Building software that handles Protected Health Information (PHI) means navigating one of the most complex regulatory frameworks in technology. HIPAA compliance isn't a checkbox — it's an architecture decision, a development practice, a deployment strategy, and an ongoing operational commitment.
This guide covers everything developers and healthcare organizations need to know about building HIPAA-compliant applications in 2026, including the latest Security Rule changes, the technology choices that make compliance easier (or harder), and the outsourcing risks that most organizations underestimate.
Understanding HIPAA: The Three Rules That Matter
HIPAA is not a single regulation — it's a framework of rules, each addressing different aspects of health information protection.
The Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164)
The Privacy Rule governs how PHI can be used and disclosed. Key requirements for software developers:
- Minimum Necessary Standard: Your application should only access the minimum PHI necessary to accomplish its purpose. If your scheduling app doesn't need diagnosis codes, don't request them.
- Patient rights: Patients can request access to their PHI, request amendments, and receive an accounting of disclosures. Your app must support these workflows.
- De-identification: If you need data for analytics or development, you must strip all 18 HIPAA identifiers (Safe Harbor method) or obtain Expert Determination from a qualified statistician.
The Security Rule (45 CFR Part 160 and Subparts A and C of Part 164)
The Security Rule requires administrative, physical, and technical safeguards for electronic PHI (ePHI). This is where software architecture decisions matter most.
Administrative Safeguards:
- Risk analysis and management (annual under the 2026 update)
- Workforce training and security awareness
- Contingency planning (data backup, disaster recovery, emergency mode operations)
- Business Associate Agreements with all vendors handling PHI
Physical Safeguards:
- Facility access controls
- Workstation security
- Device and media controls (disposal, re-use, data backup)
Technical Safeguards:
- Access controls (unique user IDs, emergency access, automatic logoff, encryption)
- Audit controls (hardware, software, and procedural mechanisms to record PHI access)
- Integrity controls (mechanisms to protect ePHI from improper alteration or destruction)
- Transmission security (encryption and integrity controls for ePHI in transit)
- Authentication (verify that a person seeking access to ePHI is who they claim to be)
The Breach Notification Rule (45 CFR Part 160 and Subpart D of Part 164)
If a breach of unsecured PHI occurs:
- Individual notification: Within 60 days of discovery, to each affected individual
- HHS notification: Within 60 days for breaches affecting 500+ individuals; annually for smaller breaches
- Media notification: For breaches affecting 500+ individuals in a single state/jurisdiction
The 2026 HIPAA Security Rule Update
The 2026 update to the Security Rule introduces the most significant changes since the HITECH Act. Key changes affecting software development:
Mandatory Encryption
Encryption is no longer "addressable" — it's required. All ePHI must be encrypted:
- At rest: AES-256 minimum for stored data
- In transit: TLS 1.3 for all network communication
- In use: Consider memory encryption for high-sensitivity applications
Multi-Factor Authentication (MFA)
MFA is now required for all users accessing systems containing ePHI. This means:
- Biometric authentication (Face ID, Touch ID) for mobile apps
- Hardware tokens or authenticator apps for web dashboards
- No SMS-based 2FA (SIM swap vulnerability)
Patch Management Timelines
Organizations must now patch critical vulnerabilities within defined timelines:
- Critical (CVSS 9.0+): Within 15 days
- High (CVSS 7.0-8.9): Within 30 days
- Medium (CVSS 4.0-6.9): Within 90 days
Continuous Monitoring
Annual risk assessments are no longer sufficient. The 2026 rule requires:
- Continuous monitoring of security controls
- Automated vulnerability scanning
- Real-time intrusion detection
- 72-hour incident response activation (down from the previous vague "reasonable" timeline)
Annual Risk Assessments
Risk assessments must now be conducted annually (previously "periodic") and must include:
- Asset inventory of all systems containing ePHI
- Threat identification and vulnerability assessment
- Risk determination with likelihood and impact ratings
- Risk mitigation planning with specific timelines
- Documentation retention for 6 years
Technical Architecture for HIPAA Compliance
HIPAA compliance starts at the architecture level. Bolting security onto an existing application is always more expensive and less effective than building it in from day one.
