HIPAA for Developers: The Safeguards That Actually Touch Your Code

HIPAA, translated for people who write code
Most HIPAA guidance is written for compliance officers, not engineers. But a large share of the HIPAA Security Rule lands squarely on the systems you build and operate. If your app touches electronic protected health information (ePHI) — names tied to health data, medical records, claims, appointment details — these requirements are yours to implement. Here is the part that matters to your codebase.
The Security Rule in one sentence
The Security Rule asks you to protect the confidentiality, integrity, and availability of ePHI through administrative, physical, and technical safeguards. Administrative and physical safeguards are mostly policy and facilities work. The technical safeguards are where developers live. Note one important nuance: each safeguard is labeled either required or addressable. Addressable does not mean optional — it means you either implement it, or document a reasoned justification and an equivalent alternative. Skipping it silently is not a valid choice.
Access control
Every user and system that touches ePHI needs a unique identifier, and access should be scoped to the minimum necessary. In practice this means:
- Unique user identification (required): no shared logins, no generic
adminaccount used by five people. Each actor is individually attributable. - Role-based or attribute-based authorization enforced server-side. Client-side gating is a UX convenience, never a control.
- Automatic logoff (addressable): session timeouts so an unattended terminal does not leave ePHI exposed.
- Emergency access procedure (required): a break-glass path to data when normal systems are down.
If you run multi-tenant Postgres, this is exactly where row-level security earns its keep — enforcing that tenant A can never read tenant B's rows, at the database layer rather than in application code alone.
Audit controls
The rule requires mechanisms to record and examine activity in systems that contain ePHI. Translated: you need audit logs that capture who accessed what, when, and from where — and you need to be able to review them. This is not just login events. Reads of sensitive records matter, because unauthorized viewing is a breach even when nothing is changed. Design your logging so that access to a patient record is a first-class, queryable event, not something buried in an application log you rotate away after a week.
Integrity
Integrity controls protect ePHI from improper alteration or destruction (addressable mechanisms to authenticate that data has not been changed). Practically: checksums or hashes on stored records, database constraints, and append-only patterns for anything that must not be silently rewritten. Tamper-evident, hash-chained audit logs are a strong way to demonstrate integrity of the audit trail itself.
Transmission security
ePHI in motion must be protected against interception. The two named specifications are integrity controls and encryption, both addressable. In modern practice there is no good justification for not encrypting: TLS 1.2 or higher on every external connection, and ideally on internal service-to-service traffic too. Terminate TLS properly, disable legacy ciphers, and do not let ePHI ride over plaintext internal hops because "it's just the private network."
Encryption at rest
Encryption of stored ePHI is addressable, which surprises people. But there is a powerful incentive to do it: encrypted data that is lost or stolen may fall under the breach-notification safe harbor, meaning it is not treated as a reportable breach. Full-disk and database-level encryption are table stakes; manage your keys with a real KMS, not a config file.
What this means Monday morning
You do not need to become a lawyer. You need unique identities, server-side least-privilege authorization, meaningful access logging, integrity protection, TLS everywhere, and encryption at rest — each either implemented or explicitly justified. A compliance scanner like KollGuard can map these technical safeguards to concrete checks against your actual infrastructure, so "addressable" becomes a documented decision instead of a gap someone finds during an audit.
Get new posts by email
SOC 2, HIPAA, post-quantum readiness, and the engineering behind continuous compliance. No spam, unsubscribe anytime.
