is required for all workforce members accessing ePHI. TOTP or hardware FIDO2 keys are acceptable. SMS-based MFA is not recommended (SIM-swapping risk). Federated identity via SAML 2.0 or OIDC is required for enterprise client SSO. Session tokens must expire — 8-hour maximum for clinical users, 1-hour for administrative users with PHI access.
-
Authorization — what can you access? Role-Based Access Control (RBAC) scoped to the minimum necessary standard. The HIPAA Minimum Necessary Rule (§164.514(d)) requires that access to PHI be limited to the minimum necessary to accomplish the intended purpose. A billing clerk must not access clinical notes. A front-desk user must not see lab results. These are not UI restrictions — they are query-layer enforcement rules.
-
Context — under what circumstances? Break-glass access (emergency override of normal access controls with automatic alerting and post-hoc review) must be architected, not improvised. Time-of-day restrictions, location-based policies, and device compliance checks are increasingly expected in enterprise healthcare contracts and OCR investigations.
-
Audit — what did you access? Every PHI access event must be logged, attributed, and retained. Covered in Section 5 below.
HIPAA §164.514(d)
Peerbits Services - SMART on FHIR App Development
— Technical Safeguard · §164.312(b)
Audit Logging: HIPAA-Compliant Activity Tracking at Every Layer
HIPAA's Audit Controls standard (§164.312(b)) requires "hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI." In practical engineering terms: you need immutable, complete, attributable logs of every PHI access event — and the ability to produce them for a specific user, patient, or time range on demand.
A HIPAA-grade audit logging architecture captures events at four distinct layers, because no single layer captures everything:
Application Layer — PHI read/write events, login/logout, role changes
Required - §164.312(b)
API Gateway Layer — all inbound requests with JWT identity, status codes
Required - §164.312(c)(2)
Database Layer — query-level logging for all tables containing PHI columns
Addressable - §164.312(b)
Infrastructure Layer — cloud trail, VPC flow logs, KMS key usage events
Addressable - §164.312(b)
Every audit log entry must include: who (authenticated user identity, not username — the UUID that links to your IAM system), what (resource type and resource identifier — never the PHI content itself), when (UTC timestamp with millisecond precision), from where (source IP, user agent, device identifier), and outcome (success, failure, reason for failure). Logs must be immutable — write-once, no delete, no modify — and retained for a minimum of six years per the HIPAA retention requirement.
🚨Common engineering failure: Storing audit logs in the same database as application data, accessible to the same application user. This means a compromised application credential can delete its own audit trail. Audit logs must be forwarded to a separate, write-only sink (AWS CloudTrail Lake, Azure Monitor with immutability policy, WORM-configured S3 bucket) before the request completes. Log forwarding must be synchronous for PHI access events — not async fire-and-forget.
- Administrative Safeguard · §164.308(B)
Business Associate Agreement Architecture: BAA Beyond the PDF
A Business Associate Agreement is the legal contract between a HIPAA Covered Entity (hospital, health plan, healthcare provider) and any vendor who creates, receives, maintains, or transmits PHI on their behalf. As the healthcare software company, you are the Business Associate — and you need a BAA with every customer who uses your system to process PHI, plus a BAA with every subprocessor (cloud provider, monitoring tool, support platform) that may touch PHI in the course of providing your service.
The engineering implication of BAAs that most teams miss: your BAA obligations constrain your architecture choices. If your BAA permits PHI to be stored only in US regions and your multi-tenant architecture doesn't enforce data residency at the tenant level, you are in BAA breach for any tenant whose data leaves the agreed region. If your BAA prohibits PHI from appearing in support logs and your logging configuration includes request bodies, you are in breach every time a support engineer reviews a log.
-
BAA inventory is machine-readable and actively maintained. Every subprocessor with potential PHI access is documented. When you add a new vendor — a new APM tool, a new logging service, a new payment processor — your BAA review process is triggered before that service touches any PHI-capable environment.
-
Cloud provider BAA is in place and covers all services you use. AWS, Azure, and GCP all offer BAAs — but not all services under each provider are HIPAA eligible. AWS HIPAA eligible services list must be reviewed before deploying any PHI workload on a new AWS service. Using a non-eligible service to process PHI — even incidentally — is a BAA violation.