Data Classification
Before writing any code, classify your data:
| Classification | Examples | Requirements |
|---|---|---|
| PHI | Patient names, diagnoses, medications, lab results | Full HIPAA controls |
| De-identified | Aggregated statistics, anonymized datasets | Verify 18 identifiers removed |
| Operational | User accounts, app settings, logs without PHI | Standard security practices |
| Public | Marketing content, documentation | No special requirements |
Encryption Implementation
At rest:
- Database: Enable Transparent Data Encryption (TDE) or application-level encryption
- File storage: Server-side encryption with customer-managed keys (SSE-CMK)
- Mobile: iOS Data Protection (Complete Protection class for PHI)
- Backups: Encrypt all backups with separate key management
In transit:
- API communication: TLS 1.3 with certificate pinning for mobile apps
- WebSocket connections: WSS (WebSocket Secure) only
- Internal services: Mutual TLS (mTLS) between microservices
- Email: Never send PHI via unencrypted email
Key management:
- Use AWS KMS, Azure Key Vault, or HashiCorp Vault
- Rotate encryption keys annually
- Separate keys per tenant in multi-tenant architectures
- Document key management procedures
Access Control Architecture
Role-Based Access Control (RBAC):
| Role | Access Level | Example Permissions |
|---|---|---|
| Patient | Own records | View vitals, update profile, message provider |
| Nurse | Assigned patients | View/update vitals, document assessments |
| Physician | Department patients | Full clinical access, prescribe, order tests |
| Admin | System-wide | User management, configuration, audit reports |
| Developer | No PHI access | Logs (without PHI), metrics, synthetic test data |
Implementation requirements:
- Unique user identifiers (no shared accounts)
- Automatic session timeout (configurable per role)
- Emergency access ("break the glass") with mandatory documentation
- Access review and recertification quarterly
Audit Logging
The Security Rule requires audit trails for all ePHI access. Your logging must capture:
- Who: User identity (unique ID, not just username)
- What: Action performed (read, create, update, delete)
- When: Timestamp with timezone
- Where: IP address, device identifier, geographic location
- Which: Specific records accessed (patient ID, data type)
- Why: Clinical context or access justification (for break-the-glass events)
Audit logs must be:
- Tamper-evident (append-only, cryptographically signed)
- Retained for minimum 6 years
- Reviewed regularly for suspicious patterns
- Available for HHS investigation
Why Your Technology Stack Matters: Elixir Phoenix for Healthcare
The technology you choose for your healthcare backend directly impacts your HIPAA compliance posture. We build healthcare applications on Elixir Phoenix for specific, technical reasons.
The BEAM VM: Built for Systems That Cannot Fail
Elixir runs on the BEAM (Bogdan/Bjorn's Erlang Abstract Machine), originally designed by Ericsson for telecom infrastructure requiring extreme reliability. Ericsson's AXD301 switch, running over 2 million lines of Erlang code, achieved 99.9999999% uptime (nine nines) over a 20-year period.
This architecture provides healthcare-specific benefits:
Process isolation eliminates cascading failures:
Each patient session, API request, and background task runs as its own lightweight BEAM process (~2KB memory). If one process crashes — bad data from a faulty device, unexpected input format, transient network error — only that process is affected. All other patient sessions continue uninterrupted.
Compare this to a Node.js server where an unhandled exception crashes the entire process, disconnecting all patients. Or a Java application where a thread pool exhaustion blocks the entire application.
Per-process garbage collection protects real-time data:
The BEAM performs garbage collection per-process, pausing only the affected process for microseconds. Traditional runtimes (JVM, .NET, V8) perform stop-the-world GC pauses that can freeze all connections for hundreds of milliseconds. When displaying real-time cardiac rhythm data or processing vital sign alerts, that pause matters.
Supervision trees provide automatic recovery:
OTP supervision trees monitor processes and restart them automatically on failure. A supervisor can be configured to:
- Restart only the failed process (
one_for_one) - Restart all related processes (
one_for_all) - Restart the failed process and all processes started after it (
rest_for_one)
This means your healthcare application self-heals without human intervention, without paging anyone at 3 AM, and without any visible impact on other users.
