
HIPAA compliance for software development: A 7-step checklist
Any app that creates, receives, maintains, or transmits protected health information (PHI) for a covered entity or a business associate must be HIPAA-compliant to keep operating without regulatory setbacks. In practice, this means that if your organization builds software for the health tech industry, it must adhere to the requirements the regulation mandates.
Because HIPAA is broad in scope and leaves much to interpretation, its requirements can seem challenging without a clear compliance roadmap, which leads to inefficient workflows and incomplete adherence to the rules. Vanta's 2025 HIPAA violation survey found that 41% of organizations cite evolving regulations as their top challenge in staying HIPAA compliant.
To help you navigate the process with confidence, our guide covers all you need to know about HIPAA compliance for software development, including:
- How HIPAA applies to your software
- What steps you can take to make your software HIPAA-compliant
- What compliance challenges you should prepare for
How HIPAA affects your software
HIPAA identifies two categories of entities that healthcare software developers can fall under:
- Covered entities
- Business associates
Covered entities are the organizations HIPAA regulates directly: health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with HIPAA standard transactions (claims, eligibility checks, and the like). They fall into three categories:
- Healthcare providers (clinics, doctors, nursing homes, etc.)
- Health plans (healthcare insurance companies, company health plans, health maintenance organizations, etc.)
- Healthcare clearinghouses (middlemen between healthcare providers and plans)
A business associate is an individual or entity that isn't part of the covered entity's workforce but creates, receives, maintains, or transmits PHI while performing a function or service for the covered entity, or on its behalf. Examples include:
- CPAs working with covered entities
- Independent medical transcriptionists
- Pharmacy benefits managers
- Attorneys with access to PHI
If your software supports the activities performed by covered entities or business associates, it must be HIPAA-compliant. Understanding which category your organization and app fall under matters, as there are differences in the requirements. Note also that, since the 2013 Omnibus Rule, a business associate's subcontractors that handle PHI (for example, the cloud provider hosting your PHI database) are business associates in their own right and need their own agreements.
The rest of this guide focuses primarily on business associates, though covered entities can take the same compliance steps.
7 steps to making your software HIPAA-compliant
To bring your software closer to full HIPAA compliance, you can take the following steps:
- Set up secure user authentication
- Limit access to your systems
- Ensure data confidentiality, integrity, and availability
- Outline data disposal policies
- Create detailed business associate agreements
- Develop incident response plans
- Have a contingency plan
Below we’ll discuss the specifics and action items of each step.
Step 1: Set up secure user authentication
According to HIPAA, organizations must “implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”
The regulation doesn't specify how these procedures should be implemented, a gap common to many HIPAA requirements. It is up to you to select and implement authentication measures that are effective against unauthorized access to your software, and to document why you chose them.
Such measures can include:
- Multi-factor authentication: The user must present at least two of the three factor categories: something they know (a password), something they have (a hardware token or authenticator app), and something they are (a biometric). Two secrets from the same category, such as a password plus security questions, do not count as MFA.
- System logs: Comprehensive records of system events, such as who accessed or changed PHI and every authentication attempt, successful or not, fall under HIPAA's separate audit controls standard, which is required regardless of the authentication measures you choose. Build authentication logging in from the start rather than retrofitting it.
- Biometric authentication: The user is verified by a biological characteristic (fingerprint, face, iris). Biometrics are one form of the "something they are" factor. A compromised biometric cannot be rotated like a password, so store templates rather than raw samples and never rely on biometrics as the only factor.
These measures build on the baseline the Security Rule already requires: a unique identifier for every user (unique user identification is itself a required standard, so shared or generic accounts must never touch PHI) and strong passwords stored as salted, slow hashes. While building your software, implement both the baseline and the additional factors to achieve maximum security.
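The following is an added example, not code from the original article or from Vanta: a login routine that combines a password check (scrypt from the Python standard library) with a TOTP code implemented per RFC 4226/6238, rejects replayed codes, and writes an audit record for every attempt. The in-memory user store and audit list are constructed stand-ins for a database and an append-only log; the TOTP secret used in the usage below is the RFC 6238 test key so the vectors can be checked offline.

```python
import hashlib
import hmac
import os
import struct
import time

TOTP_STEP = 30      # seconds per TOTP step (RFC 6238 default)
TOTP_WINDOW = 1     # accept +/- one step of clock skew
AUDIT_LOG = []      # stand-in for an append-only audit store (assumption)


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Memory-hard password hash using the stdlib scrypt binding."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)


def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // TOTP_STEP)


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record; last_step blocks replay of an accepted TOTP code."""
    salt, digest = hash_password(password)
    return {"salt": salt, "hash": digest, "totp_secret": totp_secret, "last_step": -1}


def audit(event: str, user: str, success: bool, now: int, **extra) -> dict:
    """Append a structured record; failed attempts are logged as well as successes."""
    record = {"ts": now, "event": event, "user": user, "success": success, **extra}
    AUDIT_LOG.append(record)
    return record


def authenticate(users: dict, username: str, password: str, code: str, now=None) -> bool:
    """Password + TOTP check. Returns True only when both factors verify."""
    now = int(time.time()) if now is None else now
    user = users.get(username)
    if user is None:
        # burn the same hashing cost so response time does not reveal valid usernames
        hash_password(password, b"\x00" * 16)
        audit("login", username, False, now, reason="unknown_user")
        return False
    _, digest = hash_password(password, user["salt"])
    if not hmac.compare_digest(digest, user["hash"]):
        audit("login", username, False, now, reason="bad_password")
        return False
    step = now // TOTP_STEP
    matched = next(
        (s for s in range(step - TOTP_WINDOW, step + TOTP_WINDOW + 1)
         if hmac.compare_digest(hotp(user["totp_secret"], s), code)),
        None,
    )
    if matched is None:
        audit("login", username, False, now, reason="bad_totp")
        return False
    if matched <= user["last_step"]:
        # the same code was already accepted; treat reuse as an attack
        audit("login", username, False, now, reason="replayed_totp")
        return False
    user["last_step"] = matched
    audit("login", username, True, now, factors=["password", "totp"])
    return True


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"  # RFC 6238 test key
    users = {"alice": make_user("correct horse battery", rfc_secret)}
    print(authenticate(users, "alice", "correct horse battery", totp(rfc_secret, 59), now=59))
    print(AUDIT_LOG[-1])
```

Every branch writes an audit record before returning, including the unknown-user branch, so the log answers "who tried to get in, when, and why it failed" without depending on the caller to remember to log. The replay check is what keeps the skew window from becoming a second chance for a captured code.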
Step 2: Limit access to your systems
HIPAA’s Privacy Rule requires organizations to minimize access to PHI and ensure it adheres to the so-called minimum necessary requirement. You need to develop policies and procedures that ensure data is only transferred to fulfill a specific purpose and isn’t disclosed more than necessary.
As each organization has a unique data flow, there isn’t a universal set of rules or policies to implement—they depend on your organization’s processes that require data disclosure.
Still, there are three universal steps you can take to ensure adherence to this rule:
- Identify individuals and categories of individuals that need access to PHI to fulfill their duties
- Outline the types of PHI and specific information needed for those duties
- Define conditions under which access to the outlined information is appropriate
After mapping out access to PHI, encode the result as role- or attribute-based access controls that are enforced in code, not only in a policy document, and continually monitor the relevant data and who accesses it. Treat anything you have not explicitly mapped as denied.
HIPAA also requires an emergency access procedure so that ePHI can be obtained when normal access paths are unavailable. There are no specific guidelines on what the procedure should look like, so structure it according to your needs, but a practical design is "break-glass" access that grants entry on a stated justification, flags the event in the audit log, and forces an after-the-fact review.
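As an added example (not from the original article), the three mapping steps above turned into an enforcement point: a role-to-PHI-category-to-purpose table, a projection function that returns only the fields a role needs for a given purpose, and a break-glass path for the emergency access procedure that grants access but queues the event for review. The roles, categories, purposes, and patient record are constructed for illustration; a real system derives them from its own access mapping.

```python
from dataclasses import dataclass

# Constructed minimum-necessary mapping: role -> PHI category -> purposes for which
# that role needs the category. Anything not listed is denied (fail closed).
ACCESS_POLICY = {
    "physician": {
        "demographics": {"treatment"},
        "clinical_notes": {"treatment"},
        "lab_results": {"treatment"},
    },
    "billing_clerk": {
        "demographics": {"payment"},
        "insurance": {"payment"},
    },
    "support_engineer": {},  # no routine PHI access; emergency path only
}

# Constructed: the PHI category each stored field belongs to.
FIELD_CATEGORY = {
    "name": "demographics",
    "dob": "demographics",
    "diagnosis": "clinical_notes",
    "hba1c": "lab_results",
    "policy_number": "insurance",
}

AUDIT_LOG = []      # every decision, allowed or denied
REVIEW_QUEUE = []   # emergency accesses awaiting after-the-fact review


@dataclass
class Decision:
    allowed: bool
    reason: str
    break_glass: bool = False


def permitted(role: str, category: str, purpose: str) -> bool:
    """True only if the policy lists this purpose for this role and category."""
    return purpose in ACCESS_POLICY.get(role, {}).get(category, set())


def check_access(user: str, role: str, category: str, purpose: str,
                 emergency_justification: str = "") -> Decision:
    """Decide one access request and record it in the audit log."""
    if permitted(role, category, purpose):
        decision = Decision(True, "policy")
    elif emergency_justification:
        # Emergency access procedure: grant, but flag for mandatory review.
        decision = Decision(True, "break_glass", break_glass=True)
        REVIEW_QUEUE.append({"user": user, "category": category,
                             "justification": emergency_justification})
    else:
        decision = Decision(False, "not_minimum_necessary")
    AUDIT_LOG.append({"user": user, "role": role, "category": category,
                      "purpose": purpose, "allowed": decision.allowed,
                      "reason": decision.reason})
    return decision


def minimum_necessary(role: str, purpose: str, record: dict) -> dict:
    """Project a patient record down to the fields this role may see for this purpose.
    Fields with no category mapping are treated as PHI and dropped."""
    return {
        field: value for field, value in record.items()
        if permitted(role, FIELD_CATEGORY.get(field, "unclassified"), purpose)
    }


if __name__ == "__main__":
    record = {"name": "J. Doe", "dob": "1970-01-01", "diagnosis": "E11.9",
              "hba1c": "7.1", "policy_number": "P-0001", "free_text": "..."}
    print(minimum_necessary("billing_clerk", "payment", record))
    print(check_access("u2", "support_engineer", "clinical_notes", "treatment",
                       emergency_justification="ticket 42 outage"))
```

Two design points worth copying: the projection happens on the way out of the data layer, so an endpoint cannot leak a field the caller is not entitled to simply by forgetting to filter, and unmapped fields are dropped rather than passed through, so adding a column to the schema without classifying it fails safe.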
Step 3: Ensure data confidentiality, integrity, and availability
Under HIPAA's Security Rule, an organization must ensure the confidentiality, integrity, and availability of all electronic PHI (ePHI) that the covered entity or business associate creates, receives, maintains, or transmits. (The Security Rule covers ePHI specifically; paper records fall under the Privacy Rule's safeguards.)
To make this happen, you’ll need to implement multiple technical, administrative, and procedural security measures. The specific measures depend on the following factors:
- Your organization’s size, capability, and complexity
- Your IT infrastructure and the available security capacity
- Likelihood and criticality of PHI-related risks
- The potential cost of security measures
All security measures you implement must be documented in writing (electronic documents count). The same applies to the risk analysis and every other activity the Security Rule's standards require, and the records must be retained for six years from the date of their creation or the date they were last in effect, whichever is later.
Step 4: Outline data disposal policies
Data disposal is a notable security concern, so HIPAA requires handling it thoroughly and responsibly. Hardware and media that held PHI must be disposed of so that the PHI is unreadable, indecipherable, and cannot be reconstructed.
You can outline data disposal policies as you see fit, as long as they ensure that PHI is securely removed and irretrievable.
Examples of activities and processes that make this happen include:
- Burning, shredding, or pulverizing paper records containing PHI so that they’re unintelligible and impossible to reconstruct
- Clearing, purging, or destroying media containing PHI using dedicated software or processes such as disintegration or incineration (HHS guidance points to NIST SP 800-88 for the specifics). On solid-state drives and in cloud storage, overwriting is unreliable, so plan on cryptographic erasure: encrypt the data at rest and destroy the key.
- Using disposal vendors to destroy PHI included in prescription bottles
Before disposal, organizations need to establish a secure location for media awaiting destruction—these can be locked bins or shredding containers. These areas should be clearly labeled and accessible to authorized personnel only.
Step 5: Create detailed business associate agreements
As a software developer, you might be a covered entity’s business associate or collaborate with associates to build specific aspects of your solutions. In either case, you must familiarize yourself with business associate agreements (BAAs) and the HIPAA standards applicable to them.
Covered entities and business associates must always enter into a written contract, the contents and extent of which largely depend on the partnership specifics. Still, some universal elements of a BAA include:
- Required and permitted use and disclosure of PHI by the business associate
- A clause preventing the business associate from using or disclosing PHI beyond what is agreed upon in the contract
- Requirements for business associates to implement the standards from HIPAA's Security Rule and the necessary safeguards for ePHI
- Requirements for business associates to perform activities involving PHI in accordance with HIPAA’s Privacy Rule and meet the same regulatory obligations as the covered entity
Step 6: Develop incident response plans
One of HIPAA’s key requirements is related to effective incident responses. The regulation obligates organizations to develop and implement policies and procedures that address security incidents in a way that minimizes their effects.
To make this happen, you need a comprehensive incident response plan that serves the following purposes:
- Early detection of security threats
- Rapid containment and resolution of incidents
- Efficient incident documentation and reporting
Achieving all of the above requires your plan to encompass the following components:
- Roles and responsibilities of personnel in the event of a security incident
- Contact information of everyone involved in the response
- Response policies and procedures
- Communication and reporting plan
- Standardized incident protocols for common attacks specific to the organization
If you're a business associate, you must notify the covered entity of a breach of unsecured PHI without unreasonable delay and no later than 60 calendar days after you discover it. A breach counts as discovered on the first day anyone in your organization (or an agent of it) knew, or with reasonable diligence should have known, about it. BAAs frequently shorten this window, sometimes to a few days, so check the contract. Besides the details of the incident, the notice must, to the extent possible, identify each individual whose PHI was affected so the covered entity can make its own required notifications.
Step 7: Have a contingency plan
Cybersecurity incidents aren’t the only threat to PHI, so HIPAA’s Security Rule requires contingency plans to address other notable risks. While an incident response plan primarily focuses on cyberattacks, a contingency plan has a broader scope and aims to protect data from:
- System failure
- Vandalism
- Natural disasters
Due to its scope, a contingency plan places more emphasis on physical data security than on the online environment. By combining it with a solid incident response plan, you can safeguard data from most major threats.
HIPAA prescribes five elements of a contingency plan:
- Data backup plan
- Disaster recovery plan
- Emergency mode operation plan
- Testing and revision procedures
- Applications and data criticality analysis
The first three elements are required implementation specifications, meaning they must be implemented without exception. The other two are "addressable": you must assess whether each is reasonable and appropriate for your environment, implement it if so, and otherwise document why it isn't and put an equivalent alternative measure in place where that is reasonable. Addressable never means optional.
Developing HIPAA-compliant software: Common challenges
Due to its extensive scope, some of the most common obstacles you might encounter when implementing HIPAA include:
- Lack of direction and clarity: While HIPAA outlines its requirements clearly, implementation specifics lack the direction to simplify compliance. The regulation leaves considerable room for guesswork, which can slow down your development cycles and result in inadequate adherence.
- Laborious implementation and review processes: Defining and executing the relevant controls and procedures can require considerable time, even after understanding HIPAA's implementation specifics. It might also involve substantial legwork unless you automate your compliance workflows.
- Inefficient evidence collection: You must maintain sufficient evidence of the existence and effectiveness of HIPAA-related controls, which can be burdensome if you rely on disparate documentation systems and data sources.
- Continuous compliance monitoring: HIPAA's audit controls standard requires you to record and be able to examine activity in systems that contain ePHI, which in practice means logging who accessed or modified PHI, when, and from where. Maintaining and reviewing these logs by hand is error-prone and doesn't scale, so your software should emit structured, tamper-evident audit events from the start and feed them into an automated, repeatable review process.
Most of these challenges can be avoided by leveraging software-supported compliance. This can help you meet HIPAA’s requirements faster and with fewer resources.
Make your software HIPAA-compliant with Vanta
Vanta is an end-to-end trust management solution that automates up to 85% of the evidence collection necessary to demonstrate HIPAA compliance. It streamlines your compliance to improve workflow efficiency and save your security and compliance teams more time.
The platform does this through a dedicated HIPAA product, which helps you ensure adherence to HIPAA requirements across the development cycle. The product comes with various helpful features, such as:
- Technical and personal guidance for meeting HIPAA requirements
- Streamlined inventory management
- Automated access reviews
- Policy builder with HIPAA-specific templates
Schedule a custom HIPAA product demo to see these features in action and to learn precisely how they help software developers achieve and maintain HIPAA compliance.
A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.