
HIPAA Software

Definition

HIPAA software is any application that creates, receives, maintains, or transmits Protected Health Information (PHI) and must comply with the HIPAA Security Rule's administrative, physical, and technical safeguards. Healthcare software companies that handle PHI must sign a Business Associate Agreement (BAA) with covered entities -- violations carry fines of $100-$50,000 per violation up to $1.9 million annually.

HIPAA compliance is not a certification -- it is an ongoing operational requirement. The HHS Office for Civil Rights enforces HIPAA through audits, complaints, and breach investigations. The largest HIPAA fines (Anthem: $16M; Community Health Systems: $5M) involve inadequate technical safeguards for PHI at rest and in transit.

Key technical safeguards for HIPAA software

  • Encryption of PHI at rest (AES-256) and in transit (TLS 1.2+)
  • Unique user identification and automatic logoff
  • Audit controls: logs of all access to PHI with user, timestamp, and action
  • Integrity controls: PHI cannot be altered or destroyed without detection
  • Transmission security: end-to-end encryption for all PHI over networks
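The audit-control and integrity-control bullets above are the two that are easiest to get subtly wrong: an access log that can be edited or trimmed after the fact gives no evidence. The following is an added illustration, not code from this page or from Code and Trust, of a tamper-evident PHI access log built with an HMAC chain: every record's tag covers the previous record's tag plus its own fields (user, timestamp, action, record), so editing, reordering, or removing an interior record breaks verification at that point. The key name, user IDs, record IDs and timestamps are all constructed for the demo.

```python
"""Tamper-evident audit log for PHI access using an HMAC-SHA256 chain.

Added example (stdlib only). Every entry records user, timestamp, action and
record ID, and each tag authenticates the entry together with the previous tag,
so the chain as a whole is an integrity control over the audit trail.
"""
import copy
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment the key lives in a KMS/HSM and is
# never checked into source; the verifier process holds it, the app does not.
DEMO_LOG_KEY = b"constructed-demo-key-not-for-production"
GENESIS_TAG = "0" * 64  # previous tag for the very first record


def canonical(entry: dict) -> bytes:
    """Deterministic serialisation so the same entry always MACs the same way."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def compute_tag(key: bytes, prev_tag: str, entry: dict) -> str:
    """HMAC over (previous tag || entry); linking to prev_tag forms the chain."""
    msg = prev_tag.encode() + b"\n" + canonical(entry)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class PhiAuditLog:
    """Append-only in-memory log; a real one would persist records durably."""

    def __init__(self, key: bytes):
        self._key = key
        self.records = []  # each item: {"entry": {...}, "tag": "<hex>"}

    def append(self, user_id: str, action: str, record_id: str, timestamp: str) -> str:
        entry = {"user": user_id, "action": action, "record": record_id, "ts": timestamp}
        prev = self.records[-1]["tag"] if self.records else GENESIS_TAG
        tag = compute_tag(self._key, prev, entry)
        self.records.append({"entry": entry, "tag": tag})
        return tag


def verify_chain(key: bytes, records: list):
    """Return (True, None) if the chain is intact, else (False, index of first bad record)."""
    prev = GENESIS_TAG
    for i, rec in enumerate(records):
        expected = compute_tag(key, prev, rec["entry"])
        # constant-time comparison so verification itself leaks nothing about tags
        if not hmac.compare_digest(expected, rec["tag"]):
            return False, i
        prev = rec["tag"]
    return True, None


def demo():
    """Build a small constructed log, then show what verification reports after
    (a) no change, (b) an edited interior record, (c) a deleted interior record."""
    log = PhiAuditLog(DEMO_LOG_KEY)
    log.append("dr.smith", "VIEW", "patient-0042", "2024-05-01T09:15:00Z")
    log.append("nurse.lee", "UPDATE", "patient-0042", "2024-05-01T09:20:00Z")
    log.append("dr.smith", "EXPORT", "patient-0042", "2024-05-01T09:25:00Z")

    intact = verify_chain(DEMO_LOG_KEY, log.records)

    edited = copy.deepcopy(log.records)
    edited[1]["entry"]["user"] = "someone.else"      # rewrite who did the UPDATE
    after_edit = verify_chain(DEMO_LOG_KEY, edited)  # fails at index 1

    deleted = [log.records[0], log.records[2]]       # drop the UPDATE entirely
    after_delete = verify_chain(DEMO_LOG_KEY, deleted)  # fails at index 1: prev tag mismatch

    return intact, after_edit, after_delete


if __name__ == "__main__":
    print(demo())  # ((True, None), (False, 1), (False, 1))
```

One caveat the chain alone does not cover: silently truncating the newest records leaves a shorter but still valid chain. Detecting that requires anchoring the latest tag somewhere the log writer cannot alter (a separate store, a periodic signed checkpoint), and keeping the verification key out of the application that writes the log.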

HIPAA and AI

Using an LLM API (OpenAI, Anthropic) to process PHI requires a BAA with the LLM provider. Both OpenAI and Anthropic offer BAAs for enterprise plans. Sending PHI to a model without a BAA is a HIPAA violation regardless of the model's security posture. Self-hosted models eliminate the BAA requirement at the cost of significant infrastructure overhead.

Related terms

FedRAMP

FedRAMP (Federal Risk and Authorization Management Program) is the U.S. government's standardized authorization framework for cloud services sold to federal agencies. A FedRAMP Moderate authorization covers 80% of federal civilian use cases, takes 12-24 months to achieve, and costs $500,000-$2,000,000 -- but unlocks a $100 billion+ federal cloud services market with a single reusable authorization.

ATO (Authority to Operate)

An Authority to Operate (ATO) is the formal approval granted by a federal Authorizing Official that allows a software system to operate within a government environment after completing the NIST Risk Management Framework assessment process. ATOs are required before any federal system goes live and must be continuously maintained -- typically reviewed annually and triggered by significant system changes.

Section 508

Section 508 of the Rehabilitation Act requires all software, websites, and electronic content procured, developed, or used by the U.S. federal government to meet accessibility standards equivalent to WCAG 2.0 Level AA. Non-compliance can disqualify a product from federal procurement and expose agencies to civil rights complaints under the Architectural Barriers Act.

SOC 2

SOC 2 (System and Organization Controls 2) is an auditing standard developed by the AICPA that evaluates a software company's controls over security, availability, processing integrity, confidentiality, and privacy. A SOC 2 Type II report -- covering 6-12 months of operating effectiveness -- is increasingly required by enterprise buyers and is a de facto procurement requirement for B2B SaaS vendors.
