top of page
  • Writer's pictureAppsec360 Team

Building HIPAA-compliant software - #ONE

Building HIPAA-compllaint software

Software development organizations that deal with Protected Health Information (PHI) and/or Electronic Protected Health Information (e-PHI) in the US must take time to understand the Health Insurance Portability and Accountability Act (HIPAA). Even if you are not in the US, it still makes sense to understand the asks of this Act as it helps build systems that will be resilient to external threats and worthy of the trust that individuals put in them.

This post focuses on a high-level overview of the Act itself and includes a short reference checklist to understand what you need to know to get started in case you are in scope of this Act's compliance requirements. In a subsequent post, we will cover what a developer needs to keep in mind to ensure that the product they build is compliant.


HIPAA was enacted in 1996 to protect the privacy and security of patient's health information (PHI) and to ensure that it is properly handled and maintained. The act requires that all entities that handle PHI, including software development houses, comply with a set of standards and requirements known as the HIPAA Privacy, Security, and Breach Notification Rules.

One of the key things that software developers must understand about HIPAA is that it requires that all PHI be kept confidential and secure. As they analyze, design and build systems, and developers must take appropriate steps to protect PHI from unauthorized access, theft, loss, or misuse. This may involve implementing encryption, access controls, audit trails, and other security measures to ensure that PHI is kept secure both in transit and at rest.

Another important aspect of HIPAA that software developers must understand is that it requires that PHI only be used and disclosed for lawful purposes. This means that software developers must understand the types of uses and disclosures of PHI permitted under HIPAA and ensure that their software solutions are designed and implemented in a way that complies with these requirements.

To stay compliant with HIPAA, software developers must also understand the importance of regular security risk assessments and implement appropriate remediation measures in response to identified vulnerabilities. This may involve implementing software patches, updating security policies and procedures, or making other changes to the software solution as needed to maintain compliance with HIPAA.

Reference HIPAA considerations for Architects and Developers - part 1

1) First, determine if the system that you are working on is a “Covered Entity” under HIPAA.

A "Covered Entity" under HIPAA is a type of organization that must comply with the standards and requirements of the Health Insurance Portability and Accountability Act (HIPAA). Covered Entities are defined as:

  1. Health Care Providers: This includes any individual or organization that provides medical or other health services, such as doctors, hospitals, clinics, nursing homes, and mental health facilities.

  2. Health Plans: This includes any individual or organization that provides or pays for the cost of medical care, such as health insurance companies, health maintenance organizations (HMOs), and government programs like Medicare and Medicaid.

  3. Healthcare Clearinghouses: This includes any entity that processes nonstandard health information it receives from another entity into a standard (e.g., electronic) format or vice versa.

2) You have documented Privacy Rule policies and procedures

3) Your system has a Notice of Privacy Practices that you support within the software you are building or has complimentary controls outside the system being built that will provide an equivalent or more compliance.

4) You can attest that your Privacy Rule policies and procedures being followed

5) The Security Rule policies and procedures are documented and enforceable using the system

6) Security Rule policies and procedures are enforceable via Administrative, Physical, and Technical Safeguards

We will continue exploring the checklist and what needs to be done to meet the technology safeguards in a followup post.

1 view0 comments
bottom of page