-
BAA terms are enforced in code, not just in contract. Data residency restrictions → enforced by tenant configuration and infrastructure policy. PHI-exclusion-from-logs obligations → enforced by log scrubbing middleware. Subprocessor notification requirements → triggered by your vendor management system, not manual process.
-
Customer BAA execution gates PHI access. No tenant accesses PHI-capable features until BAA execution is recorded in your compliance registry and confirmed. This is a hard technical gate, not a sales process checkbox.
— Administrative Safeguard · §164.308(A)(1)
Risk Assessment: Making It a Living Engineering Process
HIPAA's Security Management Process standard requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. The regulation specifies "accurate and thorough" but gives no methodology — which gives engineering teams flexibility, and which most engineering teams use as an excuse to produce a compliance document that is outdated the day it's published.
A living HIPAA risk assessment for a software product is not a PDF. It is a set of continuously updated artifacts:
Risk assessment completed by compliance team once at certification, stored as a PDF, reviewed annually by auditors who weren't involved in building the system. New features added without risk assessment updates. Threat landscape ignored between reviews.
Threat model updated in the same PR as architectural changes. Dependency CVE monitoring automated (Dependabot, Snyk). Penetration test results tracked as engineering backlog items. Risk registry lives in version control alongside source code. Annual external assessment supplements, not replaces, continuous practice.
Covered entities and business associates must implement policies and procedures to prevent, detect, contain, and correct security violations — including conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.
45 CFR §164.308(A)(1)(II)(A) — Risk Analysis (Required)
Peerbits services - Patient Engagement Systems
— Technical Safeguard · §164.312(C)(1)
Integrity Controls: Ensuring PHI Is Never Silently Modified
HIPAA's Integrity standard requires mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner. In engineering terms: your system must be able to detect and prove that a PHI record has not been tampered with since it was created or last legitimately modified. This goes beyond encryption — a malicious actor with database write access can modify encrypted records without decrypting them, and without an integrity mechanism, the modification is undetectable.
Practical integrity controls for healthcare systems include: HMAC-based record signatures (each record carries an HMAC generated at write time using a signing key; any modification invalidates the HMAC), append-only data patterns for clinical records (new versions are created; the original is never updated in place), and database-level audit triggers that capture before/after states for all writes to PHI tables. Combined with immutable audit logging, these controls provide a chain of evidence that satisfies both HIPAA's integrity requirement and the evidentiary standards of a breach investigation.
— Administrative Safeguard · §164.308(A)(6)
Incident Response Architecture: HIPAA Breach Notification by Design
HIPAA's Breach Notification Rule (45 CFR Part 164, Subpart D) requires covered entities to notify affected individuals within 60 days of discovering a breach involving more than 500 individuals. Business Associates must notify covered entities within 60 days of discovering a breach. This clock starts at discovery — not at confirmation. If your incident response process takes 30 days to confirm whether a breach occurred, you have 30 days left to notify. If it takes 45 days, you have 15.
HIPAA breach notification by design means your incident response architecture answers the four breach qualification questions automatically, not through manual investigation:
-
Was PHI involved? Your system should be able to answer within hours, not days, because PHI is tagged at the field level (Section 2), access is logged by resource type and patient identifier (Section 5), and your data classification schema maps every log event to a PHI status automatically.
-
How many individuals were affected? Your audit log architecture gives you a precise count of affected patient identifiers from the incident time window — not an estimate. The difference between 499 and 501 individuals determines whether you notify HHS within 60 days or within 60 days via annual summary. Know this number precisely.
-
Was the PHI encrypted? If yes, and the encryption meets NIST standards, the Safe Harbor exception may eliminate notification obligations entirely. This determination is automatic if your encryption status is documented per-field in your data classification schema.
-
What was the probability of compromise? The 4-factor risk assessment (nature and extent of PHI, identity of unauthorized person, whether PHI was acquired, extent to which risk has been mitigated) must be documented within days of discovery. Pre-built incident response runbooks that guide investigators through this assessment reduce the time from days to hours.
⚠️Pen testing is not optional at scale. HIPAA's risk analysis requirement encompasses penetration testing — though not explicitly mandated, OCR investigation patterns strongly expect evidence of regular penetration testing for large systems. Annual third-party penetration tests plus quarterly internal automated scanning (SAST, DAST, dependency audit) is the defensible posture for healthcare SaaS platforms processing PHI at scale.
