Healthcare software teams face a difficult balancing act: move fast enough to deliver value, but carefully enough to protect patient data. HIPAA violations can cost up to $2.1 million per violation category per year, and the reputational damage often exceeds the fines.
The good news? Modern tooling makes compliance automation achievable. The challenge is knowing what to automate and what requires human judgment.
Understanding HIPAA's Technical Requirements
HIPAA's Security Rule establishes three categories of safeguards: administrative, physical, and technical. For software teams, the technical safeguards demand the most attention.
The Four Technical Safeguard Standards
The HHS Security Rule defines four technical safeguard standards:
- Access Control - Implement technical policies to allow only authorized persons to access ePHI
- Audit Controls - Implement mechanisms to record and examine activity in systems containing ePHI
- Integrity Controls - Implement policies to protect ePHI from improper alteration or destruction
- Transmission Security - Implement measures to guard against unauthorized access during transmission
Each standard has required and addressable implementation specifications. "Addressable" doesn't mean optional—it means you must implement equivalent measures if the specification isn't reasonable for your environment.
HIPAA Technical Safeguard Standards
"Covered entities must assess whether each addressable implementation specification is a reasonable and appropriate safeguard in its environment." — HHS HIPAA Security Rule Guidance
Access Control: Beyond Basic Authentication
Access control is where most healthcare applications start—and where many stop too soon. HIPAA requires more than username and password.
Required: Unique User Identification
Every user accessing ePHI must have a unique identifier. This seems obvious, but shared accounts remain common in healthcare settings. Your system must:
- Assign unique identifiers to every user
- Prevent credential sharing through technical controls
- Associate all actions with specific user IDs
Required: Emergency Access Procedures
Systems must allow access to ePHI during emergencies. This creates tension with security controls. The solution is a documented "break glass" procedure:
// Example: Emergency access with mandatory audit trail
interface EmergencyAccessRequest {
userId: string;
patientId: string;
emergencyType: 'life_threatening' | 'facility_emergency' | 'system_failure';
justification: string;
timestamp: Date;
}
async function requestEmergencyAccess(request: EmergencyAccessRequest): Promise<AccessGrant> {
// Log the emergency access request immediately
await auditLog.critical('EMERGENCY_ACCESS_REQUESTED', {
...request,
requiresReview: true,
reviewDeadline: addHours(new Date(), 24)
});
// Grant temporary elevated access
const grant = await accessControl.grantTemporary({
userId: request.userId,
scope: 'emergency_read',
expiresIn: '4h',
requiresJustificationReview: true
});
// Notify compliance team
await notifications.sendToComplianceTeam({
type: 'emergency_access_granted',
details: request,
grantId: grant.id
});
return grant;
}
The key principle: emergency access should be easy to use but impossible to hide.
Addressable: Automatic Logoff
Sessions containing ePHI should terminate after inactivity. The implementation depends on your application type:
- Web applications: Server-side session timeout plus client-side warnings
- Mobile apps: Background timeout with biometric re-authentication
- Desktop applications: Screen lock integration with OS-level controls
A 15-minute timeout is common, but adjust based on clinical workflow requirements. Forcing re-authentication during a patient encounter creates workarounds that reduce security.
Addressable: Encryption and Decryption
Encryption of data at rest is addressable, not required—but it's effectively required in practice. The cost of implementing encryption is far lower than the cost of defending a breach involving unencrypted data.
Audit Controls: Building a Trustworthy Record
Audit logs are your compliance evidence. When OCR investigates a breach, they'll examine your audit trail. Incomplete logs suggest incomplete security.
What to Log
At minimum, log these events for any system handling ePHI:
| Event Category | Specific Events |
|---|---|
| Authentication | Login success, login failure, logout, session timeout |
| Authorization | Access granted, access denied, privilege escalation |
| Data Access | View, create, update, delete, export, print |
| Configuration | User changes, permission changes, system settings |
| Security | Password changes, MFA enrollment, failed access attempts |
How to Log
Audit logs must be tamper-evident. If an attacker can modify logs after the fact, they're useless for forensics.
