A plain language guide to what HIPAA means for engineering teams that handle patient data.
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that sets standards for protecting sensitive patient health information. The part that matters most for engineering teams is the HIPAA Security Rule (45 CFR Part 164), which defines administrative, physical, and technical safeguards for electronic Protected Health Information (ePHI).
Electronic Protected Health Information (ePHI) is any individually identifiable health information that is created, stored, transmitted, or received electronically. This includes:
If your application stores, processes, or transmits any of this data, HIPAA applies to your code.
The Security Rule defines 14 categories of safeguards. Here are the ones most relevant to software engineering:
164.502: Defines when and how protected health information may be used or disclosed. Covered entities must limit use of PHI to the minimum necessary for the intended purpose. Code that exposes patient identifiers (names, SSNs, medical records) in API responses, logs, or error messages violates this standard.
164.312(a)(1): Only authorized users should access ePHI. Implement role-based access, unique user IDs, automatic session timeouts, and emergency access procedures.
164.312(a)(2)(iv): Encrypt ePHI at rest and in transit using industry-standard algorithms (AES-256, RSA). Never hardcode encryption keys in source code.
164.312(b): Record and examine activity in systems that contain ePHI. Log who accessed what, when, and what actions they took. Logs must be tamper-resistant.
164.312(c)(1): Protect ePHI from improper alteration or destruction. Validate data at rest and implement checksums or digital signatures where appropriate.
164.312(d): Verify the identity of anyone seeking access to ePHI. Use strong authentication: passwords plus multi-factor authentication, biometrics, or hardware tokens.
164.312(e)(1): Protect ePHI in transit over electronic networks. Use TLS/HTTPS for all transmissions. Never send ePHI in URL parameters, unencrypted emails, or plaintext logs.
164.310(d)(2)(i): Implement policies and procedures for the final disposition of ePHI and the hardware or media on which it is stored. Code that stores ePHI must include expiration policies, cleanup routines, and proper disposal mechanisms.
164.308(a)(3): Ensure that only authorized workforce members have access to ePHI based on their role. Implement least-privilege access patterns.
164.308(a)(6): Identify, respond to, and mitigate security incidents. Implement monitoring, alerting, and incident response workflows.
Most HIPAA violations in code are not malicious. They're oversights. A developer logs patient data to the console for debugging and forgets to remove it. An API endpoint returns the full patient record when the client only needs the name. A database migration adds a column for SSN without encryption.
These mistakes are easy to make and hard to catch in manual code review, because reviewers are focused on logic and functionality, not regulatory compliance. Automated HIPAA-aware code review catches them at the PR stage, before the code reaches production, before patients are affected, and before the audit.
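Two of the oversights above (patient data logged for debugging, an endpoint returning the full record) can be closed off in code rather than caught in review. The following is an added example, not Complint's code or anything from the Security Rule: a logging filter that redacts known ePHI fields and bare SSNs before a record is emitted, and a minimum-necessary projection that returns only the fields a role is permitted and records the access. The field names, role policy and sample record are assumptions constructed for the example.

```python
import logging
import re

# Field names this application treats as ePHI identifiers (assumed for the example).
EPHI_FIELDS = ("name", "ssn", "dob", "mrn", "diagnosis")
# US SSN written as 123-45-6789 (constructed pattern; extend for your own identifiers).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# A known ePHI field followed by = or :, as in key=value, "key": "value" or a dict repr.
FIELD_RE = re.compile(
    r"(\b(?:" + "|".join(EPHI_FIELDS) + r")[\"']?\s*[=:]\s*)(\"[^\"]*\"|'[^']*'|[^\s,;}]+)",
    re.IGNORECASE,
)

def redact(text: str) -> str:
    """Mask labelled ePHI values first, then any bare SSN left in the text."""
    text = FIELD_RE.sub(r"\1[REDACTED]", text)
    return SSN_RE.sub("[SSN REDACTED]", text)

class EphiRedactingFilter(logging.Filter):
    """Redacts every record on the way out, so a forgotten debug log cannot leak ePHI."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None  # message is already interpolated above
        return True

# Minimum-necessary policy: the fields each role may receive (assumed for the example).
ROLE_FIELDS = {
    "scheduler": {"patient_id", "name"},
    "clinician": {"patient_id", "name", "dob", "diagnosis"},
    "billing": {"patient_id", "name", "ssn"},
}
audit = logging.getLogger("ephi.audit")  # records who saw which fields of which patient

def minimum_necessary(record: dict, role: str, requested=None) -> dict:
    """Project a patient record onto the fields the role may see, narrowed further to
    what the client asked for. Unknown roles get nothing; every access is audited."""
    allowed = ROLE_FIELDS.get(role, set())
    wanted = allowed if requested is None else allowed & set(requested)
    audit.info("role=%s patient_id=%s fields=%s", role, record.get("patient_id"), sorted(wanted))
    return {k: v for k, v in record.items() if k in wanted}
# Constructed sample record; not real patient data.
SAMPLE_PATIENT = {"patient_id": "P-1001", "name": "Jane Doe", "ssn": "123-45-6789",
                  "dob": "1980-02-03", "diagnosis": "E11.9"}

if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(EphiRedactingFilter())  # filters must sit on the handler to cover child loggers
    logging.basicConfig(level=logging.INFO, handlers=[handler])
    logging.info("debug dump: %s", SAMPLE_PATIENT)  # the forgotten debug line, now redacted
    print(minimum_necessary(SAMPLE_PATIENT, "scheduler"))
```

The filter is a safety net for the logging mistake; the projection is the API-side control, and a reviewer can check that every endpoint returning patient data passes through it.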
Any organization that handles ePHI is a covered entity or a business associate. If your company has signed a Business Associate Agreement (BAA) with a healthcare provider, health plan, or clearinghouse, HIPAA applies to your engineering team. This includes SaaS companies, infrastructure providers, analytics platforms, and any vendor that touches patient data.
Complint automates HIPAA-aware code review on every pull request. It reads the diff, retrieves relevant regulatory context, and flags violations with specific CFR citations and suggested fixes. Install the GitHub App and the next PR gets reviewed automatically.