Hot code upgrades for zero-downtime patches:
The BEAM supports hot code swapping — updating running code without stopping the application. For healthcare systems that cannot schedule maintenance windows (24/7 telemedicine, ICU monitoring), this means security patches deploy without interrupting active patient sessions.
Phoenix LiveView: PHI Stays Server-Side
Phoenix LiveView provides rich, interactive UIs with a critical HIPAA advantage: PHI never lives in client-side JavaScript state.
In a traditional React or Vue application, patient data is fetched via API, stored in Redux/Zustand, cached in the browser, and rendered client-side. That means PHI exists in browser memory, potentially in localStorage, and in any client-side error reporting tools.
With LiveView:
- The server renders HTML and sends it over a persistent WebSocket connection
- The browser receives rendered HTML, not raw data
- State changes trigger minimal HTML diffs sent over the wire
- No client-side data store to secure, encrypt, or clear
This significantly simplifies HIPAA compliance for web dashboards, provider portals, and patient-facing interfaces.
Real-Time Telemedicine with elixir-webrtc
For HIPAA-compliant telemedicine video, we use elixir-webrtc, a native Elixir WebRTC implementation. Each peer connection runs as an isolated BEAM process, and the Membrane framework provides server-side media pipelines for encrypted session recording — all within the same application, without external media servers that would need separate BAA coverage.
The Outsourcing Problem: HIPAA and Offshore Development
One of the most significant — and most overlooked — HIPAA compliance risks is where your development team is located.
The Core Legal Problem
HIPAA follows the PHI, not geography. If a US covered entity stores, accesses, or transmits PHI overseas, HIPAA obligations still attach. However, HIPAA does not have explicit extraterritorial reach for enforcement.
The dangerous gap: The legal obligation exists, but the enforcement mechanism does not cross borders.
HHS Office for Civil Rights (OCR) has untested jurisdiction over foreign entities. Healthcare compliance attorneys note that OCR "probably wouldn't go after an offshore company unless it was phenomenally egregious." All risk remains on the US covered entity. If an offshore business associate breaches data, the covered entity is "on the hook." A covered entity could be "out of luck if the vendor is located in a lawless jurisdiction."
Business Associate Agreement Enforcement
Under the HIPAA Omnibus Rule (2013), any entity handling PHI on behalf of a covered entity must execute a BAA. This includes offshore development teams who may access staging environments containing real or poorly de-identified patient data.
The enforcement reality:
- BAAs signed with entities in many developing nations are effectively unenforceable in foreign courts
- No requirement exists for vendors to disclose that they use offshore resources — a domestic vendor may sub-contract to offshore teams without disclosure
- HIPAA penalties fall on the covered entity regardless of where the breach occurred: fines from to ,000 per violation, annual maximums of .5 million per category
Data Sovereignty Conflicts
| Region | Law | Conflict with HIPAA |
|---|---|---|
| EU (GDPR) | Stricter cross-border transfer restrictions | GDPR's broad personal data definition conflicts with HIPAA's narrower PHI scope. The EU-US Data Privacy Framework does not fully address health-specific requirements |
| China (PIPL) | Strict data localization | Directly contradicts HIPAA's allowance for international transfers |
| India | Proposed data protection bill | Creates compliance dilemma for US entities using Indian development teams |
| Russia (152-FZ) | Domestic storage required | Effectively prevents using Russian teams for PHI-adjacent work |
Developer PHI Access: The Hidden Risk
Offshore development teams frequently need access to data that looks like production data for testing and debugging. HIPAA requires:
- Test environments must never contain raw PHI
- Use synthetic data or properly de-identified data (Safe Harbor: strip 18 identifiers)
- If production data is necessary for debugging, it requires formal approval, isolated environments, and immediate deletion after use
- Every developer with PHI access must be covered by a BAA and trained on HIPAA
When an offshore team has VPN access to a staging environment with real patient data, that constitutes PHI access. Every developer must be covered.
