Our Take
July 7, 2025

HIPAA Compliance for Software Teams: What Actually Matters

If you’re building apps that touch healthcare, you're probably already thinking about HIPAA. Or at least you should be.

But here's the thing: most people treat HIPAA like a checklist. Add HTTPS, toss in a privacy policy, and call it secure. That’s how bad products get built, and how companies end up in real trouble.

This post isn’t for compliance officers. It’s for developers and founders who want to build HIPAA-compliant apps that actually work. These are real-world lessons from building apps that handle protected health information (PHI), and from building security in from day one.

What Even Counts as PHI?

Start here. If you don’t understand what you’re protecting, nothing else matters.

Protected Health Information (PHI) is any health-related data that can be tied to an individual. This includes:

  • Name + health status
  • Email + appointment history
  • A blood pressure reading tied to a date and a user ID

If it’s health data and can be linked to a person, it’s PHI. Your app needs to treat it like gold.

1. Encrypt Everything

Encryption is your first defense. It's not optional.

Use TLS 1.2 or higher for every request. No exceptions. TLS (Transport Layer Security) protects data while it's moving between your app and your server. Think of it as a secure tunnel. It makes sure that no one else can see or change what’s being sent while it’s in motion.

In simple terms:
TLS 1.2 is like whispering a secret through a secure pipe—no one can eavesdrop, and no one can tamper with the message.

At rest:
Use AES-256 to encrypt stored data. AES stands for Advanced Encryption Standard, and 256 refers to the key length—256 bits. It’s the encryption banks use. Even if someone gets access to your database file, they still won’t be able to read it without the key.

Think of it like this:
AES-256 is your digital vault. Without the key, you’re not getting in.

Example:

const { Client } = require('pg'); // node-postgres
const client = new Client({
  connectionString: process.env.DATABASE_URL,
  // Require TLS and verify the server certificate against trusted CAs;
  // with rejectUnauthorized: false the client would accept any certificate.
  ssl: { rejectUnauthorized: true }
});

And don’t log PHI. Ever. Not even in dev. Not in prod. Just don’t.

2. Minimize What You Collect

Just because you can store data doesn’t mean you should.

  • Avoid collecting sensitive fields you don’t need
  • Set automatic expiration on short-term records
  • Purge stale data regularly (and log that you did it)

If your database got leaked today, how much of that data would you actually regret storing?

3. Lock Down Access with Roles

Not everyone should have access to everything.

Set clear access levels and enforce them across your app and API.

Example pattern:

// Enforce the check server-side, in the API handler, not only in the UI
if (!user.canAccess(record.ownerId)) {
  return res.status(403).send('Not allowed');
}

Audit these checks. Test them. Don’t assume that just because your UI hides something, your API is safe.

4. Log Everything (The Right Way)

HIPAA requires you to track who accessed what and when.

Set up real audit logs for:

  • Reads and writes to PHI
  • Logins
  • Permission changes

Keep logs separate from your main database. Encrypt them. And make sure someone actually reviews them regularly.
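The ownership check from section 3 and the audit trail from section 4, as one added example that is not code from the original post. The roles (patient, clinician, admin), the record shape, the action names and the in-memory auditTrail array are assumptions for the demo; a real deployment writes the trail to a separate, encrypted store.

```javascript
// Added example (not from the original post): a role/ownership check wired to
// an append-only audit trail. Roles, record shape and the in-memory store are
// assumptions made for the demo.
const auditTrail = []; // stand-in for a separate, encrypted audit log store

// Record every decision: who, which record, what action, allowed or denied,
// and when. Denials are logged too; they are the events reviewers care about.
function audit(event) {
  const entry = Object.freeze({ ...event, at: new Date().toISOString() });
  auditTrail.push(entry);
  return entry;
}

// user:   { id, role, patients?: [patientIds] }
// record: { id, ownerId, ... }
// patient   -> may read their own records only
// clinician -> may read and write records of patients assigned to them
// anything else (admin, unknown role) -> denied by default
function canAccess(user, record, action) {
  if (user.role === 'patient') {
    return action === 'read' && record.ownerId === user.id;
  }
  if (user.role === 'clinician') {
    return (user.patients || []).includes(record.ownerId);
  }
  return false; // default deny
}

// Server-side enforcement point for an API handler. Returns { status, body }
// instead of calling an Express res object so it runs stand-alone.
function handlePhiRequest(user, record, action, doWork) {
  const allowed = canAccess(user, record, action);
  audit({ actor: user.id, role: user.role, record: record.id, action, allowed });
  if (!allowed) return { status: 403, body: 'Not allowed' };
  return { status: 200, body: doWork(record) };
}
```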

5. Use Hosting Providers That Sign a BAA

If your cloud provider won’t sign a Business Associate Agreement (BAA), they’re not HIPAA-compliant.

Options that do support BAAs:

  • AWS (with signed BAA)
  • Azure
  • Google Cloud
  • Aptible (HIPAA-first hosting)

HIPAA compliance is a shared responsibility. If your vendor isn’t onboard, it doesn’t matter how careful your code is.

6. Dev and Staging Aren’t Safe by Default

Too many apps get burned by leaking real data in staging environments.

  • Never use real patient data in dev
  • Lock staging behind password or SSO
  • Turn off analytics and third-party tracking
  • Use unique credentials and storage buckets for every environment

If staging isn’t locked down, it becomes the easiest target.

7. Educate Your Team and Your Clients

This part gets ignored, but it matters.

  • Your engineers need to know what counts as PHI
  • Your support team needs to avoid discussing patient data in Slack
  • Your clients need to understand what “HIPAA-compliant” actually means

Compliance isn’t just technical. It’s also about behavior. Write it down. Review it quarterly. Keep everyone aligned.

HIPAA doesn’t have to be a blocker. But you can’t treat it like a bolt-on either.

You need to design for it. Build for it. And review your choices like someone’s job depends on it - because it does.

Start simple. Encrypt everything. Set access controls. Log what matters. Pick the right infrastructure. Don’t guess. And never treat healthcare data like regular data.

If you're building a HIPAA-compliant app and want someone who’s been through it to look over your setup, we’re here to help.

 - Written by Karly Lamm