— Operational Safeguard · §164.308(a)(7)
Contingency Planning: Availability Is a HIPAA Requirement
HIPAA's Contingency Plan standard requires covered entities and BAs to have policies and procedures for responding to an emergency or other occurrence that damages systems containing ePHI. In engineering terms: your disaster recovery and business continuity plan must ensure PHI is available when needed and recoverable after an incident — at defined SLAs, tested regularly, and documented demonstrably.
The five required components of a HIPAA contingency plan, with their engineering implementations:
| HIPAA Requirement | Regulation | Engineering Implementation | Test Frequency |
|---|---|---|---|
| Data Backup Plan | §164.308(a)(7)(ii)(A) | Automated daily encrypted backups. PHI encrypted with tenant KMS keys. Off-region backup replica. Backup integrity verified weekly via automated restore test. | Weekly automated |
| Disaster Recovery Plan | §164.308(a)(7)(ii)(B) | Documented RTO/RPO per tier. Automated failover for production workloads. DR runbooks version-controlled alongside infra code. DR environment kept warm, not cold. | Quarterly tabletop + annual full DR drill |
| Emergency Mode Operations | §164.308(a)(7)(ii)(C) | Minimal-mode operation plan: read-only PHI access during outage. Break-glass credential procedures documented. Clinical-facing features prioritized over admin features in degraded mode. | Annual simulation |
| Testing & Revision Procedures | §164.308(a)(7)(ii)(D) | Chaos engineering in staging environment. Automated backup restore verification. Quarterly DR tests with documented results. Plan revised after every incident and annually otherwise. | Quarterly |
| Application Criticality Analysis | §164.308(a)(7)(ii)(E) | Data flows mapped to business criticality. PHI-bearing systems classified as Tier 1 (highest recovery priority). Dependencies between clinical, billing, and analytics systems documented. | Annual review |
Peerbits Services - Revenue Cycle Management Software Development
— AI + Modern Stack · Emerging Requirements
Building AI Features Into HIPAA-Ready Healthcare Systems
AI features in healthcare — clinical decision support, ambient documentation, diagnostic assistance, predictive analytics — introduce new HIPAA engineering challenges because AI models are data processors. Any AI model trained on, fine-tuned with, or inferencing against PHI must be covered by your HIPAA compliance architecture. The key engineering obligations for AI in healthcare systems are:
-
LLM API calls containing PHI require a BAA with the model provider. If you are sending patient notes, lab results, or any PHI-containing text to an external LLM API (OpenAI, Anthropic, Azure OpenAI, AWS Bedrock), that API provider must sign a BAA with you. Not all providers offer BAAs for all service tiers. Verify before integration, not after deployment.
-
PHI must not appear in AI model training data without explicit authorization. Using production PHI to fine-tune or train models requires patient authorization, or the data must be de-identified per HIPAA Safe Harbor or Expert Determination before use. Synthetic data generation (using tools like Synthea, or privacy-preserving techniques like differential privacy) is the defensible approach for model training in most healthcare contexts.
-
AI inference results on PHI are themselves PHI. An AI model's output — "this patient has a 73% predicted readmission risk" — linked to an identifiable patient is ePHI. It must be stored, accessed, and audited under the same controls as the underlying clinical data.
-
Explainability and audit requirements for clinical AI. AI-generated clinical recommendations that influence care decisions may be subject to additional documentation requirements under FDA Software as a Medical Device (SaMD) regulations and the ONC's information blocking rules. HIPAA compliance is necessary but not sufficient for clinical AI features.
Peerbits Services - AI Clinical Scribe
Build HIPAA by Design, Not HIPAA by Retrofit
Every week you operate a healthcare system with unclosed HIPAA gaps is a week of regulatory exposure, breach liability, and OCR investigation risk. Peerbits has helped over 60 healthcare technology companies — from seed-stage digital health startups to enterprise EHR vendors — design and implement HIPAA-compliant system architectures that survive real audits, real OCR investigations, and real enterprise procurement security reviews.
Our HIPAA Architecture Assessment is a 5-day engagement that delivers a written compliance gap report scored against all 45 CFR §164 technical and administrative safeguards, a prioritized engineering remediation roadmap, and a readiness scorecard you can share with enterprise customers and auditors.
Book Free HIPPA Assessment
