Building HIPAA-Compliant Web Apps, A Developer's Guide

Source: DEV Community
HIPAA is one of those compliance frameworks that developers either treat as a vague legal requirement (dangerous) or an impenetrable bureaucratic maze (also dangerous). The reality is more practical: HIPAA has specific technical requirements, and if you're building a US healthcare web application that handles Protected Health Information (PHI), you need to implement them.

This guide covers the developer-facing requirements. It is not legal advice; if you're launching a healthcare product, get a HIPAA attorney. But it gives you the technical picture.

What Counts as PHI

Protected Health Information is individually identifiable health information tied to a person. That means any of the following, combined with health data:

- Name, address, date of birth, phone number, email
- Social Security Number, account numbers, certificate numbers
- Any unique identifier that could identify the individual

The common developer mistake: assuming only medical records are PHI. A user's email address combined