What are my options for developing a HIPAA compliant application?

When building a HIPAA compliant application, your non-technical team should handle HIPAA’s administrative requirements. Developers should focus on the physical and technical safeguards of the HIPAA Security Rule.


There are three main paths for building a HIPAA compliant application:

  • Decide that you’re not going to have PHI in your system, so you don’t need to worry about HIPAA compliance. This is the easiest choice, but remember, there’s no safe harbor with HIPAA: not intending to handle PHI doesn’t opt you out of the compliance requirements if PHI ends up in your system anyway.
  • Decide that you’ll build out the compliance requirements yourself. Many of the safeguards (login, auto-logout, etc.) are standard parts of today’s apps, and you can build them into your core infrastructure. Others are not so easy to build and maintain.
  • Outsource your HIPAA compliance. Using a service like TrueVault, you are guaranteed compliance with the technical and physical safeguard requirements by storing any PHI in TrueVault’s secure cloud data store.
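The second path mentions auto-logout as one of the safeguards you would build yourself. Below is an added example of how that safeguard (the Security Rule’s “automatic logoff” standard) is typically implemented server-side, as a session store with an idle timeout and an absolute lifetime. This is illustration code written for this page, not TrueVault’s code or the original author’s, and the 15-minute idle and 8-hour absolute limits are assumed policy values, not numbers HIPAA itself specifies.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed policy values for this example; HIPAA requires automatic logoff
# but does not prescribe a specific timeout.
IDLE_TIMEOUT_SECONDS = 15 * 60
ABSOLUTE_LIFETIME_SECONDS = 8 * 60 * 60


@dataclass
class Session:
    user_id: str
    created_at: float   # when the session was issued
    last_seen: float    # last authenticated request on this session


class SessionStore:
    """Server-side session store enforcing automatic logoff.

    A session is invalidated when either the idle window or the absolute
    lifetime is exceeded, and the check happens on the server so a client
    that ignores a client-side timer gains nothing.
    """

    def __init__(
        self,
        idle_timeout: float = IDLE_TIMEOUT_SECONDS,
        absolute_lifetime: float = ABSOLUTE_LIFETIME_SECONDS,
        clock: Callable[[], float] = time.monotonic,  # injectable for tests
    ) -> None:
        self._idle_timeout = idle_timeout
        self._absolute_lifetime = absolute_lifetime
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: str) -> str:
        """Issue a new high-entropy session token for an authenticated user."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user_id, created_at=now, last_seen=now)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user id for a live session, or None if expired/unknown.

        A valid request slides the idle window forward; the absolute
        lifetime is never extended, so an always-active session still ends.
        """
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        idle_for = now - session.last_seen
        age = now - session.created_at
        if idle_for > self._idle_timeout or age > self._absolute_lifetime:
            # Expired sessions are removed, not merely rejected, so they
            # cannot be revived by a later clock adjustment.
            del self._sessions[token]
            return None
        session.last_seen = now
        return session.user_id

    def logout(self, token: str) -> None:
        """Explicit logoff: discard the session immediately."""
        self._sessions.pop(token, None)

    def active_count(self) -> int:
        return len(self._sessions)


class FakeClock:
    """Controllable clock so the timeout behaviour can be exercised offline."""

    def __init__(self, now: float = 0.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    store = SessionStore(clock=clock)
    token = store.create("dr_jones")          # constructed sample user
    clock.now = 14 * 60                       # 14 minutes idle: still valid
    print(store.validate(token))
    clock.now += 16 * 60                      # 16 minutes idle: logged off
    print(store.validate(token))
```

The sliding idle window means routine activity keeps a clinician logged in, while the absolute lifetime forces re-authentication even on a workstation that is never left idle.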