HIPAA (Health Insurance Portability and Accountability Act) requires that any system handling Protected Health Information (PHI) implements specific technical safeguards. For engineering teams, HIPAA is not about checking boxes — it’s about building systems where patient data is encrypted at rest and in transit, access is logged and auditable, and breaches are detectable within hours, not months.
What Qualifies as PHI
| PHI Category | Examples |
|---|
| Direct identifiers | Name, SSN, email, phone, address, DOB |
| Medical records | Diagnoses, prescriptions, lab results, imaging |
| Financial data | Insurance IDs, billing records, claims |
| Biometric data | Fingerprints, voiceprints, retinal scans |
| Device identifiers | IP addresses, serial numbers, device IDs |
Key rule: If data can identify a patient AND relates to their health/payment, it’s PHI.
Technical Safeguards (§ 164.312)
| Requirement | Implementation |
|---|
| Access control | Unique user ID, emergency access, auto-logoff, encryption/decryption |
| Audit controls | Record and examine all PHI access |
| Integrity controls | Protect PHI from improper alteration/destruction |
| Authentication | Verify the identity of anyone accessing PHI |
| Transmission security | Encrypt PHI in transit |
Encryption Requirements
| Context | Requirement | Implementation |
|---|
| Data at rest | AES-256 or equivalent | Database-level encryption + application-level for sensitive fields |
| Data in transit | TLS 1.2+ | Enforce HTTPS, reject HTTP, HSTS headers |
| Backups | Encrypted | Encryption keys separate from backup storage |
| Removable media | Encrypted | BitLocker, FileVault, or equivalent |
| Key management | Separate from data | AWS KMS, Azure Key Vault, HashiCorp Vault |
Application-Level Encryption
PHI fields encrypted at application layer:
patient_name → AES-256-GCM encrypted blob
ssn → AES-256-GCM encrypted blob
diagnosis → AES-256-GCM encrypted blob
Non-PHI fields stored in plaintext:
patient_id (UUID, no meaning without lookup)
created_at
record_type
Keys rotated annually, old keys retained for decryption
Access Control Architecture
| Control | Implementation |
|---|
| Authentication | MFA required, session timeout 15 min idle |
| Authorization | Role-based access control, minimum necessary |
| Unique user IDs | No shared accounts, service accounts individually provisioned |
| Emergency access | Break-glass procedure with mandatory after-action review |
| Auto-logoff | Session expires after 15 minutes of inactivity |
Minimum Necessary Principle
| Role | PHI Access |
|---|
| Receptionist | Name, DOB, insurance ID |
| Nurse | Medical records, vitals, medications |
| Doctor | Full medical record |
| Billing specialist | Name, insurance, diagnosis codes (no clinical notes) |
| IT admin | System logs only (no PHI in logs) |
| Developer | De-identified data only (no production PHI) |
Audit Logging Requirements
| Event | Fields to Log |
|---|
| PHI view | User, patient ID, timestamp, data accessed |
| PHI modify | User, patient ID, timestamp, fields changed |
| PHI export | User, patient ID, timestamp, format, destination |
| Login success | User, timestamp, IP, device |
| Login failure | Attempted user, timestamp, IP |
| Access grant/revoke | Admin, target user, role, timestamp |
| System config change | Admin, setting, old value, new value |
Log Protection
| Requirement | Implementation |
|---|
| Immutability | Write-once storage (S3 Object Lock, Azure Immutable Blob) |
| Retention | 6 years minimum |
| Access control | Only compliance team can read audit logs |
| Integrity | Hash chain or WORM storage to detect tampering |
Development Environment Controls
| Control | Requirement |
|---|
| No production PHI in dev/test | Use de-identified or synthetic data |
| De-identification | Remove all 18 HIPAA identifiers, or use Safe Harbor method |
| Developer workstations | Full disk encryption, screen lock, endpoint protection |
| Code repositories | No PHI in code, configs, or test fixtures |
| CI/CD | No PHI in build logs, test output, or artifacts |
Breach Detection and Response
| Response Phase | Timeline | Action |
|---|
| Detection | Real-time | Automated alerting on anomalous PHI access |
| Assessment | < 24 hours | Determine if breach occurred, scope impact |
| Containment | Immediate | Revoke access, isolate affected systems |
| Notification | ≤ 60 days | Notify affected individuals, HHS, media (if > 500) |
| Documentation | Ongoing | Complete breach log for 6-year retention |
Anti-Patterns
| Anti-Pattern | HIPAA Risk | Fix |
|---|
| PHI in application logs | Unauthorized disclosure via log aggregation | Strip PHI from logs, use patient IDs only |
| Shared database accounts | No individual accountability | Named service accounts with least privilege |
| Production data in dev | PHI exposed to unauthorized developers | De-identify or use synthetic data |
| Email containing PHI | Unencrypted transmission | Secure messaging portal, never PHI in email body |
| No audit log review | Cannot detect unauthorized access | Automated anomaly detection + quarterly manual review |
| Backup encryption key with backup | If backups stolen, encryption is useless | Separate key management from backup storage |
Checklist
:::note[Source]
This guide is derived from operational intelligence at Garnet Grid Consulting. For healthcare compliance engineering, visit garnetgrid.com.
:::
Jakub Dimitri Rezayev
Founder & Chief Architect • Garnet Grid Consulting
Jakub holds an M.S. in Customer Intelligence & Analytics and a B.S. in Finance & Computer Science from Pace University. With deep expertise spanning D365 F&O, Azure, Power BI, and AI/ML systems, he architects enterprise solutions that bridge legacy systems and modern technology — and has led multi-million dollar ERP implementations for Fortune 500 supply chains.
View Full Profile →