Compliance | March 10, 2025 | 12 min read | RNDSOL Team

HIPAA Compliance Checklist for Healthcare Software in 2025

HIPAA violations can cost up to $1.5 million per incident. This checklist covers the technical safeguards every healthcare software product must implement — and the common mistakes that get teams audited.

1. Encryption at Rest and in Transit

All PHI must be encrypted using AES-256 at rest and TLS 1.3 in transit. This includes databases, file storage, backups, and logs. Self-managed databases must use transparent data encryption (TDE). Cloud-managed databases should have encryption enabled; most providers turn it on by default, but confirm the setting on every instance and snapshot rather than assuming it.

2. Access Control and Authentication

Implement role-based access control (RBAC) with the principle of least privilege. Every user action on PHI must be tied to a unique user identity. Multi-factor authentication is mandatory for all accounts with PHI access. Session timeouts should not exceed 15 minutes of inactivity.
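The following is an added example, not code from RNDSOL or from any particular product, showing how the four requirements above fit together in one authorization decision: a per-role permission set (least privilege), one identity per person, a mandatory MFA flag, and an idle clock that only successful requests refresh. It also covers immediate revocation for an offboarded user, which section 6 lists as a common failure. The role names, permission strings and sample users are assumptions.

```python
"""Role-based access control for PHI with least privilege, unique user
identity, mandatory MFA and a 15-minute idle timeout.
Added illustration for this checklist, not RNDSOL's code; the role names,
the permission strings and the sample users are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

IDLE_TIMEOUT = timedelta(minutes=15)  # checklist: never exceed 15 minutes idle

# Least privilege: each role carries only the PHI actions it needs (assumed policy).
ROLE_PERMISSIONS = {
    "nurse": {"phi:read", "phi:update_vitals"},
    "physician": {"phi:read", "phi:update", "phi:prescribe"},
    "billing": {"phi:read_billing"},
    "auditor": {"audit:read"},
}


@dataclass
class User:
    user_id: str          # one identity per person; no shared or generic logins
    role: str
    active: bool = True   # False once HR offboards the person


@dataclass
class Session:
    user: User
    last_activity: datetime
    mfa_verified: bool = False


def terminate(user: User) -> None:
    """Offboarding: deactivating the user denies every later request,
    even from a session that is still open."""
    user.active = False


def authorize(session: Session, action: str, now: datetime) -> tuple:
    """Decide whether `session` may perform `action` on PHI at time `now`.
    Returns (True, "ok") or (False, reason). Denials leave the idle clock
    untouched, so a stream of rejected requests cannot keep a session alive."""
    user = session.user
    if not user.active:
        return False, f"{user.user_id}: account deactivated"
    if not session.mfa_verified:
        return False, f"{user.user_id}: MFA required for PHI access"
    if now - session.last_activity > IDLE_TIMEOUT:
        return False, f"{user.user_id}: session expired after inactivity"
    if action not in ROLE_PERMISSIONS.get(user.role, set()):
        return False, f"{user.user_id}: role {user.role!r} lacks {action!r}"
    session.last_activity = now   # successful use refreshes the idle clock
    return True, "ok"


def run_demo() -> list:
    """Constructed timeline: allowed read, out-of-role action, idle timeout,
    then a request after the account was deactivated."""
    t0 = datetime(2025, 3, 10, 9, 0, tzinfo=timezone.utc)
    nurse = User("u-1001", "nurse")
    s = Session(nurse, last_activity=t0, mfa_verified=True)
    results = [
        authorize(s, "phi:read", t0),                           # allowed
        authorize(s, "phi:prescribe", t0),                      # role lacks it
        authorize(s, "phi:read", t0 + timedelta(minutes=16)),   # idle > 15 min
    ]
    terminate(nurse)
    results.append(authorize(s, "phi:read", t0 + timedelta(minutes=1)))  # deactivated
    return results


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The ordering of the checks matters: account status and MFA are evaluated before the role lookup, so a terminated user is refused regardless of what their role would otherwise permit, and the idle clock is only advanced on a successful request.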

3. Audit Logging and Monitoring

HIPAA requires you to log every access, modification, and deletion of PHI. Logs must be immutable, time-stamped, and retained for 6 years. Implement real-time alerting for anomalous access patterns — such as a nurse accessing records outside their unit.
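As an added example (not RNDSOL's code), the block below shows the two mechanisms this section calls for: a hash-chained, time-stamped audit log in which each record commits to the previous record's hash so that any edit or deletion is detectable, and a simple alert rule that flags a clinician reading a record outside their assigned unit. The record fields, the staff-to-unit roster and the sample events are all constructed for the illustration.

```python
"""Tamper-evident PHI audit log plus an out-of-unit access alert.
Added illustration for this checklist, not RNDSOL's code; the record
fields, the staff-to-unit roster and the sample events are assumptions."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only log where each record commits to the previous record's hash.
    Editing, reordering or deleting any earlier record breaks the chain."""

    def __init__(self):
        self.records = []

    def append(self, user_id, action, patient_id, unit, ts=None) -> str:
        ts = ts or datetime.now(timezone.utc)
        body = {
            "seq": len(self.records),
            "ts": ts.isoformat(),          # time-stamped
            "user_id": user_id,            # unique identity behind the action
            "action": action,              # read / update / delete
            "patient_id": patient_id,
            "unit": unit,                  # unit the patient record belongs to
            "prev_hash": self.records[-1]["hash"] if self.records else GENESIS,
        }
        body["hash"] = _digest(body)
        self.records.append(body)
        return body["hash"]

    def verify(self) -> bool:
        """Recompute every hash and link; False means the log was altered."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["seq"] != i or body["prev_hash"] != prev or _digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


# Constructed roster: the unit each clinician is assigned to ("*" = floats between units).
USER_UNIT = {"nurse-17": "ICU", "nurse-22": "Oncology", "dr-05": "*"}


def out_of_unit_access(records) -> list:
    """Flag records where the user touched a patient outside their assigned unit
    or is unknown to the roster. Returns (seq, user_id, unit) tuples."""
    alerts = []
    for rec in records:
        home = USER_UNIT.get(rec["user_id"])
        if home is None or (home != "*" and rec["unit"] != home):
            alerts.append((rec["seq"], rec["user_id"], rec["unit"]))
    return alerts


def build_sample_log() -> AuditLog:
    """Constructed events for demonstration."""
    log = AuditLog()
    t = datetime(2025, 3, 10, 8, 0, tzinfo=timezone.utc)
    log.append("nurse-17", "read", "pt-4401", "ICU", t)
    log.append("dr-05", "update", "pt-4401", "ICU", t)
    log.append("nurse-17", "read", "pt-9130", "Oncology", t)   # outside her unit
    log.append("nurse-22", "read", "pt-9130", "Oncology", t)
    return log


def tampered_copy(log: AuditLog) -> AuditLog:
    """Simulate someone rewriting history: change one field of an old record."""
    copy = AuditLog()
    copy.records = [dict(r) for r in log.records]
    copy.records[2]["user_id"] = "dr-05"   # hide who really read the record
    return copy


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())                            # True
    print("alerts:", out_of_unit_access(log.records))               # [(2, 'nurse-17', 'Oncology')]
    print("tampered chain intact:", tampered_copy(log).verify())   # False
```

A hash chain only proves that the records you still hold are consistent with each other; someone with write access to the whole table could rebuild the chain from scratch. In practice the records are shipped to append-only storage and the current chain head is periodically anchored somewhere the application cannot modify, which is also what makes the 6-year retention requirement auditable.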

4. Business Associate Agreements (BAAs)

Every vendor that handles PHI on your behalf — cloud providers, analytics tools, email services — must sign a BAA. AWS, Azure, and Google Cloud will sign BAAs. Most SaaS tools will not. We maintain a vetted vendor list for healthcare clients.

5. Data Backup and Disaster Recovery

HIPAA requires a documented disaster recovery plan with regular testing. Backups must be encrypted, geographically distributed, and restorable within your documented RTO. We recommend daily automated backups with monthly restore drills.
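As an added example (not RNDSOL's code), here is a check that turns the recommendations above into something a pipeline can run against a backup manifest: the newest backup must be no older than a day, every backup must be encrypted, recent backups must span at least two regions, and a successful restore drill must have happened in the last month and completed within the documented RTO. The manifest fields, the 4-hour RTO and the window lengths are assumptions.

```python
"""Backup and disaster-recovery evidence check run against a backup manifest.
Added illustration for this checklist, not RNDSOL's code; the manifest
fields, the 4-hour RTO, the 1-day backup age and the 31-day drill window
are assumptions."""
from datetime import datetime, timedelta, timezone

RTO = timedelta(hours=4)             # documented recovery time objective (assumed)
MAX_BACKUP_AGE = timedelta(days=1)   # daily automated backups
MAX_DRILL_AGE = timedelta(days=31)   # monthly restore drills
REGION_WINDOW = timedelta(days=7)    # backups younger than this must span >= 2 regions


def check_dr_readiness(backups, drills, now) -> list:
    """Return findings as strings; an empty list means every check passed.
    backups: dicts with ts (datetime), region (str), encrypted (bool)
    drills:  dicts with ts (datetime), duration (timedelta), success (bool)"""
    findings = []
    if not backups:
        return ["no backups recorded"]
    newest = max(b["ts"] for b in backups)
    if now - newest > MAX_BACKUP_AGE:
        findings.append(f"newest backup is {(now - newest).days} day(s) old")
    unencrypted = sum(1 for b in backups if not b["encrypted"])
    if unencrypted:
        findings.append(f"{unencrypted} backup(s) stored unencrypted")
    regions = {b["region"] for b in backups if now - b["ts"] <= REGION_WINDOW}
    if len(regions) < 2:
        findings.append(f"recent backups exist in only {len(regions)} region(s)")
    recent = [d for d in drills if d["success"] and now - d["ts"] <= MAX_DRILL_AGE]
    if not recent:
        findings.append("no successful restore drill in the last 31 days")
    elif max(d["duration"] for d in recent) > RTO:
        findings.append("latest restore drill exceeded the documented RTO")
    return findings


def sample_manifests():
    """Two constructed manifests: one compliant, one with several gaps."""
    now = datetime(2025, 3, 10, 8, 0, tzinfo=timezone.utc)
    h, d = timedelta(hours=1), timedelta(days=1)
    good_backups = [
        {"ts": now - 2 * h, "region": "us-east-1", "encrypted": True},
        {"ts": now - 2 * h, "region": "eu-west-1", "encrypted": True},
    ]
    good_drills = [{"ts": now - 10 * d, "duration": timedelta(minutes=90), "success": True}]
    bad_backups = [{"ts": now - 3 * d, "region": "us-east-1", "encrypted": False}]
    bad_drills = [{"ts": now - 60 * d, "duration": timedelta(hours=2), "success": True}]
    return now, (good_backups, good_drills), (bad_backups, bad_drills)


if __name__ == "__main__":
    now, good, bad = sample_manifests()
    print("compliant:", check_dr_readiness(*good, now))   # []
    for finding in check_dr_readiness(*bad, now):
        print("finding:", finding)
```

The drill check deliberately requires a successful drill, not just a scheduled one: a backup that has never been restored end to end is evidence of a backup job, not of recoverability, and the drill duration is what lets you show an auditor that the documented RTO is realistic.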

6. Common Mistakes That Trigger Audits

Storing PHI in unencrypted S3 buckets. Using production data in staging environments. Sending PHI over unencrypted email. Failing to revoke access for terminated employees. Skipping penetration testing. Each of these has resulted in six-figure fines.

Build HIPAA-Compliant Software with RNDSOL

We have delivered 6+ HIPAA-compliant platforms that passed security audits on the first attempt. Our engineers understand the difference between HIPAA-ready and HIPAA-compliant — and we document every decision for your audit trail.
