When does HIPAA apply to you?
HIPAA applies to covered entities (most healthcare providers, health plans, clearinghouses) and business associates (vendors who create, receive, maintain, or transmit PHI on behalf of a covered entity). If you are a SaaS that stores or processes patient data on behalf of a clinic, hospital, or insurer — you are almost certainly a business associate.
If you build a wellness app with no clinical relationship, HIPAA likely does NOT apply (but state privacy laws and the FTC Act do). When in doubt, ask: is this data flowing to or from a covered entity?
The BAA chain (do this on day one)
You sign a BAA with every covered-entity customer. That contract is what protects them and transfers HIPAA obligations to you. You then sign a BAA with every sub-processor that touches PHI: your cloud provider, database host, email provider, error monitoring tool, customer support tool, AI provider.
Sub-processors who will sign a BAA in 2026 include: AWS, GCP, Azure, Supabase (paid plans), MongoDB Atlas (paid), OpenAI (Enterprise/Edu), Anthropic (Enterprise), Sentry (Business tier), Slack (Enterprise+ via EKM), Intercom (HIPAA add-on).
Sub-processors who will NOT sign a BAA (as of 2026): GitHub.com, Vercel Free/Hobby, most Discord/Telegram options, most consumer analytics tools. If PHI touches one of these, you are out of compliance.
§164 Security Rule — the technical map
The HIPAA Security Rule (45 CFR Part 164 Subpart C) is the part that touches your stack. Key citations:
- §164.308(a)(1) — Risk analysis. Document threats to ePHI annually.
- §164.308(a)(3) — Workforce access management. Quarterly access reviews + signed offboarding.
- §164.308(a)(5) — Security awareness + training.
- §164.312(a)(1) — Access control. Unique user IDs, automatic logoff, encryption.
- §164.312(a)(2)(iv) — Encryption at rest for ePHI (addressable, treat as required).
- §164.312(b) — Audit controls. Mechanisms that record access to ePHI.
- §164.312(c) — Integrity. Mechanisms to detect unauthorized modification.
- §164.312(d) — Person authentication. MFA, strong passwords, attestation.
- §164.312(e)(1) — Transmission security. TLS everywhere, period.
PHI in code, prompts, and AI workflows
A few specific exposures auditors increasingly flag in 2026:
- PHI in test fixtures (real patient names in seed data). Replace with synthetic; document the dataset's provenance.
- PHI in commit messages or PR descriptions. Pre-commit hooks (gitleaks) catch some; education is the rest.
- PHI in error monitoring (Sentry breadcrumbs, log lines). Configure scrubbers for known fields.
- PHI in AI prompts. If you use OpenAI / Anthropic / Gemini on workflows that include patient data, you need an Enterprise tier with a signed BAA AND model-training opt-out.
- PHI in code-completion tools (Copilot, Cursor). If your code contains hardcoded PHI in any form, the model has seen it.
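The scrubber mentioned for error monitoring, as an added example that is not KollGuard's or Sentry's own code: a recursive redactor over a JSON-like event that blanks known PHI field names and PHI-shaped values (SSN, US phone, e-mail) in free-text strings, exposed as a function with Sentry's `before_send(event, hint)` hook signature. The field list and regexes are assumptions to be tuned to your own data model; the sample event is constructed.

```python
import re
from typing import Any, Optional

# Keys treated as PHI wherever they appear in the event (assumed list; extend per your schema).
PHI_FIELDS = {"patient_name", "first_name", "last_name", "dob", "date_of_birth",
              "mrn", "ssn", "address", "phone", "email", "diagnosis"}

# Value shapes that look like PHI even under an innocuous key (assumed patterns).
PHI_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),               # US SSN
    re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b"),   # US phone number
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),              # e-mail address
]
REDACTED = "[REDACTED-PHI]"


def _scrub_string(s: str) -> str:
    """Replace every PHI-shaped substring in a free-text value."""
    for pat in PHI_PATTERNS:
        s = pat.sub(REDACTED, s)
    return s


def scrub(obj: Any) -> Any:
    """Recursively redact PHI from nested dicts, lists and strings without mutating the input."""
    if isinstance(obj, dict):
        # A PHI-named key is blanked whole; other keys are descended into.
        return {k: (REDACTED if str(k).lower() in PHI_FIELDS else scrub(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [scrub(v) for v in obj]
    if isinstance(obj, str):
        return _scrub_string(obj)
    return obj  # numbers, booleans, None pass through unchanged


def before_send(event: dict, hint: Optional[dict] = None) -> dict:
    """Drop-in hook: sentry_sdk.init(dsn=..., before_send=before_send). Returns the scrubbed event."""
    return scrub(event)


# Constructed sample event (not a real Sentry payload) mixing PHI keys and PHI-shaped text.
SAMPLE_EVENT = {
    "message": "lookup failed for jane.doe@example.com (ssn 123-45-6789)",
    "extra": {"patient_name": "Jane Doe", "request_id": "req-42"},
    "breadcrumbs": [{"message": "called 555-867-5309", "data": {"mrn": "MRN0001"}}],
}

if __name__ == "__main__":
    print(before_send(SAMPLE_EVENT))
```

Scrubbing at the SDK hook catches breadcrumbs and extra context as well as the top-level message, which is where field-level log filters usually miss.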
Breach notification, briefly
If unsecured PHI is acquired or disclosed without authorization, HITECH triggers notification:
- Notify affected individuals within 60 days.
- Notify HHS (annually for <500 affected; immediately for ≥500).
- Notify the media for breaches affecting 500+ residents of any single state.
"Unsecured" means not encrypted to HHS standards. Properly encrypted PHI that is exfiltrated does not count as a breach of unsecured PHI, so it does not trigger these notifications. This is why end-to-end encryption + at-rest encryption are massive risk reducers.
Frequently asked
- Is GitHub HIPAA compliant?
- GitHub.com (the SaaS) does NOT sign a BAA. GitHub Enterprise Server self-hosted on HIPAA-eligible infrastructure CAN. If your code contains PHI today, you are out of compliance regardless of branch protection. See our guide on HIPAA for GitHub-hosted code.
- Do I need a HIPAA audit?
- No formal certification body audits HIPAA. The Office for Civil Rights (OCR) at HHS conducts random audits and complaint-driven investigations. You need internal documentation that proves compliance — that is what KollGuard helps produce.
- What is the penalty for a HIPAA violation?
- Tiered: $137–$2.07M per violation (2026 adjusted), up to $2.07M annual cap per category. Willful neglect uncured can result in criminal penalties. Most enforcement actions arise from breaches, not random audits.
- Does KollGuard scan for PHI in source code?
- KollGuard scans for secrets (PHI exposure vectors), risky branch-protection settings, missing audit signals, and PHI-shaped columns in databases. We do not currently parse source code line-by-line for PHI strings — keep PHI out of code at ingestion time instead.
- Can I use OpenAI / Claude for patient workflows?
- Yes IF you are on an Enterprise tier with a signed BAA, model-training is opted out, and you log every prompt/response touching PHI. As of 2026, both OpenAI Enterprise and Anthropic Enterprise will sign BAAs. Consumer tiers (ChatGPT Plus, Claude.ai Pro) will not.
