Checklist to create a HIPAA compliant software

Being aware of the vulnerability of health information, the US government passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996. The law requires organizations that handle health information to implement certain privacy and security measures and to inform patients when the privacy and security of their personal information are in danger. In this article, we go through the main HIPAA compliance checklist that healthcare businesses need to complete before starting their practice.


Originally, this article was published on UppLabs blog by Tonya Smyrnova.

New technologies, from electronic medical records and medical devices to mobile and web applications, are enabling doctors to improve patient health and save lives. These technologies allow medical experts to collect more information to study patient records. Such technologies and their associated data are constantly interacting and sharing health information through increasingly complex systems, which increases risks and vulnerabilities. Doctors are no longer the only custodians of sensitive health information.


The Health Insurance Portability and Accountability Act has two essential branches: the HIPAA Privacy and Security Rules for the use and disclosure of Protected Health Information (PHI). This information consists of:

  • medical voice records,
  • analysis tests,
  • scanned organs,
  • diagnoses,
  • addresses of patients.

It has to be highly protected from fraudulent actions and from disclosure to the public.

HIPAA compliance means meeting the requirements of the Health Insurance Portability and Accountability Act of 1996, its subsequent amendments, and any related legislation such as HITECH (Health Information Technology for Economic and Clinical Health).



Before we start, let’s clarify some main terms that we are going to use in this article:

  • PHI (Protected Health Information) — protected health information in accordance with the Privacy Rule contains any information that may be transmitted or stored by one of the subjects covered by the Law.
  • ePHI (Electronic protected health information) — refers to individually identifiable health information.
  • HITECH (Health Information Technology for Economic and Clinical Health) — part of the American Recovery and Reinvestment Act (ARRA) of 2009 that creates incentives related to health care information technology.
  • HHS (Health and Human Services) — The U.S. Department of Health and Human Services protects the health of all Americans and provides essential human services.
  • OCR (Optical character recognition or optical character reader) is the electronic or mechanical conversion of images of typed, handwritten, or printed text into machine-encoded text.

So, what exact steps need to be taken in order to become HIPAA compliant?


There are 4 rules that you will need to explore:

  1. HIPAA Privacy Rule — protection of the transmitted data.
  2. HIPAA Security Rule — protecting databases and data for security reasons.
  3. HIPAA Enforcement Rule — indicates enforcement procedures and procedures for punishments.
  4. HIPAA Breach Notification Rule — requires health care providers to notify individuals about health information breaches.

HIPAA compliance applies to business associates such as IT consultants, law offices, software companies, accounting services, and companies that build hardware medical devices, deal with healthcare providers, and have direct access to ePHI.

Let’s look closer at each Rule.


Given that the consumer loses control over the data at several levels, the question is who has access to the data and how to control it. There is a simple rule: access to ePHI should be limited to those who need this data. This rule can be challenging to follow if the cloud provider stores data in multiple locations (where there are other employees or contracts with third parties). The growing number of parties involved means more people are able to access ePHI in the cloud, which increases the risk of data security breaches.

The Privacy Rule:

  • expects the implementation of relevant safeguards in order to protect the privacy of Personal Health Information;
  • establishes limits and conditions on the use of the patients’ information without their authorization;
  • provides patients (or their representatives) with rights over their health information.

According to the Privacy Rule, Covered Entities have to reply to patient access requests within 30 days.

The rule also includes several recommendations to Covered Entities, like:

  • Provision of relevant training to employees to ensure they know what information can be shared outside a company.
  • Maintenance of the PHI integrity and the individual identifiers of patients.
  • Getting written permission of patients to use their information.

The full content of the HIPAA Privacy Rules can be found on the Department of Health & Human Services website.


The HIPAA Security Rule addresses compliance requirements for healthcare providers. This includes the requirements and guidelines for appropriate Administrative, Physical, and Technical Safeguards to ensure the confidentiality, integrity, and security of Protected Health Information.

