HIPAA Engineering Controls
Implement HIPAA technical safeguards for electronic protected health information. Covers access controls, audit logging, encryption at rest and in transit, data backup, integrity controls, and the patterns that make healthcare software HIPAA-compliant.
HIPAA (Health Insurance Portability and Accountability Act) applies to covered entities and business associates that handle electronic Protected Health Information (ePHI). Violations carry fines up to $1.5 million per category per year, plus potential criminal penalties. Engineering teams must implement the Technical Safeguard standards specified in the Security Rule.
HIPAA Technical Safeguards
Access Control (§164.312(a)):
Required:
☐ Unique user identification (no shared accounts)
☐ Emergency access procedure
☐ Automatic logoff after inactivity
☐ Encryption and decryption of ePHI
Audit Controls (§164.312(b)):
Required:
☐ Record and examine access to ePHI
☐ Hardware, software, and procedural mechanisms
☐ Audit logs retained for 6 years minimum
Integrity (§164.312(c)):
Required:
☐ Mechanism to authenticate ePHI
☐ Protect ePHI from improper alteration or destruction
☐ Electronic signatures where applicable
Person/Entity Authentication (§164.312(d)):
Required:
☐ Verify identity of person/entity seeking access
☐ Multi-factor authentication recommended
Transmission Security (§164.312(e)):
Required:
☐ Protect ePHI during transmission
☐ Encryption of ePHI in transit (TLS 1.2+)
☐ Integrity controls during transmissionImplementation
class HIPAACompliantService:
"""Service that handles ePHI with required safeguards."""
def __init__(self):
self.audit_logger = AuditLogger()
self.encryptor = FieldLevelEncryption(key_from_kms=True)
# Access Control: Every access to ePHI is authenticated + authorized
def get_patient_record(self, user: AuthenticatedUser, patient_id: str):
# Verify user has role-based access
if not user.has_permission("patient:read"):
self.audit_logger.log_access_denied(user, patient_id, "patient:read")
raise AccessDenied("Insufficient permissions for ePHI access")
# Verify user has need-to-know for this patient
if not self.is_care_team_member(user.id, patient_id):
self.audit_logger.log_access_denied(user, patient_id, "care_team_check")
raise AccessDenied("Not a member of patient's care team")
# Fetch and decrypt ePHI
encrypted_record = self.db.get_patient(patient_id)
record = self.encryptor.decrypt_fields(encrypted_record, [
"ssn", "diagnosis", "medications", "notes",
])
# Audit log: WHO accessed WHAT and WHEN
self.audit_logger.log_access(
who=user.id,
what=f"patient_record:{patient_id}",
when=datetime.utcnow(),
action="READ",
fields_accessed=["demographics", "diagnosis", "medications"],
source_ip=user.ip_address,
)
return record
# Encryption at Rest: Field-level encryption for ePHI
def store_patient_record(self, user: AuthenticatedUser, record: dict):
# Encrypt sensitive fields before storage
encrypted = self.encryptor.encrypt_fields(record, [
"ssn", "diagnosis", "medications", "notes",
])
# Store with integrity hash
encrypted["integrity_hash"] = self.compute_integrity_hash(encrypted)
self.db.save_patient(encrypted)
self.audit_logger.log_access(
who=user.id,
what=f"patient_record:{record['patient_id']}",
action="WRITE",
)Audit Log Requirements
class HIPAAAuditLogger:
"""Immutable audit trail for all ePHI access."""
def log_access(self, who, what, action, **kwargs):
entry = {
"timestamp": datetime.utcnow().isoformat(),
"user_id": who,
"resource": what,
"action": action, # READ, WRITE, DELETE, EXPORT
"source_ip": kwargs.get("source_ip"),
"user_agent": kwargs.get("user_agent"),
"fields_accessed": kwargs.get("fields_accessed", []),
"outcome": kwargs.get("outcome", "SUCCESS"),
}
# Write-once storage (cannot be modified or deleted)
self.immutable_store.append(entry)
# Retention: HIPAA requires 6 years minimum
# Do NOT set TTL on audit logsAnti-Patterns
| Anti-Pattern | Consequence | Fix |
|---|---|---|
| Shared service accounts | Cannot audit individual access | Unique user IDs for every person |
| ePHI in application logs | Logs become ePHI storage (must protect) | Strip ePHI from all logs |
| No encryption at rest | Breach = immediate HIPAA violation | AES-256 at minimum, field-level preferred |
| Audit logs modifiable | Cannot prove compliance | Append-only, immutable audit storage |
| No BAA with cloud provider | Using cloud without BAA = violation | BAA required before storing ePHI |
HIPAA compliance is binary — you are either compliant or you are not. There is no “mostly HIPAA-compliant.” Every ePHI touch point must have access controls, encryption, and audit logging.
