HIPAA Compliance

HIPAA Compliant Software Development: The 2026 Complete Checklist

The definitive 2026 checklist for building HIPAA compliant software. Covers technical architecture, BAA requirements, encryption, audit logging, and an interactive developer checklist.

TWO44 Team
June 30, 2026
18 min read
1147 views
HIPAA Compliant Software Development: The 2026 Complete Checklist
TWO44 publishes a 2026 HIPAA compliant software development checklist covering technical safeguards, Business Associate Agreements, encryption standards, audit logging, and an interactive developer checklist for healthcare application teams.

Why HIPAA Compliant Software Development Matters in 2026

If your application creates, receives, maintains, or transmits protected health information (PHI), HIPAA compliance is not a feature you bolt on at launch—it is a legal obligation from the first line of code. The Health Insurance Portability and Accountability Act applies to covered entities and their business associates, including software vendors, SaaS platforms, and development agencies building healthcare tools.

In 2026, enforcement has intensified. OCR continues issuing penalties for misconfigured cloud environments, missing Business Associate Agreements (BAAs), and inadequate access controls. Developers who treat HIPAA as a checklist—not a checkbox—build systems that survive audits, win enterprise healthcare contracts, and protect patients.

This guide is the complete developer reference: technical architecture, BAA requirements, the 2026 compliance checklist, and the safeguards every engineering team must implement before handling a single patient record.

What Counts as PHI in Software Development

Protected Health Information is any individually identifiable health information held or transmitted by a covered entity. For developers, PHI includes:

  • Patient names, addresses, phone numbers, and email addresses
  • Medical record numbers, account numbers, and device identifiers
  • Dates related to birth, admission, discharge, or death
  • Diagnoses, treatment plans, prescriptions, and clinical notes
  • Lab results, imaging metadata, and billing codes
  • Biometric identifiers and full-face photographs
  • Any combination that could identify an individual and relate to their health

If your database stores any of the above—even in a JSON blob or log file—you are handling PHI and must implement HIPAA Security Rule safeguards.

HIPAA Security Rule: Three Safeguard Categories

Administrative Safeguards

Policies, procedures, workforce training, risk assessments, and incident response. Engineering teams must document who has access to production PHI, how access is granted and revoked, and what happens during a breach.

Physical Safeguards

Facility access controls, workstation security, and device disposal. For cloud-native teams, this translates to secure developer laptops, encrypted drives, and policies preventing PHI on personal devices.

Technical Safeguards

The developer's primary domain: access controls, audit logging, encryption, integrity controls, and transmission security. Every item in the checklist below maps to a technical safeguard requirement.

Technical Architecture for HIPAA Compliant Applications

A HIPAA-compliant architecture separates concerns so PHI never leaks through the wrong layer. The diagram below shows the reference architecture TWO44 uses for healthcare clients including ABA therapy platforms, telehealth tools, and patient intake systems.

Technical architecture diagram — upload team asset: HIPAA-compliant application layers showing client, API gateway, auth service, encrypted database, audit log store, and BAA-covered third-party integrations.

Layer 1: Client Applications

Web and mobile clients must never store unencrypted PHI in localStorage, sessionStorage, or cookies. Use secure HTTP-only session tokens. Implement automatic session timeout (15–30 minutes of inactivity is standard for healthcare). Disable PHI in client-side error reporting tools unless those tools are covered by a signed BAA.

Layer 2: API Gateway and Authentication

All API endpoints handling PHI require authentication (OAuth 2.0 or JWT with short-lived tokens). Enforce role-based access control (RBAC) at the API layer—not just the UI. Rate limiting and input validation prevent injection attacks that could expose patient records.

Layer 3: Application Services

Business logic runs in isolated services with least-privilege IAM roles. PHI must never appear in application logs, error messages, or debug output. Use structured logging with field redaction. Separate PHI-bearing services from non-PHI services (marketing, analytics) at the network level.

Layer 4: Data Storage

Databases and object storage containing PHI must use AES-256 encryption at rest. Encryption keys must be managed separately (AWS KMS, Azure Key Vault, or equivalent). Backups must be encrypted and access-controlled. Retention policies must align with HIPAA's six-year audit log requirement.

Layer 5: Audit and Monitoring

Every read, write, update, and delete of PHI generates an immutable audit event: user ID, timestamp, action, resource ID, and source IP. Audit logs must be tamper-protected and retained for at least six years. Alert on anomalous access patterns (bulk exports, off-hours access, failed login spikes).

Layer 6: Third-Party Integrations

Every vendor that touches PHI—cloud hosts, email providers, SMS gateways, analytics, payment processors, error trackers—must sign a Business Associate Agreement before receiving any patient data. No BAA means no PHI. Period.