Breach Notification Across Jurisdictions
HIPAA requires breach notification within 60 days. But:
- GDPR requires 72-hour notification to supervisory authorities
- PIPL has its own timeline
- An offshore vendor may face conflicting obligations about who to notify first
Our Approach: Domestic Development Only
At Of Ash and Fire, all healthcare development is performed by US-based engineers under direct BAA coverage. We:
- Never use offshore subcontractors for PHI-adjacent work
- Use only synthetic test data in development environments
- Maintain comprehensive audit trails for every system access
- Provide full transparency into our development team and infrastructure
Business Associate Agreement Checklist
Every vendor that touches PHI needs a BAA. Common vendors that require BAAs:
- Cloud infrastructure (AWS, Azure, GCP)
- Database hosting provider
- Email service (if sending PHI-containing messages)
- SMS/notification service (if messages contain PHI)
- Analytics platform (if tracking health-related events)
- Error monitoring/logging service (if logs could contain PHI)
- Video conferencing provider (for telemedicine)
- Payment processor (if processing health-related payments)
- Customer support platform (if support agents access PHI)
- Backup and disaster recovery provider
Critical: A BAA is required even if the vendor claims they "don't look at" your data. The obligation is triggered by access capability, not actual access.
Development Best Practices
Secure Development Lifecycle
- Requirements: Identify PHI touchpoints, compliance requirements, and threat model
- Design: Architecture review with security focus, HIPAA control mapping
- Development: Secure coding standards, no PHI in logs, encrypted connections
- Testing: Synthetic data only, penetration testing, HIPAA compliance scan
- Deployment: Encrypted pipelines, infrastructure-as-code, minimal access
- Operations: Continuous monitoring, incident response plan, regular audits
Common Development Mistakes
Logging PHI: Never log patient names, diagnoses, or other identifiers. Log patient IDs that can be cross-referenced through audited channels.
Hardcoded credentials: Use environment variables or secrets management. Never commit credentials, API keys, or encryption keys to source control.
Overly permissive access: Developers should never have production PHI access. Use synthetic data for development and testing.
Missing audit trails: Every PHI access must be logged. This includes read operations, not just writes.
Insufficient session management: Sessions must timeout after inactivity. Implement proper session invalidation on logout.
Compliance Testing and Validation
Pre-Launch Checklist
- Encryption at rest verified (AES-256 minimum)
- Encryption in transit verified (TLS 1.3)
- MFA implemented for all user roles
- RBAC implemented and tested
- Audit logging capturing all required fields
- Session timeout configured per role
- Automatic logoff on inactivity
- Emergency access ("break the glass") procedure documented
- Data backup and recovery tested
- Incident response plan documented
- Penetration test completed (within last 12 months)
- BAAs executed with all vendors
- Risk assessment documented
- Workforce training completed
- Privacy notice published
Ongoing Compliance
- Annual risk assessment (required under 2026 update)
- Quarterly access reviews
- Monthly vulnerability scanning
- Continuous monitoring of security controls
- Annual penetration testing
- Workforce training updates when policies change
- BAA review when vendors change or renew
Cost of HIPAA Compliance
HIPAA compliance typically adds 15-25% to development costs. Here's where that investment goes:
| Component | Estimated Cost | Frequency |
|---|---|---|
| Security architecture design | ,000-,000 | One-time |
| Encryption implementation | ,000-,000 | One-time |
| Audit logging system | ,000-,000 | One-time |
| Penetration testing | ,000-,000 | Annual |
| Risk assessment | ,000-,000 | Annual |
| Compliance monitoring tools | -,000/month | Ongoing |
| BAA management | ,000-,000 | Annual |
| Workforce training | ,000-,000 | Annual |
Compare this to the cost of non-compliance:
- Average healthcare data breach cost: .93 million (IBM, 2025)
- HIPAA penalties: -,000 per violation, up to .5M per category per year
- Criminal penalties: Up to ,000 and 10 years imprisonment
- Reputational damage: Incalculable
Getting Started
Building HIPAA-compliant applications requires expertise in both healthcare regulations and secure software architecture. Our discovery process helps healthcare organizations map compliance requirements to technical implementation.
Whether you're building a patient portal, telemedicine platform, clinical decision support tool, or medical device software, contact us to discuss how we can build a HIPAA-compliant solution with the fault tolerance and real-time capabilities that healthcare demands.