In this way, the Security Rule consists of 3 parts:

  1. Administrative Safeguards
  2. Physical Safeguards
  3. Technical Safeguards

All 3 parts include relevant specifications. Some of them are required (must be implemented), and others are addressable (must be implemented if appropriate).

The Administrative Safeguards include policies and procedures that combine the Privacy Rule and the Security Rule together. They are important elements of a HIPAA compliance checklist and imply measures to protect ePHI. They include:

  • Risk assessments — required
  • Risk management policy — required
  • Contingency plan — required
  • Restricting third-party access — required
  • Training employees to be secure — addressable
  • Testing of contingency plan — addressable
  • Reporting security incidents — addressable

The Physical Safeguards concern physical access to ePHI irrespective of its location, whether it is a remote data center, the cloud, or servers. They include:

  • Policies for the Use of Workstations — required
  • Policies and Procedures for Mobile Devices — required
  • Facility Access Control — addressable
  • Inventory of Hardware — addressable

The Technical Safeguards concentrate on the technology that protects PHI and controls access to it. The standards of the Security Rule do not require knowledge of specific technologies. They include:

  • Means of Access Control — required
  • Activity Log and Audit Controls — required
  • Encryption and Decryption — addressable
  • Authentication of ePHI — addressable
  • Transmission Security — addressable


The HIPAA Enforcement Rule covers investigations, penalties, and procedures for hearings. The rule governs the penalties for those who fail to comply with HIPAA regulations and sets the necessary procedures for breach investigations. Fines range from $100 to $1.5 million. According to the HIPAA Journal, the most common violations are the following:

  1. Misuse and unauthorized disclosure of patients’ records.
  2. No protection in place for patient records.
  3. Patients unable to access their records.
  4. Disclosing to third parties more than the minimum necessary protected health information.
  5. No administrative or technological safeguards for electronic protected health information.


The Breach Notification Rule requires healthcare providers to notify their patients when a breach of unsecured PHI occurs. The Rule also provides for notifying the media and the public if the breach affects more than 500 patients.

Breach notifications should include the following information:

  • The unauthorized person who accessed the PHI or to whom the disclosure was made.
  • The nature of the PHI involved, including the types of personal identifiers.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which the risk of damage can be reduced.


One more rule is worth mentioning: the Omnibus Rule.

The HIPAA Omnibus Rule was introduced to address a number of other areas that had been omitted by previous updates to HIPAA. It modifies and clarifies definitions, procedures, and policies and expands the HIPAA compliance checklist to cover Business Associates and their subcontractors. Subcontractors are persons to whom a business partner delegates the performance of a function, work, or service for a HIPAA-covered organization or other business partners.

These rules change the definition of a business partner, improve the security and privacy of PHI, place direct responsibility on business partners, change the damage threshold in the Breach Notification Rule, and clarify the content of the business partner agreement. In the promulgated final rules, the most important point for cloud providers and consumers is that OCR’s jurisdiction extends to business partners and their subcontractors to ensure compliance with the law.




For more than 6 years we’ve been providing complex and sophisticated medical and healthcare software solutions, integrations with medical devices and software. We are experts in HIPAA compliance.

We provide business and software development support during the COVID-19 pandemic.

UppLabs is proficient in:

  • Data management solutions for hospitals and clinics
    We create highly reliable systems to support interactive communication between doctors, patients, and medication suppliers to improve the quality of healthcare.
  • Development of HIPAA-compliant and secure software
    We have huge experience with compliance and security regulations in the healthcare industry.
  • VR and AR healthcare software development
    UppLabs delivers end-to-end virtual, augmented, and mixed healthcare reality solutions for all popular devices.
  • Complex system integration with medical devices and medical software
    UppLabs uses the best cloud-based platforms like Google, Amazon, Microsoft, and the best world practices to build secure and reliable solutions for our clients.
  • Custom healthcare web and mobile applications’ development for:
    - Symptoms identification and analysis systems that automatically connect users with a particular doctor;
    - Staff and patient management systems in clinics;
    - Health monitoring systems;
    - Doctors’ marketplace;
    - Online consultation systems.
