HIPAA-Compliant Software Development: The Complete Engineering Checklist

Why Another HIPAA Checklist?

Most HIPAA guides are written by lawyers for lawyers. This one is written by engineers who have shipped EHR integrations, telehealth platforms, and clinical analytics systems — and have been through real audits.

We've built HIPAA-compliant systems that process 2.5 million medication decisions daily. The checklist below is what we actually use — not theory, but production-tested practice.

1. Encryption at Rest

All Protected Health Information (PHI) stored in your database must be encrypted. This is non-negotiable.

What we implement:

• AES-256 encryption for all PHI columns (not just the database volume)
• Field-level encryption for the most sensitive data (SSN, diagnosis codes)
• Key management via AWS KMS or Azure Key Vault — never store keys alongside data
• Encrypted backups with separate key rotation schedules

// Example: Field-level encryption with AWS KMS
import { KMSClient, EncryptCommand, DecryptCommand } from '@aws-sdk/client-kms';

const kms = new KMSClient({ region: 'us-east-1' });

export async function encryptPHI(plaintext: string): Promise<Buffer> {
  const { CiphertextBlob } = await kms.send(
    new EncryptCommand({
      KeyId: process.env.KMS_PHI_KEY_ID,
      Plaintext: Buffer.from(plaintext),
    }),
  );
  return Buffer.from(CiphertextBlob!);
}

2. Encryption in Transit

Every network hop that carries PHI must be encrypted.

• TLS 1.2 minimum, TLS 1.3 preferred
• Certificate pinning for mobile apps communicating with healthcare APIs
• Internal service-to-service communication must also use TLS (not just external-facing endpoints)
• WebSocket connections carrying PHI must use WSS, never WS

3. Audit Logging

Every access to PHI must be logged. Every modification, every view, every export.

Required log fields:

• Who accessed the data (user ID, role, IP address)
• What data was accessed (record ID, field names)
• When (timestamp with timezone)
• Why (action context: "viewed patient record", "exported report")
• From where (application, device type, session ID)

interface AuditLogEntry {
  userId: string;
  userRole: string;
  action: 'view' | 'create' | 'update' | 'delete' | 'export';
  resourceType: string;
  resourceId: string;
  fieldsAccessed: string[];
  ipAddress: string;
  userAgent: string;
  timestamp: string;
  sessionId: string;
}

4. Access Controls (RBAC)

Role-based access control is not optional in HIPAA systems. Implement the principle of minimum necessary access.

Key patterns:

• Define roles that map to clinical workflows (physician, nurse, admin, billing)
• Each role gets access only to the PHI fields they need
• Implement break-the-glass procedures for emergency access (logged and reviewed)
• Re-authenticate for sensitive operations (viewing full SSN, exporting data)

5. Automatic Session Management

Sessions containing PHI must have strict lifecycle management:

• Auto-logout after 15 minutes of inactivity (configurable per deployment)
• Session tokens must be invalidated server-side on logout
• Concurrent session limits (prevent credential sharing)
• Session binding to IP address or device fingerprint

6. Unique User Identification

Every person accessing the system must have a unique identifier. No shared accounts, no generic "admin" logins.

• Multi-factor authentication required for all users accessing PHI
• Password policies: minimum 12 characters, complexity requirements
• Account lockout after 5 failed attempts
• Integration with healthcare identity providers (Active Directory, SAML for hospital SSO)

7. Data Integrity Controls

Ensure PHI hasn't been improperly altered or destroyed:

• Database-level checksums on PHI records
• Version history for all PHI modifications (soft deletes, never hard deletes)
• Integrity verification on backup restoration
• Digital signatures on exported documents (PDF/A with embedded signatures)

8. Transmission Security

Beyond TLS, specific transmission patterns require additional controls:

• HL7 FHIR APIs must validate OAuth 2.0 SMART on FHIR scopes
• Direct messaging (healthcare email) requires S/MIME or equivalent
• File transfers containing PHI must use SFTP, never FTP
• API rate limiting to prevent bulk data exfiltration

9. Business Associate Agreements (BAA) for Infrastructure

Every third-party service that touches PHI needs a BAA:

• Cloud provider (AWS, Azure, GCP — all offer HIPAA BAAs)
• Database hosting
• Email/notification services
• Monitoring and logging platforms
• CDN providers (if serving PHI-adjacent content)

10. Incident Response Plan

Not a checklist item you build once — this is a living process:

• Documented breach notification procedures (72-hour window for HHS notification)
• Automated alerts for anomalous PHI access patterns
• Quarterly breach simulation exercises
• Post-incident review process with engineering involvement

The Horizon Dynamics Approach

We've applied this checklist across healthcare platforms processing millions of daily transactions. The key insight: HIPAA compliance is not a feature you add — it's an architectural decision you make on day one.

Every system we build for healthcare clients starts with this checklist baked into the architecture. Not as an afterthought, not as a compliance checkbox, but as a fundamental engineering constraint that shapes every design decision.

If you're building a healthcare product and need engineering partners who've been through real audits, we should talk.