Industry Guide
HIPAA-Compliant Software Development Guide
Healthcare software that handles PHI (Protected Health Information) must be HIPAA compliant. The essentials are a BAA, the required safeguards, and audit logging. Here's what you need.

PHI & Covered Entities
PHI is health information that identifies a person (individually identifiable health information). Covered entities are providers, health plans, and clearinghouses. Business associates (you, if you handle PHI on their behalf) need a BAA.
BAA
Business Associate Agreement. Required with each covered entity whose PHI you handle. It defines how you may use, store, and safeguard that PHI. Use HIPAA-compliant vendors that will sign a BAA with you (AWS BAA, etc.).
Technical Safeguards
- Encryption at rest and in transit
- Access controls and audit logs for every PHI access (allowed and denied)
- Authentication (MFA for admin roles)
- Minimum necessary: each role sees only the PHI fields its task requires
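
The safeguards above, other than encryption (which the hosting platform's KMS and TLS normally supply), can be shown together in application code. The following is an added example written for this guide, not code from the guide or any named vendor: a role-based field policy enforces minimum necessary, admin reads require a completed MFA challenge, and every read attempt (including refusals) goes to a hash-chained audit log that can be checked for tampering. The role names, field names, and sample record are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib
import json

# Constructed role policy: the fields of a patient record each role may read.
# Role and field names are assumptions for this example, not from the guide.
FIELD_POLICY = {
    "scheduler": {"patient_id", "name"},
    "billing": {"patient_id", "name", "insurance_id"},
    "clinician": {"patient_id", "name", "dob", "diagnosis", "medications"},
    "admin": {"patient_id", "name", "dob", "insurance_id", "diagnosis", "medications"},
}
# Roles that must present a completed MFA challenge before any PHI read.
MFA_REQUIRED_ROLES = {"admin"}

# Constructed sample record; it contains no real PHI.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Example Patient",
    "dob": "1970-01-01",
    "insurance_id": "INS-TEST-123",
    "diagnosis": "example-dx",
    "medications": ["example-med"],
}


class AccessDenied(Exception):
    """Raised when a read is refused; the refusal is still audited."""


@dataclass
class AuditLog:
    """Append-only log; each entry carries the hash of the previous entry."""
    entries: list = field(default_factory=list)
    last_hash: str = "0" * 64  # genesis value for the first entry

    def record(self, **event) -> str:
        event["ts"] = datetime.now(timezone.utc).isoformat()
        event["prev"] = self.last_hash
        digest = hashlib.sha256(json.dumps(event, sort_keys=True).encode()).hexdigest()
        event["hash"] = digest
        self.entries.append(event)
        self.last_hash = digest
        return digest

    def verify(self) -> bool:
        """Recompute the chain; any edited, removed, or reordered entry breaks it."""
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True


def read_record(record, user, role, purpose, audit, mfa_verified=False):
    """Return only the fields the role may see, auditing both success and refusal."""
    base = {"user": user, "role": role, "patient_id": record["patient_id"], "purpose": purpose}
    allowed = FIELD_POLICY.get(role)
    if allowed is None:
        audit.record(**base, outcome="denied", reason="unknown role")
        raise AccessDenied(f"role {role!r} has no PHI access")
    if role in MFA_REQUIRED_ROLES and not mfa_verified:
        audit.record(**base, outcome="denied", reason="mfa required")
        raise AccessDenied(f"role {role!r} requires MFA")
    # Minimum necessary: project the record down to the permitted fields only.
    view = {k: v for k, v in record.items() if k in allowed}
    audit.record(**base, outcome="ok", fields=sorted(view))
    return view


if __name__ == "__main__":
    log = AuditLog()
    print(read_record(SAMPLE_RECORD, "u1", "billing", "claim", log))
    try:
        read_record(SAMPLE_RECORD, "u2", "admin", "support", log)
    except AccessDenied as exc:
        print("denied:", exc)
    print("audit chain intact:", log.verify())
```

In production the audit entries would be shipped to append-only storage rather than kept in a list, but the chain check is the same: re-hash each entry and confirm its `prev` matches the entry before it.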

Frequently Asked Questions
Can we use standard cloud hosting?
Yes, with a BAA in place. AWS, GCP, and Azure offer HIPAA-eligible services and will sign a BAA. Keep PHI only on those designated services. See our Healthcare case study.