How to Build HIPAA Compliant Software: A Step-by-Step Guide

[]
min read

You have a healthcare app idea, a working prototype, or maybe a signed pilot customer, and now someone just asked if it's HIPAA compliant. Building HIPAA compliant software is not a checkbox you tick at launch. It touches your architecture, your vendor contracts, your access controls, and how you handle every byte of patient data from day one. Get it wrong and you risk fines, lost deals, or a breach that ends the company before it starts.

This guide walks through what compliance actually requires, not the vague legal summaries you find elsewhere. You'll learn how to classify protected health information (PHI), what technical safeguards auditors expect, and how to document your risk assessments so you can prove compliance instead of just claiming it.

We built this from the same integration challenges our team at SoFaaS solves daily: connecting apps to Epic, Cerner, and other EHRs without letting security slip. Whether you're building from scratch or adding EHR connectivity to an existing product, you'll get a practical, step-by-step path to compliant software, plus pointers on where a managed platform can remove the heaviest lifting so your team can focus on the product itself.

What HIPAA compliance actually requires from your software

HIPAA itself never mentions software. The law was written in 1996, long before SaaS existed, and it speaks in terms of "covered entities" and "business associates" handling health information. When you're building HIPAA compliant software, you're really implementing the technical, physical, and administrative safeguards spelled out in the HIPAA Security Rule and Privacy Rule, then proving you did it. That distinction matters because it means there's no single certification or badge you can buy. Compliance is a state you maintain, verified through documentation, audits, and your own risk assessments.

The three safeguard categories you must implement

The HHS Security Rule organizes requirements into three buckets, and your software touches all three even if some fall on your company's HR or facilities team rather than your codebase.

  • Administrative safeguards: risk assessments, workforce training, designated security officers, and written policies for how PHI gets accessed and handled.
  • Physical safeguards: control over the actual servers, workstations, and devices that touch PHI, including data center access if you're self-hosting.
  • Technical safeguards: the part developers care about most, covering access controls, encryption, audit logs, and transmission security baked into the application itself.

HIPAA compliance is a maintained state, not a one-time badge you earn at launch.

Required vs addressable specifications

Inside the Security Rule, each safeguard is labeled either "required" or "addressable." This trips up a lot of teams because "addressable" sounds optional. It's not. Addressable means you must implement it unless you document a reasonable alternative or explain why it's not applicable to your environment. Encryption of PHI at rest, for example, is addressable, but in practice nearly every auditor and business partner expects it as a baseline. Skipping it without a documented justification is a red flag in any audit.

What auditors and partners actually check

When a hospital's security team or a potential enterprise customer reviews your software, they're not reading the statute. They're checking for specific, concrete evidence that your architecture and processes hold up. Expect questions like these:

- Is PHI encrypted in transit (TLS 1.2+) and at rest (AES-256)?
- Can you produce an audit log showing who accessed a specific patient record and when?
- Do you have unique user accounts with role-based access, not shared logins?
- Is there a signed Business Associate Agreement (BAA) covering this integration?
- What's your documented incident response plan if PHI is exposed?
- Do you have a current risk assessment on file, updated within the last 12 months?

If you can't answer these with specifics, not intentions, you're not compliant yet, regardless of how secure you believe your system is.

Why

Step 1. Map your PHI data flows and compliance scope

Before you write a line of security code, you need a clear picture of where protected health information (PHI) enters, moves through, and leaves your system. Skipping this step is the number one reason teams miss safeguards later, because you can't protect data you haven't tracked. Mapping your data flows also defines your compliance scope, which tells you exactly which parts of your stack need HIPAA-grade controls and which don't.

Step 1. Map your PHI data flows and compliance scope

Identify every place PHI touches your system

Start by listing every component that stores, processes, or transmits patient data, not just your primary database. Teams routinely forget log files, backup snapshots, analytics tools, and support ticket systems that accidentally capture patient names or medical record numbers.

  • Application databases and caches
  • File storage and backups (including cloud snapshots)
  • Third-party APIs and EHR connections (Epic, Cerner, Allscripts, etc.)
  • Logging, monitoring, and analytics pipelines
  • Email, chat, or support tools your team uses to discuss patient issues

If PHI can land somewhere, assume it eventually will, and plan controls for that spot.