Best practices for audit log integrity:
- Write once, read many - Use append-only storage or immutable log services
- Hash chains - Each log entry includes a hash of the previous entry
- External timestamping - Use a trusted time source, not the local system clock
- Separation of duties - Developers who write code shouldn't control production logs
// Example: Tamper-evident audit log entry
interface AuditEntry {
id: string;
timestamp: string; // ISO 8601 from trusted time source
previousHash: string; // SHA-256 of previous entry
eventType: string;
userId: string;
resourceType: string;
resourceId: string;
action: string;
outcome: 'success' | 'failure';
metadata: Record<string, unknown>;
hash: string; // SHA-256 of this entry (excluding hash field)
}
function createAuditEntry(
event: Omit<AuditEntry, 'id' | 'timestamp' | 'previousHash' | 'hash'>,
previousEntry: AuditEntry | null
): AuditEntry {
const entry: Omit<AuditEntry, 'hash'> = {
id: generateUUID(),
timestamp: getTrustedTimestamp(),
previousHash: previousEntry?.hash ?? 'GENESIS',
...event
};
return {
...entry,
hash: sha256(JSON.stringify(entry))
};
}
Retention Requirements
HIPAA requires documentation retention for six years. Your audit logs should follow the same standard—or longer if state law requires it.
Plan for log storage costs. A busy healthcare application can generate gigabytes of audit data daily. Consider:
- Tiered storage (hot/warm/cold)
- Compressed archives for older logs
- Searchable indexes for recent data
Integrity Controls: Protecting Data Accuracy
Healthcare decisions depend on accurate data. A corrupted lab result or modified medication list could harm patients.
Electronic Mechanisms to Corroborate Data Integrity
Implement checksums or digital signatures for critical data:
// Example: Data integrity verification for patient records
interface PatientRecord {
id: string;
data: PatientData;
version: number;
lastModified: string;
modifiedBy: string;
integrityHash: string;
}
function verifyIntegrity(record: PatientRecord): boolean {
const expectedHash = computeHash({
id: record.id,
data: record.data,
version: record.version,
lastModified: record.lastModified,
modifiedBy: record.modifiedBy
});
return expectedHash === record.integrityHash;
}
// Run integrity checks on read
async function getPatientRecord(id: string): Promise<PatientRecord> {
const record = await database.get(id);
if (!verifyIntegrity(record)) {
await auditLog.critical('INTEGRITY_VIOLATION', { recordId: id });
throw new IntegrityError('Patient record failed integrity check');
}
return record;
}
Version Control and Change Tracking
Maintain complete history of changes to clinical data:
- Who made the change
- When it was made
- What the previous value was
- Why the change was made (when clinically relevant)
This isn't just compliance—it's good clinical practice. Seeing how a diagnosis evolved helps providers make better decisions.
Transmission Security: Protecting Data in Motion
Data transmitted over networks must be protected from interception and modification.
Encryption in Transit
TLS 1.2 or higher is the minimum standard. TLS 1.3 is preferred for new implementations.
Configuration matters as much as the protocol version:
# Example: Strong TLS configuration for healthcare applications
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# HSTS - tell browsers to always use HTTPS
add_header Strict-Transport-Security "max-age=63072000" always;
API Security
Healthcare APIs require additional protections beyond standard TLS:
- Mutual TLS (mTLS) - Both client and server present certificates
- API keys with rotation - Unique keys per integration partner
- Request signing - Prevent replay attacks
- Rate limiting - Protect against enumeration attacks
For FHIR APIs and healthcare data exchange, follow the SMART on FHIR authorization framework.
Washington State: DSHS, DDA, and ProviderOne Integration
For healthcare software operating in Washington State, federal HIPAA requirements are just the starting point. State-specific systems add additional compliance layers.
Washington State Healthcare System Integration
DSHS Compliance Requirements
The Washington State Department of Social and Health Services (DSHS) administers healthcare programs including Medicaid. Software interfacing with DSHS systems must meet their security requirements, which often exceed baseline HIPAA.
Key DSHS technical requirements:
- Background checks - Developers with access to production data may require clearance
- Data use agreements - Formal contracts specifying permitted uses
- Incident reporting - 24-hour notification requirements for security incidents
- Annual assessments - Regular security evaluations
DDA Billing Software Requirements
The Developmental Disabilities Administration (DDA) has specific requirements for billing and service documentation software:
- Service authorization verification
- Provider qualification tracking
- Individualized service plan compliance
- Encounter documentation with required fields
Software must validate that billed services match authorized services and that providers are qualified to deliver them.
Electronic Visit Verification (EVV)
The 21st Century Cures Act requires EVV for Medicaid-funded personal care and home health services. Washington State implemented EVV through integration with the ProviderOne system.