Business Associate Agreements (BAA): What Developers Must Know

A BAA is a legally binding contract between a covered entity (or business associate) and a vendor that will create, receive, maintain, or transmit PHI on their behalf. Without a signed BAA, transmitting PHI to that vendor is a HIPAA violation.

Who Needs a BAA?

  • Cloud infrastructure: AWS, Azure, Google Cloud (must enable HIPAA-eligible services)
  • Database and hosting: Managed PostgreSQL, MongoDB Atlas, Supabase (if HIPAA-eligible tier)
  • Communication: Twilio (healthcare), SendGrid (with BAA), transactional email providers
  • Authentication: Auth0, Okta, Firebase (if handling PHI-adjacent data)
  • Monitoring and logging: Datadog, Sentry, LogRocket—only if they receive PHI in logs
  • Payment processing: Stripe (healthcare), if billing data includes PHI
  • Your development agency: TWO44 signs BAAs with every healthcare client we build for

BAA Checklist for Engineering Teams

  1. Inventory every third-party service that receives, stores, or processes PHI
  2. Verify each vendor offers a BAA (not all SaaS tools do—Slack free tier, standard Google Analytics, and most CRMs do not)
  3. Execute the BAA before sending any PHI to the vendor
  4. Configure only HIPAA-eligible services (signing an AWS BAA does not make every AWS service compliant)
  5. Document BAA execution dates and renewal schedules
  6. Include subcontractor flow-down requirements in your own BAAs if you are a business associate

Common BAA Mistakes

  • Using Google Analytics 4 on pages that collect patient information without a HIPAA-compliant analytics alternative
  • Routing error reports to Sentry with PHI in stack traces
  • Storing patient documents in Dropbox or Google Drive personal accounts
  • Using Twilio standard SMS for appointment reminders containing diagnosis or provider names

Interactive HIPAA Software Development Checklist (2026)

Use this checklist during architecture review, sprint planning, and pre-launch security audits. Every item must be verified before production PHI enters the system.

Planning and Governance






Business Associate Agreements





Encryption






Access Controls







Audit Logging





Application Security







Workforce and Training




Request a TWO44 HIPAA architecture review — our healthcare engineering team will walk through this checklist against your current build.

HIPAA Compliance Tool Comparison (2026)

Every vendor in your stack must either sign a BAA or stay outside the PHI boundary. Use this comparison when selecting infrastructure, authentication, monitoring, and communication tools for healthcare applications.

Tool / VendorBAA AvailableHIPAA-Eligible TierBest ForCommon Mistake
AWSYes (AWS Artifact)140+ services (RDS, S3, ECS, Lambda, KMS)Production healthcare apps, ABA platforms, telehealthAssuming all AWS services are covered after signing BAA
Microsoft AzureYes60+ services (App Service, Azure SQL, Blob, Key Vault)Microsoft 365 shops, enterprise healthcareUsing non-eligible services for PHI storage
Google CloudYes (GCP services)40+ services (Cloud SQL, GCS, GKE, Cloud KMS)Analytics-heavy clinical platformsExporting PHI to BigQuery without eligible config
Auth0 / OktaYes (healthcare plans)Enterprise tier with BAAStaff authentication with MFA and SSOUsing developer/free tier for PHI-adjacent apps
TwilioYes (Healthcare edition)Programmable SMS/Voice with BAAAppointment reminders without clinical content in SMSStandard Twilio SMS for messages containing diagnosis
SendGridYes (Pro+ with BAA)Transactional email onlyPassword resets, non-PHI notificationsIncluding patient names or clinical details in email subject lines
Datadog / SentryYes (enterprise BAA)With PHI redaction configuredApplication monitoring without PHI in logsShipping stack traces containing patient names to error trackers
Google Analytics 4NoNot HIPAA-eligibleMarketing pages with zero PHI collectionGA4 on patient intake or portal pages
SupabaseYes (Team/Enterprise)HIPAA add-on on eligible plansStartups needing managed PostgreSQL quicklyFree tier or self-hosted without BAA for PHI
FirebaseLimitedNot recommended for PHI at scaleNon-PHI features (push notifications config)Storing patient records in Firestore without BAA

For ABA-specific hosting decisions, see our HIPAA cloud hosting comparison for ABA therapy apps. For app-level implementation, read HIPAA compliant app development with our interactive developer checklist.

Technical Safeguards: Implementation Details

Encryption in Transit

Enforce HTTPS across the entire application. Use HSTS headers. Disable SSLv3, TLS 1.0, and TLS 1.1. For API-to-API communication, use mTLS or signed JWT tokens. Never send PHI via unencrypted email or standard SMS.

Encryption at Rest

Enable transparent data encryption (TDE) on managed databases. Encrypt S3 buckets and blob storage containing PHI. Ensure encryption is enabled by default—not opt-in. Document key rotation procedures.