Classify your compliance role

Once you know where data lives, determine whether you're a covered entity or a business associate under HIPAA. Most software vendors serving healthcare clients fall into the business associate category, which means you're contractually and legally on the hook for safeguarding any PHI you touch on a covered entity's behalf. This classification shapes which safeguards apply directly to you versus which your customer's compliance team owns.

Document the data flow diagram

Regulators and enterprise security reviewers will ask for a data flow diagram, so build one now rather than scrambling later. Draw every system from the list above, show the direction data moves, and mark which connections are encrypted and which systems store PHI at rest versus just passing it through. Keep this diagram updated every time you add an integration or a new EHR connector, because an outdated map is worse than no map. Teams that use a managed integration layer like SoFaaS often find this step simpler, since the EHR connection points are already documented and scoped for them.

Step 2. Set up secure authentication and access controls

Once you know where PHI lives, the next question is who can touch it. Access controls are the technical safeguard auditors scrutinize hardest, because weak authentication is how most breaches actually happen. Shared logins, generic admin accounts, and password-only access are the fastest way to fail a security review, so this step deserves real engineering time, not a quick library install.

Build role-based access from day one

Give every user a unique account tied to a specific role, and design permissions around the minimum data that role needs to do its job. A billing clerk doesn't need to see clinical notes, and a support agent doesn't need full medical history. Role-based access control (RBAC) should map directly to job function, not convenience.

  • Unique credentials per user, no shared or generic accounts
  • Roles scoped to minimum necessary PHI access
  • Automatic deprovisioning when someone leaves or changes roles
  • Periodic access reviews, at minimum quarterly

Shared logins are the single fastest way to fail a HIPAA security review.

Implement OAuth 2.0 for EHR connections

Any integration touching Epic, Cerner, or another EHR should run through SMART on FHIR's OAuth 2.0 flow, which handles patient consent and token-based access instead of storing raw credentials. A minimal authorization request looks like this:

GET /authorize?
 response_type=code&
 client_id=YOUR_CLIENT_ID&
 redirect_uri=https://yourapp.com/callback&
 scope=patient/*.read launch/patient&
 aud=https://ehr.example.com/fhir

Handling token refresh, revocation, and scope management correctly is where most in-house builds stumble, since a single misconfigured scope can expose more PHI than intended. This is exactly the layer SoFaaS manages for you, so your team isn't reinventing OAuth handling for every new EHR.

Enforce session and credential hygiene

Sessions should expire after a reasonable idle period, typically 15 to 30 minutes for anything touching PHI, and multi-factor authentication should be mandatory for any account with administrative or clinical data access. Passwords alone are addressable under the Security Rule, but every serious auditor treats MFA as required in practice. Verify these controls extend to every environment, including staging and any internal admin tool your engineers use to debug production data.

Step 3. Encrypt data and lock down your infrastructure

Access controls decide who can reach your data, but encryption decides what happens if someone gets around those controls anyway. Every piece of PHI, whether it's sitting in a database or moving across a network, needs to be unreadable to anyone without the right keys. This step is where a lot of teams cut corners because encryption feels like a solved problem, but the details of how you implement it are exactly what auditors dig into.

Step 3. Encrypt data and lock down your infrastructure

Encrypt data at rest and in transit

Use AES-256 for anything stored on disk, including primary databases, backups, and file storage, and use TLS 1.2 or higher for every connection carrying PHI, internal or external. Don't assume your cloud provider's default settings cover you. Confirm encryption is actually enabled on each resource, not just available.

  • Database-level encryption for all PHI-containing tables
  • Encrypted backups and snapshots, not just live systems
  • TLS enforced on every API endpoint, including internal service-to-service calls
  • Encrypted storage for any file uploads containing patient documents or images

Encryption you forgot to enable protects nothing, so verify every resource, don't assume the default.

