Skip to content
lazy devs
5 min readLazy Devs

Building HIPAA-conscious software: what it actually means for your app

A plain-language guide for non-lawyer founders: what counts as PHI, the engineering practices that support HIPAA, what it does not magically require, and the honest framing nobody else gives you.

SecurityArchitecture

You have an idea for a health product. Somewhere between the pitch deck and the first line of code, someone says the word "HIPAA," and the room goes quiet. Suddenly you are reading dense legal pages at midnight, convinced that one wrong configuration will land you in court, and wondering whether you need a certification, a special server, or a lawyer on retainer before you can write a single endpoint.

Take a breath. HIPAA is far less mysterious than the panic around it suggests. It is a set of rules about how a particular kind of sensitive data is handled, and almost all of the engineering it implies is the same careful work you would want in any serious product anyway. The trap is not the rules themselves. It is misunderstanding what they ask of you, and then either over-building or under-building because nobody explained it in plain words. So let us do that.

First, the honest framing

We will say this clearly because too many vendors will not: a development team cannot make you "HIPAA compliant," and nobody is "HIPAA certified." There is no government badge to earn and no checkbox a contractor can tick on your behalf. Compliance is an organisational state involving your policies, your staff, your contracts, and your software together, and it is judged over time, not granted on launch day.

What a good engineering team can do is build software that supports your compliance. We can design the system so that access is controlled, data is encrypted, every record view is logged, and PHI does not leak into places it should not. That is real, valuable work. But the honest model is that we build alongside your compliance and legal people, not instead of them. Anyone who promises to make you compliant single-handedly is either confused or selling you something. The good news is that the part we own, the technical part, is concrete and very doable.

What actually counts as PHI

Most of the fear comes from not knowing where the regulated zone starts and ends. Protected health information, PHI, is health information that can be tied to a specific person. The "tied to a person" part matters as much as the "health" part.

A few examples make the line clearer:

  • This is PHI: a patient's name next to their diagnosis, an appointment that reveals someone is seeing an oncologist, a lab result attached to a record, a message from a patient describing symptoms, even an IP address or device ID bundled with health details.
  • This is usually not PHI: your marketing site, a blog post, aggregate statistics with no way to single anyone out, or a contact form that only collects a name and "I'd like a demo."

The practical move is the same one we recommend for any healthtech web app: draw a hard boundary around PHI and keep as little of your system inside it as you can. The smaller that zone, the smaller everything that follows, your cost, your testing burden, your risk surface. A scheduling feature that stores who is seeing which specialist is inside the boundary. A pricing page is not. Separating them is the single highest-leverage decision you will make.

The engineering practices that support it

Here is the part founders find reassuring: the technical work breaks down into a handful of well-understood practices, none of them exotic.

Data minimisation. The safest data is the data you never collected. Before you store a field, ask whether you actually need it. Every piece of PHI you hold is something you have to protect, log access to, and account for. Collecting less is not laziness; it is the cleanest form of risk reduction there is.

Encryption at rest and in transit. Data should be encrypted on the wire (HTTPS everywhere, no exceptions) and encrypted on disk in your database and file storage. On modern infrastructure this is mostly a configuration setting rather than a project, but it has to actually be switched on and verified, not assumed.

Access control that is real and server-side. "Logged in" is not an access rule. A nurse, a billing clerk, and a patient should see different slices of the same record, and those rules must be enforced on the server where the user cannot tamper with them. This is the kind of thing a solid security checklist keeps you honest about, and it is worth deciding the rules with whoever owns the clinical workflow before you write them.

Audit logging you cannot bypass. You need a record of who viewed which patient's data, when, and from where. The mistake is bolting this on at the end. Design it into your data access layer so that every read of PHI flows through one place that logs it, and a new feature added next year cannot quietly skip it. That single architectural choice does more for you than any amount of after-the-fact policing.

BAAs with every vendor that touches PHI. A business associate agreement is a contract that makes a vendor legally responsible for protecting the PHI you send them. Every system in the PHI path needs one: your database host, file storage, email provider, error tracker, analytics. Plenty of popular tools simply will not sign one, and you want to learn that on day one, not three weeks before a pilot. This shapes your stack as much as any technical decision, which is why we factor it into API and backend engineering from the start.

What HIPAA does NOT magically require

Equally important is what the rules do not demand, because over-building is its own expensive mistake.

You do not need a sprawling microservices architecture. A well-structured monolith with a clean PHI boundary is more than adequate for most early-stage products, and easier to reason about, which itself makes it safer. You do not need a custom-built compliance platform. You do not need to host on some special, eye-wateringly expensive "HIPAA server", the major cloud providers will sign a BAA for their eligible services, and that is the same infrastructure everyone else uses. And a "HIPAA-eligible hosting" badge is not a finish line; it covers the floor, not your application code. Your app can still leak PHI through an over-broad API response or a logged URL on perfectly compliant infrastructure.

The reflex to over-engineer usually comes from fear. But complexity you do not need is just more surface to secure, more code to test, and more places for a leak to hide. Build the boundary, then keep the inside of it as simple and boring as you can.

How to work with your compliance people

Because the technical and the organisational halves have to meet, the best results come from treating your compliance or legal advisor as part of the build, not a gate at the end. Bring them the questions engineering raises: which vendors are we sending PHI to, what does our access matrix look like, how long do we keep records. Bring engineering the answers: who is allowed to see what, what has to be logged, what cannot be stored at all.

This is exactly where a short technical consulting engagement earns its keep. A few days mapping your PHI flow and your vendor list before you commit to an architecture will save you from the most expensive outcome in this whole space: discovering the boundary was in the wrong place after the system is built, and paying to do it twice.

The takeaway

HIPAA-conscious software is not a dark art, and it is not a certification you buy. It is a clear boundary drawn around the data that identifies real people's health, a short list of solid engineering practices inside that boundary, signed paperwork with every vendor in the path, and an audit trail you cannot route around. Do less where you can, encrypt and log where you must, and keep the regulated zone small.

And remember the honest framing: we build software that supports your compliance, working alongside the people who own the legal and organisational side. We will not promise to make you compliant, because no engineering team truthfully can. What we will do is hand you a system designed so the technical part is solid, and explain every choice in plain English.

If you are building something in health and want a clear-eyed read on your architecture before you lock it in, tell us what you are working on. That is the good kind of lazy: getting the boundary right once so you never pay to move it later.

Related service

API & Backend Engineering

Secure, well-documented APIs that scale.

Learn more

Keep reading

4 min read

Web development for insurance and insurtech

Quote-and-bind flows, agent and policyholder portals, and rating integrations, built by a team that treats sensitive data and compliance as engineering, not paperwork.

SecurityAPI
4 min read

Software for construction and field-service teams still stuck on paper

How trades, construction, and field-service businesses move off whiteboards and spreadsheets to job scheduling, mobile apps for crews, offline support, quoting, and photo capture.

ArchitectureBackend

Want this built right?

This is the work we do every day. Tell us what you are building and we will show you exactly how we would ship it.

Start a project

hello@lazydevsagency.com