Access Controls and RBAC

Define roles aligned with job functions: admin, clinician, billing, read-only auditor. Map each API endpoint and UI screen to required roles. Test that users cannot escalate privileges. Implement break-glass emergency access with mandatory post-access review.

Audit Controls

Log format should include: timestamp (UTC), user ID, action type, resource identifier (not full PHI), source IP, and outcome (success/failure). Store logs in a separate, write-once system. Never log full patient names, SSNs, or clinical content.

Integrity and Transmission Security

Use checksums or digital signatures for critical clinical data. Implement optimistic locking on patient records to prevent silent overwrites. Validate SSL certificates on all outbound connections to third-party APIs.

Common Developer Mistakes That Cause HIPAA Violations

  • Logging PHI: Stack traces, debug logs, and analytics events containing patient names or MRNs
  • Missing BAAs: Using AWS without enabling the BAA, or sending data to vendors without agreements
  • Client-side PHI storage: Caching patient records in localStorage for "performance"
  • Over-privileged access: Every developer having production database access indefinitely
  • No session timeout: Sessions persisting for days on shared clinic workstations
  • Skipping risk assessments: Deploying new PHI workflows without evaluating security impact
  • Test data in production: Using real patient records in staging or development environments

HIPAA Penalties: What Non-Compliance Costs

OCR classifies violations into four tiers based on culpability:

  • Tier 1 (unknowing): $100–$50,000 per violation, up to $1.5M per year
  • Tier 2 (reasonable cause): $1,000–$50,000 per violation, up to $1.5M per year
  • Tier 3 (willful neglect, corrected): $10,000–$50,000 per violation, up to $1.5M per year
  • Tier 4 (willful neglect, not corrected): $50,000 per violation, up to $1.5M per year

Beyond fines, breaches trigger mandatory notification to HHS, affected patients, and sometimes media. Reputational damage and loss of payer contracts often exceed the regulatory penalties.

How TWO44 Builds HIPAA Compliant Software

TWO44 specializes in healthcare technology for ABA therapy centers, telehealth platforms, and clinical intake systems. Our engineering process embeds compliance from sprint zero:

  • Architecture reviews against the checklist above before writing production code
  • HIPAA-eligible cloud configuration (AWS/Azure) with documented BAA coverage
  • Automated security testing in CI/CD pipelines
  • Audit logging and RBAC built into every healthcare platform we deliver

Explore our ABA therapy software platform, read our technical requirements guide, or book a consultation to discuss your healthcare application.

Conclusion

HIPAA compliant software development in 2026 demands a security-first architecture: encryption everywhere, RBAC on every endpoint, comprehensive audit logging, and signed BAAs with every vendor touching PHI. Use the interactive checklist above during every phase of your build. The cost of building compliance in from day one is far lower than retrofitting after an OCR investigation.

Frequently Asked Questions

Yes. Any developer building software that creates, receives, maintains, or transmits protected health information (PHI) must implement HIPAA Security Rule safeguards. Covered entities and business associates are legally required to protect ePHI with administrative, physical, and technical controls.

PHI is any individually identifiable health information held or transmitted by a covered entity. It includes patient names, dates of birth, medical record numbers, diagnoses, treatment notes, prescriptions, insurance details, and any data that can identify a patient and relate to their health.

Developers must implement encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access controls, unique user identification, audit logging of all PHI access, integrity controls, automatic session timeout, and secure transmission protocols. These are mandatory under the HIPAA Security Rule.

A BAA is a contract between a covered entity and a vendor that creates, receives, maintains, or transmits PHI on their behalf. Every cloud host, email provider, analytics tool, SMS gateway, and error tracker handling PHI must sign a BAA before receiving patient data. No BAA means no PHI.

Common mistakes include logging PHI in application logs or error messages, using third-party services without a signed BAA, storing PHI in unencrypted client-side storage, failing to implement session timeouts, granting all developers permanent production access, and skipping regular security risk assessments.

Yes. Any vendor that stores, processes, or transmits PHI on your behalf must sign a Business Associate Agreement. Major providers like AWS, Azure, and Google Cloud offer BAA-eligible services, but signing a BAA alone does not make your configuration compliant—you must configure services correctly.

HIPAA requires audit logs documenting access to ePHI to be retained for at least six years. Logs must be protected from tampering and should capture who accessed what data, when, and from where, including failed access attempts.

Use TLS 1.2 or higher for all data in transit with HTTPS enforced across the application. Encrypt all databases and file storage containing PHI at rest using AES-256 or equivalent. Manage encryption keys separately from encrypted data and hash passwords with bcrypt or Argon2.

OCR penalty tiers range from $100–$50,000 per violation depending on culpability, with annual caps up to $1.5 million per violation category. Willful neglect not corrected carries the highest penalties. Breach notification to HHS and affected individuals is required within 60 days.