HIPAA for Developers
A practical guide to HIPAA compliance for developers building healthcare apps. What you need to build, what to avoid, and where most apps fail.
What Counts as Protected Health Information (PHI)?
PHI is any health information combined with one of 18 identifiers that can link it to an individual. Health data alone isn't PHI—it becomes PHI when tied to a person. These are the 18 identifiers:
If you remove all 18 identifiers following the Safe Harbor method, the data is considered de-identified and HIPAA no longer applies.
The Five HIPAA Rules That Affect Your Code
Privacy Rule
Governs who can access PHI and under what circumstances. Defines the 18 identifiers that make health data 'protected.'
Security Rule
Requires administrative, physical, and technical safeguards to protect electronic PHI (ePHI).
Breach Notification Rule
Requires notification within 60 days of discovering a breach. Over 500 affected individuals triggers media notification.
Minimum Necessary Rule
Only the minimum amount of PHI needed for a task should be used or disclosed.
Business Associate Agreement (BAA)
Any vendor that handles PHI on your behalf must sign a BAA. This includes your cloud provider, database host, and email service.
Technical Safeguards You Must Implement
Access Control
Unique user IDs, emergency access procedures, automatic logoff, encryption/decryption of ePHI.
Audit Controls
Record and examine access to ePHI. Log who accessed what, when, and from where. Retain logs for 6 years.
Integrity
Protect ePHI from improper alteration or destruction. Implement checksums, version history, or write-once audit logs.
Transmission Security
TLS 1.2+ for all data in transit. Encrypt ePHI in emails, API calls, and file transfers. No PHI over unencrypted channels.
Encryption at Rest
Addressable (not required, but you must document why if you skip it). In practice, always encrypt. Use AES-256 for database fields containing PHI.
Person or Entity Authentication
Verify identity of anyone accessing ePHI. Multi-factor authentication is strongly recommended. Password policies must meet NIST 800-63B.
"Addressable" doesn't mean optional. It means you must implement the safeguard or document why an alternative is equally effective.
Common HIPAA Mistakes in Vibe-Coded Apps
- Using free-tier databases without a BAA (Supabase free, Firebase Spark, free Postgres hosts)
- Logging PHI to console.log or application monitoring tools without redaction
- No audit trail—HIPAA requires logging every access to PHI for 6 years
- Storing PHI in client-side state (localStorage, cookies, or Redux) where it persists on the device
- No automatic session timeout—HIPAA requires idle sessions to be terminated
- Sending PHI via email or SMS without encryption (e.g., appointment reminders with diagnosis info)
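The second mistake in the list, PHI leaking into console.log and monitoring tools, is best fixed at a single choke point that every log call goes through. The redactor below is an added example (not code from the page or from VAS); the field names it treats as PHI and the patterns it scrubs are assumptions that a real app would extend to match its own schema.

```javascript
// Added example: redact PHI before it reaches console.log or a monitoring tool.
// Two layers: known PHI fields are replaced by name (case-insensitive), and
// identifier patterns (SSN, email, phone) are scrubbed out of free-text values.
const PHI_FIELDS = new Set(['ssn', 'dob', 'email', 'phone', 'diagnosis', 'mrn', 'name', 'address']);

// Assumed patterns; US-style formats only. Order matters: SSN is scrubbed
// before phone so the 3-2-4 digit form is never mistaken for a phone number.
const PATTERNS = [
  [/\b\d{3}-\d{2}-\d{4}\b/g, '[SSN]'],
  [/\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/g, '[EMAIL]'],
  [/\(?\b\d{3}\)?[ -]?\d{3}-\d{4}\b/g, '[PHONE]'],
];

function scrubText(text) {
  return PATTERNS.reduce((s, [re, label]) => s.replace(re, label), text);
}

// Recursively returns a redacted copy; the input object is never mutated.
function redactPHI(value) {
  if (typeof value === 'string') return scrubText(value);
  if (Array.isArray(value)) return value.map(redactPHI);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = PHI_FIELDS.has(k.toLowerCase()) ? '[REDACTED]' : redactPHI(v);
    }
    return out;
  }
  return value; // numbers, booleans, null pass through unchanged
}

// Drop-in replacement for console.log in request handlers and error paths.
function safeLog(label, payload) {
  const safe = redactPHI(payload);
  console.log(label, JSON.stringify(safe));
  return safe;
}

// Constructed sample request body (hypothetical patient data).
function demo() {
  return safeLog('appointment-request', {
    mrn: 'A-4821',
    note: 'Call 555-123-4567 re ssn 123-45-6789, jane@example.com',
    patient: { DOB: '1980-01-01', visitType: 'follow-up' },
    history: ['prior contact (555) 987-6543'],
  });
}
```

The same function should wrap whatever error-reporting or APM client the app uses, since those tools receive the same request objects that console.log does.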
Check Your App's Security Posture
HIPAA requires technical safeguards including encryption, access controls, and audit logging. VAS scans for vulnerabilities that could lead to PHI exposure—a core HIPAA concern.
VAS identifies security vulnerabilities that could put PHI at risk. For a full HIPAA risk assessment, work with a qualified compliance consultant.
Frequently Asked Questions
Does HIPAA apply to my app?
If your app creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a covered entity (healthcare provider, health plan, or healthcare clearinghouse), yes. This includes patient portals, telehealth apps, appointment scheduling with health data, fitness apps that share data with doctors, and mental health platforms. If you only handle de-identified data with all 18 identifiers removed, HIPAA does not apply.
What are the penalties for HIPAA violations?
Fines range from $100 to $50,000 per violation, up to $1.5 million per violation category per year. There are four tiers: Tier 1 (didn't know) $100-$50K, Tier 2 (reasonable cause) $1K-$50K, Tier 3 (willful neglect, corrected) $10K-$50K, Tier 4 (willful neglect, not corrected) $50K. Criminal penalties can include up to 10 years imprisonment for intentional misuse of PHI.
Can I use Supabase or Firebase for a HIPAA app?
Yes, but only on plans that include a Business Associate Agreement (BAA). Supabase offers BAAs on Team and Enterprise plans. Google Cloud (Firebase) offers BAAs but you must explicitly request and sign one. Free tiers do not include BAAs. You also need to configure the platform correctly—enable encryption, set up proper RLS policies, and disable features that might expose PHI (like Supabase's dashboard data viewer for non-admin users).
Do I need to encrypt everything?
Encryption in transit (TLS) is required. Encryption at rest is 'addressable'—meaning you must either implement it or document why you didn't and what alternative safeguard you use instead. In practice, always encrypt at rest. The cost and complexity are minimal compared to the risk. Use AES-256 for PHI fields and ensure your database and backups are encrypted.
What's a Business Associate Agreement (BAA)?
A BAA is a contract between a covered entity and any vendor that handles PHI on their behalf. It requires the vendor to safeguard PHI, report breaches, and comply with HIPAA. You need BAAs with your cloud provider, database host, email service (if sending PHI), analytics tools (if they can access PHI), and any other third-party service that touches patient data. No BAA = you can't use that service for PHI.
How long do I need to keep audit logs?
HIPAA requires you to retain documentation for 6 years from when it was created or last in effect. This includes policies, audit logs, risk assessments, and BAAs. Your audit logs should record who accessed PHI, what was accessed, when, and from what location/device.
Last updated: February 25, 2026