HIPAA Compliant Software: A Complete Guide for 2026
In 2024, the U.S. Department of Health and Human Services settled over $4 million in HIPAA violation penalties — and that was a relatively quiet year. The largest individual fines have exceeded $16 million. These aren’t just fines levied against careless hospitals. Software vendors, billing companies, and even small therapy practices have been caught in the crosshairs.
The common thread? Software that wasn’t built to handle protected health information.
If your organization touches patient data — whether you’re a healthcare provider, an insurance company, a medical billing firm, or a software vendor serving any of them — the software you use needs to be HIPAA compliant. Not “mostly secure.” Not “we encrypt some things.” Actually, verifiably compliant.
This guide covers what HIPAA compliance means for software, the categories of tools that need to meet these standards, and how to decide whether off-the-shelf solutions or custom-built software is the right path for your organization.
What Makes Software HIPAA Compliant
HIPAA compliance isn’t a certification you purchase or a badge a vendor slaps on their marketing page. It’s a set of technical, administrative, and physical safeguards that protect the confidentiality, integrity, and availability of protected health information (PHI).
For software specifically, compliance centers on the HIPAA Security Rule, which applies to electronic PHI (ePHI). Here’s what that means in practice:
Encryption
All PHI must be encrypted both at rest (when stored in a database or on a server) and in transit (when transmitted over a network). This means AES-256 encryption for stored data and TLS 1.2 or higher for data in transit. If patient records are sitting in an unencrypted database — even behind a firewall — you have a compliance problem.
Access Controls
Not everyone in your organization should have access to all patient data. HIPAA requires role-based access controls (RBAC) that limit who can view, modify, or transmit PHI based on their job function. A billing clerk doesn’t need access to clinical notes. A front-desk receptionist doesn’t need access to detailed treatment records.
This also includes unique user identification (no shared logins), automatic session timeouts, and emergency access procedures.
Audit Logging
Every interaction with PHI must be logged: who accessed what record, when, from where, and what they did with it. These audit trails need to be tamper-proof and retained for at least six years. This isn’t just a “nice to have” security feature — it’s a regulatory requirement that HHS will ask for during an investigation.
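The access-control and audit-logging requirements above, as an added example that is not code from the article or from Scott Street: a minimum-necessary role matrix (the roles and record types are constructed for illustration) whose every decision, allowed or denied, is appended to a hash-chained audit log, with a `verify()` routine that reports the first entry that was altered or removed.

```python
import hashlib
import json
from datetime import datetime, timezone

# Minimum-necessary matrix (constructed): PHI record types each role may read.
ROLE_PERMISSIONS = {
    "billing_clerk": {"billing_record", "insurance_claim"},
    "receptionist": {"appointment", "demographics"},
    "physician": {"clinical_note", "lab_result", "appointment", "demographics"},
}

GENESIS = "0" * 64  # stands in for the hash of the entry before the first


class AuditLog:
    """Append-only log; every entry carries the hash of the previous entry."""

    def __init__(self):
        self.entries = []

    def append(self, user, role, record_type, record_id, action, outcome, src_ip):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "record_type": record_type,
            "record_id": record_id, "action": action, "outcome": outcome,
            "src_ip": src_ip, "prev": prev,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    @staticmethod
    def _digest(entry):
        payload = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

    def verify(self):
        """Index of the first entry whose chain or hash is broken, or -1."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or entry["hash"] != self._digest(entry):
                return i
            prev = entry["hash"]
        return -1


def access_phi(log, user, role, record_type, record_id, src_ip, action="read"):
    """Apply the role matrix and log the decision, allowed or denied."""
    allowed = record_type in ROLE_PERMISSIONS.get(role, set())
    log.append(user, role, record_type, record_id, action,
               "allowed" if allowed else "denied", src_ip)
    return allowed
```

A hash chain makes edits and deletions detectable, but someone with write access to the whole file could rebuild the chain; in production the newest hash should be periodically anchored somewhere the application cannot overwrite (append-only storage, a separate log sink, or a signed checkpoint).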
Business Associate Agreements (BAAs)
Any vendor that handles PHI on your behalf — your cloud provider, your software vendor, your IT managed services company — must sign a Business Associate Agreement. A BAA establishes that the vendor understands their obligations under HIPAA and accepts liability for breaches on their end.
This is where many organizations trip up. Using a tool that processes patient data without a signed BAA is a violation, even if the tool itself is technically secure.
Data Backup and Disaster Recovery
HIPAA requires that you can recover PHI in the event of a system failure, natural disaster, or cyberattack. This means regular automated backups, tested recovery procedures, and documented disaster recovery plans.
Breach Notification
If a breach occurs, HIPAA mandates specific notification timelines. Affected individuals must be notified within 60 days. If the breach affects more than 500 people, you also need to notify HHS and local media. Your software should support the detection and documentation needed to meet these requirements.
Types of HIPAA Compliant Software
HIPAA compliance isn’t limited to electronic health records. Any software that stores, processes, or transmits PHI needs to meet these standards. Here are the major categories:
EHR/EMR Systems
Electronic health records are the most obvious category. Platforms like Epic, Cerner, and athenahealth are built from the ground up for HIPAA compliance. They handle clinical documentation, patient history, prescriptions, lab results, and care coordination — all within a compliant framework.
For large health systems, EHR selection is a multi-year, multi-million-dollar decision. For smaller practices, cloud-based options like Practice Fusion or DrChrono offer compliant alternatives at lower price points.
HIPAA Compliant Accounting Software
Healthcare organizations have a unique accounting challenge: their financial data is often intertwined with patient data. A billing record ties a patient name to a diagnosis code, insurance claim, and payment amount. That makes your accounting system subject to HIPAA requirements.
Standard accounting tools like QuickBooks or Xero are not HIPAA compliant out of the box — and neither offers a BAA. Healthcare-specific accounting platforms like Kareo (now Tebra), CollaborateMD, and AdvancedMD build compliance into their billing and practice management workflows.
If your organization uses general-purpose accounting software and processes patient billing data through it, you have a gap that needs addressing — either through a compliant alternative or through custom integration that keeps PHI out of non-compliant systems.
CRM Systems for Healthcare
A CRM that tracks patient communications, appointment history, or referral sources may contain PHI. Standard CRMs like HubSpot or Salesforce require specific configurations (and in Salesforce’s case, their Health Cloud edition) to be used in a HIPAA-compliant manner.
The critical question: does your CRM store any information that could identify a patient and their health condition? If yes, you need a HIPAA compliant CRM — or you need to architect your workflows so that PHI stays in compliant systems while your CRM handles only de-identified data.
Telehealth Platforms
The telehealth boom during and after COVID brought HIPAA compliance to the forefront for video communication. Zoom (with their healthcare plan and BAA), Doxy.me, and VSee are examples of platforms built or configured for compliant telehealth.
Regular Zoom, Google Meet, and FaceTime? Not compliant for clinical use, despite the temporary enforcement discretion HHS granted during the pandemic. That discretion has ended.
Survey and Patient Intake Tools
Online forms that collect health information — patient intake questionnaires, symptom assessments, satisfaction surveys — need to be HIPAA compliant. Tools like JotForm (HIPAA plan), Formstack, and IntakeQ offer compliant form builders with BAAs.
Using a standard Google Form or Typeform to collect patient health information is a violation, full stop.
Custom Internal Tools
Many healthcare organizations have internal workflows that don’t fit neatly into any off-the-shelf category. Patient scheduling systems that integrate with multiple facilities. Document processing pipelines that handle insurance claims and medical records. Internal dashboards that aggregate data across departments.
These are the use cases where custom software development makes the most sense. When your workflow is unique, trying to force it into a generic tool often means either compromising on compliance or compromising on functionality.
We build these kinds of systems at Scott Street. For example, AI-powered document processing is a natural fit for healthcare organizations drowning in paperwork — insurance forms, claims, referral documents — but the pipeline has to be built with HIPAA safeguards from day one.
Build vs. Buy for Healthcare Software
This is the question we hear most often from healthcare organizations: should we buy an off-the-shelf HIPAA compliant tool, or build something custom?
The honest answer is that it depends on how standard your workflow is.
When Off-the-Shelf Works
Off-the-shelf is the right choice when:
- Your needs are common. If you’re a single-location practice that needs an EHR, a patient portal, and basic billing, proven platforms like athenahealth or DrChrono will serve you well. You don’t need custom software for standard clinical workflows.
- A vendor offers exactly what you need with a BAA. If the tool fits your process and the vendor signs a BAA, you’re covered. Don’t over-engineer the solution.
- You have limited technical resources. Off-the-shelf tools handle infrastructure, security patches, and compliance updates for you. If you don’t have an IT team to maintain custom software, SaaS is the safer bet.
When Custom Makes Sense
Custom development is worth the investment when:
- Your workflow spans multiple systems. You need data flowing between your EHR, your billing platform, your CRM, and internal tools — and the integrations either don’t exist or are too limited. Custom integration layers can connect these systems while maintaining compliance at every handoff.
- Off-the-shelf tools force painful workarounds. If your team is exporting data to spreadsheets, copy-pasting between systems, or maintaining shadow databases to work around software limitations, those workarounds are both inefficient and likely non-compliant.
- You handle specialized data or workflows. Research institutions, specialty clinics, multi-facility health networks, and healthcare SaaS companies often have requirements that no standard tool addresses. Custom software built to your specifications — with HIPAA compliance baked into the architecture — eliminates the compromise.
- Scale demands it. Processing thousands of claims, managing multi-location scheduling, or running analytics across large patient datasets can push off-the-shelf tools past their limits.
If you’ve read our breakdown of custom software vs. SaaS, the same framework applies here — with the added constraint that every component touching PHI must meet HIPAA requirements.
Key Features to Look for in HIPAA Compliant Software
Whether you’re evaluating a vendor or scoping a custom build, here’s the checklist:
Encryption at rest and in transit. AES-256 for stored data, TLS 1.2+ for transmitted data. Non-negotiable.
Role-based access controls. Granular permissions tied to job function. No shared accounts. Automatic session timeout after inactivity.
Comprehensive audit trails. Every access, modification, and export of PHI is logged with user identity, timestamp, and action taken. Logs must be tamper-resistant and retained for six years.
Automatic logoff. Sessions terminate after a configurable period of inactivity. This prevents unauthorized access when someone walks away from their workstation.
Data backup and recovery. Automated backups with tested recovery procedures. Point-in-time recovery capability for critical data.
Breach detection and notification support. Monitoring for unauthorized access patterns. Alerting when anomalies are detected. Documentation capabilities that support the mandatory breach notification timeline.
BAA availability. The vendor must be willing to sign a Business Associate Agreement. If they won’t, walk away — regardless of how good the product is.
Data segregation. PHI should be isolated from non-PHI data. In multi-tenant environments, your data should be logically (or physically) separated from other customers’ data.
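The “breach detection” item on the checklist, as an added example that is not code from the article or from Scott Street: a small detector run over constructed audit log lines (the line format, users and thresholds are assumptions) that flags a user reading unusually many distinct patient records in a short window and a user accumulating repeated denied accesses, the two patterns a breach review most often needs surfaced early.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) role=\S+ action=\S+ "
                  r"record=(?P<record>\S+) outcome=(?P<outcome>\S+) src=\S+")

# Constructed sample: 'dana' reads five different patients in three minutes
# at 02:00; 'sam' is denied twice; 'lee' is ordinary daytime activity.
SAMPLE_LOG = """\
2026-01-14T09:00:05Z user=lee role=physician action=read record=p-1001 outcome=allowed src=10.0.0.7
2026-01-14T02:10:00Z user=dana role=billing_clerk action=read record=p-2001 outcome=allowed src=10.0.0.5
2026-01-14T02:10:40Z user=dana role=billing_clerk action=read record=p-2002 outcome=allowed src=10.0.0.5
2026-01-14T02:11:20Z user=dana role=billing_clerk action=read record=p-2003 outcome=allowed src=10.0.0.5
2026-01-14T02:12:00Z user=dana role=billing_clerk action=read record=p-2004 outcome=allowed src=10.0.0.5
2026-01-14T02:12:40Z user=dana role=billing_clerk action=read record=p-2005 outcome=allowed src=10.0.0.5
2026-01-14T10:00:00Z user=sam role=receptionist action=read record=p-3001 outcome=denied src=10.0.0.9
2026-01-14T10:00:30Z user=sam role=receptionist action=read record=p-3002 outcome=denied src=10.0.0.9
"""


def parse(text):
    """Parse log lines into dicts with a real timestamp, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, max_records=4, window=timedelta(minutes=10), max_denied=2):
    """Return (user, reason) alerts for bulk reads and repeated denials."""
    alerts = []
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    for user, evs in by_user.items():
        allowed = [e for e in evs if e["outcome"] == "allowed"]
        # Sliding window: distinct patient records read within `window`.
        for i, start in enumerate(allowed):
            seen = {e["record"] for e in allowed[i:] if e["ts"] - start["ts"] <= window}
            if len(seen) > max_records:
                alerts.append((user, f"{len(seen)} distinct records in {window}"))
                break
        denied = sum(1 for e in evs if e["outcome"] == "denied")
        if denied >= max_denied:
            alerts.append((user, f"{denied} denied PHI accesses"))
    return alerts
```

The thresholds should be tuned per role (a physician on rounds legitimately opens many charts; a billing clerk at 2 a.m. usually does not), and each alert should be retained alongside the audit trail so the breach-notification timeline can be reconstructed later.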
Common HIPAA Compliance Mistakes
After working with organizations across healthcare and regulated industries, these are the pitfalls we see most often:
Using Non-Compliant Communication Tools
This is the most common violation. Staff communicating about patients via regular email, text messages, Slack, or WhatsApp. Every one of these channels is a potential breach. Patient information needs to flow through encrypted, compliant channels — and your team needs to understand why forwarding a patient’s lab results via personal Gmail is not acceptable.
No BAA with Software Vendors
You can use a perfectly secure tool and still be in violation if there’s no BAA in place. Many mainstream SaaS products are technically capable of handling PHI securely, but the vendor won’t sign a BAA — which means they’re not accepting HIPAA obligations and you’re exposed. Always check BAA availability before onboarding any tool that will touch patient data.
Poor Access Controls
The “everyone has admin access” approach is surprisingly common in smaller healthcare organizations. When the same login credentials are shared across a team, or when every user has full access to every patient record, you’re violating the minimum necessary standard — the principle that employees should only access the PHI they need to do their jobs.
No Audit Trail
Some organizations implement security controls but skip the logging. Without audit trails, you can’t demonstrate compliance during an HHS investigation, you can’t detect unauthorized access patterns, and you can’t identify the scope of a breach if one occurs. An audit trail isn’t just a technical feature — it’s your legal defense.
Shadow IT in Healthcare
Staff downloading unapproved apps to “make their jobs easier” is a real problem. A nurse using a personal note-taking app to track patient follow-ups. A billing clerk storing claim information in a personal Dropbox. An office manager using a free scheduling tool that has no BAA. These well-intentioned shortcuts create compliance gaps that are invisible until something goes wrong.
Frequently Asked Questions
What software is HIPAA compliant?
Software is HIPAA compliant when it implements the technical safeguards required by the HIPAA Security Rule — encryption, access controls, audit logging, and backup procedures — and the vendor signs a Business Associate Agreement. Major compliant platforms include EHR systems like Epic and athenahealth, telehealth tools like Doxy.me, and healthcare billing platforms like Tebra. General-purpose tools like Zoom, Google Workspace, and Microsoft 365 offer HIPAA-compliant tiers with BAAs, but only on specific paid plans with proper configuration.
How do I make my software HIPAA compliant?
Start with a security risk assessment to identify where PHI is stored, transmitted, and accessed in your systems. Then implement the required safeguards: encrypt all PHI at rest and in transit, set up role-based access controls, enable comprehensive audit logging, configure automatic session timeouts, and establish backup and disaster recovery procedures. Document your policies, train your staff, and ensure every vendor handling PHI has a signed BAA. For custom software, these requirements need to be part of the architecture from day one — retrofitting compliance is significantly more expensive than building it in.
Does HIPAA apply to software developers?
Yes, if the developer has access to PHI during development, testing, or maintenance. Any company that creates, receives, maintains, or transmits PHI on behalf of a covered entity is a business associate under HIPAA. This means software development firms building healthcare tools must sign BAAs with their clients, implement security practices in their development process (no PHI in test environments unless properly secured), and train their team on HIPAA requirements. At Scott Street, we treat HIPAA compliance as an architectural requirement, not an afterthought.
What is the penalty for HIPAA non-compliance?
Penalties are tiered based on the level of negligence. Tier 1 (unaware of violation): $100-$50,000 per incident. Tier 2 (reasonable cause): $1,000-$50,000 per incident. Tier 3 (willful neglect, corrected): $10,000-$50,000 per incident. Tier 4 (willful neglect, not corrected): $50,000 per incident minimum. Annual maximums for each tier range from $25,000 to over $2 million. Criminal penalties can include fines up to $250,000 and imprisonment. Beyond penalties, breaches trigger mandatory notification costs, potential lawsuits, and reputational damage that can be far more expensive than the fines themselves.
Is cloud software HIPAA compliant?
Cloud software can be HIPAA compliant, but it isn’t by default. The cloud provider (AWS, Google Cloud, Azure) must sign a BAA and the infrastructure must be configured correctly — encryption enabled, access controls set, logging active, data residency requirements met. All three major cloud providers offer HIPAA-eligible services and BAAs. However, the responsibility is shared: the cloud provider secures the infrastructure, but you’re responsible for configuring your application, managing access, and ensuring your code handles PHI correctly. Using a HIPAA-eligible cloud service does not automatically make your application compliant.
Building Healthcare Software That Passes Audit
If your organization is dealing with PHI and your current software stack has compliance gaps — non-compliant tools, missing BAAs, manual workarounds that expose patient data — those gaps represent real risk. Not hypothetical risk. The kind that shows up in an HHS investigation or a data breach notification.
The path forward depends on your situation. Sometimes it’s as simple as upgrading to a compliant tier of tools you already use and getting BAAs signed. Sometimes it requires replacing non-compliant systems entirely. And sometimes — when your workflows are complex, span multiple systems, or don’t fit standard tools — it means building custom software with HIPAA compliance engineered into the foundation.
At Scott Street, we build custom software for healthcare organizations and other regulated industries. We’ve worked with companies processing sensitive data at scale, building the kind of secure, compliant systems that pass audit scrutiny. If your team is struggling with compliance gaps in your software stack, we can help you figure out the right approach.
Schedule a call to discuss your healthcare software needs — or get a free project estimate to understand what a compliant solution would look like for your organization.
Related reading:
- Custom Software vs. SaaS: A Decision Framework for Growing Businesses
- The Hidden Cost of Manual Data Entry — why manual workarounds cost more than you think
- Build vs. Buy Construction Software: Decision Guide — the build-vs-buy decision framework applied to a regulated industry
- Custom Software Development in Los Angeles — we build for healthcare and regulated industries across California