
HIPAA Compliance for Software Development

HIPAA compliance for software development is an important consideration for vendors and service providers who intend to develop or provide software for the healthcare and health insurance industries that will be used to create, receive, store, or transmit Protected Health Information. However, software HIPAA compliance is rarely the only consideration.

When software is developed or provided for use in the healthcare and health insurance industries, there are two factors that determine whether HIPAA compliance for software development is necessary. Will the software be used by a HIPAA covered entity or business associate? If so, will the software be used to create, receive, store, or transmit Protected Health Information (PHI)?

If the answer to both of these questions is “yes”, it is then necessary to determine the degree of software HIPAA compliance. For example, if the software has transient access to PHI, it will only be necessary for it to have capabilities that protect the confidentiality, integrity, and availability of PHI in transit, and that support end user compliance with the Administrative Safeguards of the HIPAA Security Rule.

However, if the software has persistent access to PHI, it will be necessary for the vendor or service provider to comply with all applicable HIPAA Administrative Simplification Regulations. These include, but are not limited to, implementing physical HIPAA safeguards, entering into upstream and downstream Business Associate Agreements, and developing a HIPAA compliance program.


The Minimum HIPAA Compliant Software Requirements

The minimum requirements for HIPAA compliant software apply when software has transient access to PHI. In this scenario, the software provides a temporary conduit to PHI, and any access to PHI is incidental to the service being provided. Examples of software that qualify as temporary conduits include data transmission software that uses short-lived tokens which expire when each transaction is complete.

Although vendors of software with transient access to PHI do not qualify as business associates, if the software is used by a HIPAA covered entity or business associate to send, receive, or transmit PHI, the software must meet minimum requirements to fulfil the end user’s HIPAA compliance obligations. These requirements include user authentication controls, access, audit, and integrity controls, and encryption.

In addition, the software may have to support the end user’s compliance with Administrative Safeguards such as log-in monitoring, information system activity reviews, and emergency mode operation planning. The end user may also have other regulatory compliance requirements depending on the functions being performed by the software – for example, if used as part of a CMS Emergency Preparedness Plan.

Business Associate HIPAA Compliance for Software Development

Most software designed for the healthcare and health insurance industries that creates, receives, stores, or transmits PHI has persistent access to data. In these circumstances, the software vendor or service provider qualifies as a HIPAA business associate to the end user and must implement safeguards beyond – but still including – the minimum HIPAA compliant software requirements discussed above.

Physical HIPAA Safeguards

The physical HIPAA safeguards require that any facility in which HIPAA software development takes place, any facility in which servers that maintain PHI are located, and any facility in which systems or devices with access to PHI are located be secured from unauthorized access, tampering, or theft. Procedures must also be implemented to validate user access to these facilities and to manage the maintenance, removal, and disposal of media and devices.

Business Associate Agreements

As well as entering into Business Associate Agreements with upstream end users (i.e., healthcare organizations), software vendors and service providers must also enter into Business Associate Agreements with downstream subcontractors to whom PHI is disclosed. For example, if the software stores PHI in an Amazon S3 bucket, the software vendor or service provider must also have a Business Associate Agreement in place with Amazon Web Services.

Develop a HIPAA Compliance Program

As a business associate, the software vendor or service provider must develop a HIPAA compliance program that covers its own Administrative Safeguard compliance obligations (i.e., risk assessments, workforce training, data backup, etc.), plus any other applicable areas of HIPAA compliance for software vendors, and any unique requirements of the upstream end user as documented in the upstream Business Associate Agreement.

Other Considerations for Software Vendors and Service Providers

Software vendors and service providers with previous experience of HIPAA compliant software development will be aware that there is no one-size-fits-all playbook for HIPAA software development. There are many scenarios in which the need to be HIPAA compliant is circumstance-specific, or in which additional safeguards must be built into HIPAA compliant software to prevent impermissible disclosures.

Collaborations with In-House Developers

There has been a notable uptick in collaborations between IT consulting companies and in-house software developers to create innovative and customized healthcare solutions while leveraging each party’s strengths. In these cases, the responsibility for software HIPAA compliance can depend on whether the software has transient or persistent access to PHI and the HIPAA knowledge of the IT consulting company.

HIPAA Compliance for mHealth Apps

mHealth apps that are developed on behalf of a HIPAA covered entity are required to fulfil the minimum HIPAA compliant software requirements if PHI is collected by the app and sent directly to end users’ servers. However, if an mHealth app developer has persistent access to PHI, they are required to comply with all applicable HIPAA software development guidelines and enter into a Business Associate Agreement with the end user.

Anonymizing PHI to Use with AI Platforms

AI platforms use vast data sets from multiple sources to train the technology for its intended purpose. One of the risks of using PHI with AI-driven software is that some of the vast data sets used to train the technology likely included “healthcare adjacent data”. PHI data sets used with AI platforms could be compromised by the healthcare adjacent data and, for this reason, the potential anonymization of PHI should be factored into HIPAA compliance for software development.

The Benefits of HIPAA Certification for Software

HIPAA compliance certification for software offers a range of benefits for software vendors and service providers. By achieving a HIPAA certification for software, vendors and service providers send a strong message to healthcare and health insurance organizations that their operations and their software comply with all applicable HIPAA Administrative Simplification Regulations.

With the proposed update to the HIPAA Security Rule likely to be finalized in the near future, many HIPAA covered entities will require their technology partners to have HIPAA compliant solutions. HIPAA compliance certification for software can act as a market differentiator in these circumstances – opening doors to new customers and collaborations. This competitive edge could be especially valuable in a crowded market where trust and data security are key decision factors.

Software vendors and service providers who would like to know more about HIPAA compliance for software development, building HIPAA compliant software, and achieving HIPAA certification for software are advised to seek independent compliance advice. As HIPAA regulations evolve, having certified HIPAA compliance for software can make it easier for vendors and service providers to adapt to new legal requirements and streamline the due diligence process during sales negotiations.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