Manage your encryption keys properly

Encryption is only as strong as your key management. Store keys in a dedicated service like AWS KMS or Azure Key Vault rather than hardcoding them in application code or environment files checked into version control. Rotate keys on a defined schedule and restrict who can access or export them, since a leaked key defeats encryption entirely.

Segment and harden your network

Lock down your infrastructure so PHI-handling systems sit behind restrictive firewall rules and network segmentation, separate from public-facing components that don't need direct data access. Limit database access to specific application servers rather than opening it broadly, and disable any unused ports or default credentials that come with cloud instances.

Layer Control Why it matters
Storage AES-256 encryption Protects data if disks or backups are exposed
Transit TLS 1.2+ Prevents interception between services
Keys Managed key vault, rotation Limits blast radius of a leaked credential
Network Segmentation, firewall rules Contains breaches to a smaller surface

Getting infrastructure right takes real engineering time, and it's a big reason healthcare teams lean on a platform like SoFaaS, which runs on SOC 2 Type II compliant infrastructure with encryption and segmentation already built in, so you're not architecting this layer from scratch for every new integration.

Step 4. Add audit logging, incident response, and BAAs

Encryption and access controls stop most problems, but HIPAA still expects you to prove what happened if something goes wrong. That means capturing every touch of PHI in an audit log and having a tested plan for the day a breach actually occurs. Auditors and enterprise partners will ask for both, and "we'll figure it out if it happens" is not an answer that passes a security review.

Log every access to PHI

Your audit log needs to answer who accessed what, when, and from where, for every record containing patient data. Skip generic application logs and build a dedicated audit trail that can't be edited or deleted by the same users it's tracking.

  • User ID, timestamp, and action for every PHI read, write, or export
  • Source IP or device for each access event
  • Immutable storage, separate from your primary application database
  • Retention of at least six years, matching HIPAA's documentation requirement

An audit log you can't produce on demand is the same as having no audit log at all.

Build an incident response plan before you need one

Write down exactly what happens the moment someone suspects a breach: who gets notified, how you contain the exposure, and how you determine whether it meets the threshold for HHS breach notification rules. Test this plan with a tabletop exercise at least annually, because a plan nobody has practiced tends to fall apart under real pressure. Assign a specific person as your security officer, since HIPAA requires someone accountable by name, not just a policy document sitting in a shared drive.

Get signed BAAs with every vendor touching PHI

Any vendor that stores, processes, or transmits PHI on your behalf, cloud hosting providers, EHR integration platforms, analytics tools, needs a signed Business Associate Agreement (BAA) before you send them a single record. No BAA means you're liable for whatever that vendor does with the data, and missing one is an instant red flag in any partner or hospital security review.

Here's what to check before you sign:

- Does the BAA name the specific services covered?
- Are breach notification timelines and responsibilities defined?
- Does it cover subcontractors the vendor uses (fourth parties)?
- Is there a clause for data return or deletion at contract end?

SoFaaS provides a signed BAA as part of its managed EHR connections, which removes one more contract negotiation from your launch checklist.

building hipaa compliant software infographic

Keeping your software compliant as it grows

Compliance doesn't freeze once you launch. Every new feature, EHR connection, or hire changes your risk profile, so treat these four steps as a recurring cycle, not a one-time project. Revisit your data flow map when you add an integration, re-run access reviews when your team changes, and update your risk assessment at least annually. Auditors and enterprise customers will keep asking the same hard questions years from now, and you need current answers, not launch-day snapshots.

Growing a healthcare product while maintaining every safeguard yourself pulls engineering time away from the product itself. That's the gap a managed platform is built to close, handling the EHR connections, OAuth flows, and infrastructure security so your team isn't rebuilding compliance work for every new integration. If you're ready to add SMART on FHIR connectivity without carrying that burden alone, launch your SMART on FHIR app in a couple of steps with VectorCare's SoFaaS platform.

Read More

HL7 FHIR: What It Is and How It Works

By

6 Best Home Health Agency Software Options in 2026

By

Health Information Exchange: What It Is And How It Works

By

Clinical Decision Support: What It Is And How CDS Works

By

The Future of Patient Logistics

Exploring the future of all things related to patient logistics, technology and how AI is going to re-shape the way we deliver care.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.