EVV Required Data Elements
EVV systems must capture:
| Data Element | Description |
|---|---|
| Service recipient | Who received the service |
| Service provider | Who provided the service |
| Service type | What service was provided |
| Date of service | When the service was provided |
| Location | Where the service was provided |
| Start/end time | Duration of the service |
ProviderOne Integration
ProviderOne is Washington's Medicaid Management Information System. Integration requires:
- Trading partner agreement - Formal enrollment as a data exchange partner
- X12 transaction support - Standard healthcare EDI formats (837, 835, 270/271)
- Real-time eligibility - Verify coverage before service delivery
- Claim submission - Electronic billing with proper formatting
// Example: ProviderOne eligibility check (simplified)
interface EligibilityRequest {
subscriberId: string;
dateOfService: string;
serviceType: string;
providerId: string;
}
interface EligibilityResponse {
eligible: boolean;
coverageType: string;
limitations: string[];
priorAuthRequired: boolean;
}
async function checkEligibility(
request: EligibilityRequest
): Promise<EligibilityResponse> {
// Build X12 270 transaction
const transaction = buildX12_270(request);
// Submit to ProviderOne
const response = await providerOneClient.submitTransaction(transaction);
// Parse X12 271 response
return parseX12_271(response);
}
Testing ProviderOne integrations requires access to their test environment. Plan for a 4-8 week certification process before production access.
Automating Compliance Monitoring
Manual compliance checks don't scale. Automation catches issues before they become violations.
Continuous Compliance Scanning
Integrate security scanning into your CI/CD pipeline:
# Example: GitHub Actions workflow for compliance checks
name: Compliance Checks
on:
push:
branches: [main, develop]
pull_request:
branches: [main]
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Dependency vulnerability scan
run: npm audit --audit-level=high
- name: SAST scan
uses: github/codeql-action/analyze@v3
- name: Secret detection
uses: trufflesecurity/trufflehog@main
with:
path: ./
- name: HIPAA configuration check
run: ./scripts/hipaa-config-check.sh
Runtime Monitoring
Production systems need continuous monitoring:
- Access pattern anomalies - Alert on unusual data access
- Failed authentication spikes - Detect brute force attempts
- Data export monitoring - Track bulk downloads
- Configuration drift - Detect unauthorized changes
Regular Risk Assessments
HIPAA requires periodic risk assessments. Automate what you can:
- Vulnerability scanning (weekly)
- Penetration testing (annual, minimum)
- Access review (quarterly)
- Policy review (annual)
Document everything. The assessment itself is evidence of compliance.
Common Compliance Failures
Learn from others' mistakes. These issues appear repeatedly in OCR enforcement actions:
1. Insufficient Access Controls
Problem: All staff can access all patient records.
Solution: Implement role-based access control (RBAC) with minimum necessary permissions. A billing clerk doesn't need access to clinical notes.
2. Missing Audit Logs
Problem: No record of who accessed what data.
Solution: Log every access to ePHI. Make logs tamper-evident and retain for six years.
3. Unencrypted Devices
Problem: Stolen laptop contains unencrypted patient data.
Solution: Encrypt all devices. Use MDM to enforce encryption policies.
4. Inadequate Training
Problem: Staff click phishing links or share passwords.
Solution: Regular security training with healthcare-specific scenarios. Test with simulated phishing.
5. No Incident Response Plan
Problem: Breach occurs and no one knows what to do.
Solution: Document and practice incident response procedures. Include breach notification timelines (60 days for HIPAA, 24 hours for some state requirements).
Key Takeaways
-
HIPAA technical safeguards are automatable - Access control, audit logs, integrity checks, and encryption can all be built into your development process
-
Washington State adds requirements - DSHS, DDA, and ProviderOne integration have compliance needs beyond federal HIPAA
-
Audit logs are your evidence - Invest in tamper-evident, comprehensive logging from day one
-
Compliance is continuous - Automate scanning, monitoring, and risk assessment
-
Document everything - OCR investigations succeed or fail based on documentation
Building Compliant Healthcare Software
Healthcare compliance isn't a checkbox exercise—it's an ongoing commitment to protecting patient data while enabling better care delivery.
PEW Consulting specializes in building HIPAA-compliant healthcare platforms, including systems integrated with Washington State's DSHS, DDA, and ProviderOne. Our team has delivered solutions achieving 99.97% uptime while maintaining full compliance with federal and state requirements.
Schedule a compliance consultation to discuss your healthcare software needs.
Sources
- HHS HIPAA Security Rule
- HHS HIPAA Enforcement
- CMS Electronic Visit Verification
- Washington HCA ProviderOne
- SMART on FHIR
Related reading: The $100 Billion Problem: Why Federal Agencies Still Run on COBOL