HIPAA Compliance Basics for Healthcare Software
HIPAA — the Health Insurance Portability and Accountability Act — sets federal standards for protecting sensitive patient health information. Any software used to create, store, manage, or transmit Protected Health Information (PHI) must be configured with HIPAA requirements in mind.
This guide covers the essentials healthcare organizations need to understand when evaluating and deploying clinical software.
What Is Protected Health Information (PHI)?
PHI is any information that identifies a patient and relates to their health condition, healthcare services, or payment for those services. This includes:
- Names, dates of birth, addresses
- Medical record numbers and account numbers
- Clinical notes, diagnoses, and treatment histories
- Lab results and imaging
- Billing and insurance information
- Any other data that could identify a specific individual in a healthcare context
Electronic PHI (ePHI) is PHI stored or transmitted digitally — which covers virtually all data in a modern EMR system.
The Three HIPAA Rules
Privacy Rule
Sets standards for who can access PHI and under what circumstances. Covered entities (providers, health plans, clearinghouses) and their business associates must limit PHI use and disclosure to the minimum necessary for the purpose, and restrict access to workforce members whose role requires it.
Security Rule
Establishes specific safeguards for ePHI. The Security Rule requires:
*Administrative safeguards*: Policies and procedures for managing ePHI security, including workforce training, access management, and incident response.
*Physical safeguards*: Controls for physical access to systems that store ePHI — server locations, workstation security, device controls.
*Technical safeguards*: Technology controls including access control (unique user IDs, automatic logoff), audit controls (activity logging), integrity controls, and transmission security (encryption).
Breach Notification Rule
Requires covered entities to notify affected patients and HHS when unsecured PHI is breached, and to notify prominent media outlets as well when a breach affects more than 500 residents of a state or jurisdiction. "Unsecured" means the PHI was not rendered unreadable (for example, encrypted) in line with HHS guidance, which is why encryption matters beyond the Security Rule.
Business Associate Agreements (BAA)
When a covered entity shares PHI with a vendor — including software providers — that vendor becomes a Business Associate and must sign a Business Associate Agreement (BAA).
The BAA specifies:
- What PHI the associate can access
- Permitted uses of that PHI
- Required safeguards
- Obligations in the event of a breach
If your EMR software provider cannot or will not sign a BAA, do not use their system for patient data.
AJP Systems supports BAA execution as part of enterprise healthcare onboarding.
Practical HIPAA Requirements for EMR Software
When evaluating EMR software for HIPAA compliance, verify:
- Access controls: Unique user IDs and password requirements; role-based access limiting each user to their authorized data
- Audit logging: Records of all PHI access, creation, modification, and deletion with timestamps and user identification
- Encryption: Data encrypted in transit (HTTPS/TLS) and at rest (AES-256 or equivalent). Encryption is an "addressable" specification under the Security Rule rather than a strict requirement, but PHI encrypted per HHS guidance is not "unsecured", so a lost encrypted laptop or backup tape does not trigger breach notification the way an unencrypted one does
- Automatic session timeout: Sessions end after defined inactivity periods
- Backup and recovery: Regular encrypted backups with tested recovery procedures
- Breach response: Documented incident response procedures
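The access-control, audit-logging, and session-timeout items above are the ones a software team actually has to build, so here is a small worked example of how they fit together. This is an added illustration written for this guide, not code from AJP Systems or any EMR product. The roles, permissions, record layout, 15-minute idle limit, and HMAC key are all assumptions made up for the example; HIPAA itself specifies none of those values. The audit trail is hash-chained so that editing or deleting an entry after the fact is detectable, and denied attempts and timeouts are logged alongside successful reads, because an investigator needs to see the attempts, not only the successes.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Constructed role-to-permission map. A real EMR would load this from
# configuration; the roles and views here are illustrative only.
ROLE_PERMISSIONS = {
    "physician": {"read_demographics", "read_clinical", "write_clinical"},
    "nurse": {"read_demographics", "read_clinical"},
    "billing": {"read_demographics", "read_billing"},
}

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed inactivity limit; HIPAA sets no number


class AccessDenied(Exception):
    pass


class SessionExpired(Exception):
    pass


@dataclass
class Session:
    user_id: str          # one ID per person, never a shared login
    role: str
    last_activity: float  # epoch seconds of the last request


class PhiAuditLog:
    """Append-only audit trail. Each entry's HMAC covers its own fields plus
    the previous entry's tag, so editing or deleting an entry breaks the chain
    and verify() reports it (an integrity control over the log itself)."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _tag(self, fields, prev_tag):
        payload = json.dumps(fields, sort_keys=True).encode() + prev_tag
        return hmac.new(self._key, payload, hashlib.sha256).digest()

    def record(self, user_id, action, record_id, outcome, ts):
        prev = bytes.fromhex(self.entries[-1]["tag"]) if self.entries else b""
        fields = {"ts": ts, "user_id": user_id, "action": action,
                  "record_id": record_id, "outcome": outcome}
        fields["tag"] = self._tag(dict(fields), prev).hex()
        self.entries.append(fields)

    def verify(self):
        prev = b""
        for entry in self.entries:
            fields = {k: v for k, v in entry.items() if k != "tag"}
            expected = self._tag(fields, prev)
            if not hmac.compare_digest(expected, bytes.fromhex(entry["tag"])):
                return False
            prev = expected
        return True


class PhiStore:
    """Guards every PHI read with a session-timeout check, a role check,
    and an audit entry (denied attempts and timeouts are logged too)."""

    def __init__(self, audit, now=time.time):
        self._audit = audit
        self._now = now  # injectable clock so the timeout can be exercised
        # Constructed sample record, split into views that map to permissions.
        self._records = {
            "MRN-0001": {
                "demographics": {"name": "Jane Doe", "dob": "1980-01-01"},
                "clinical": {"dx": "E11.9"},
                "billing": {"balance": 120.0},
            }
        }

    def _touch(self, session):
        now = self._now()
        if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
            self._audit.record(session.user_id, "session_timeout", None, "expired", now)
            raise SessionExpired(f"{session.user_id}: idle too long, re-authenticate")
        session.last_activity = now
        return now

    def read(self, session, record_id, view):
        now = self._touch(session)
        permission = f"read_{view}"
        allowed = permission in ROLE_PERMISSIONS.get(session.role, set())
        self._audit.record(session.user_id, permission, record_id,
                           "allowed" if allowed else "denied", now)
        if not allowed:
            raise AccessDenied(f"{session.user_id} ({session.role}) may not {permission}")
        return dict(self._records[record_id][view])


if __name__ == "__main__":
    log = PhiAuditLog(b"audit-hmac-key-from-your-kms")  # assumed key source
    store = PhiStore(log)
    print(store.read(Session("dr.lee", "physician", time.time()), "MRN-0001", "clinical"))
    print(log.verify(), log.entries)
```

Two design points worth carrying into a real system: the audit log must be written before the data is returned (and must record denials), and the HMAC key for the log should live somewhere the application's database account cannot read, otherwise an attacker with database access can rewrite the chain as easily as the entries.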
What HIPAA Compliance Is Not
HIPAA does not certify software. There is no government-issued "HIPAA certified" designation. When vendors claim "HIPAA certification," they are either referring to a third-party audit of their security practices (for example a SOC 2 report or HITRUST assessment) or overstating their compliance posture. Ask for the audit report and its scope rather than accepting the label.
The compliance responsibility is shared: the software provider implements technical safeguards, and the healthcare organization configures and uses the system according to HIPAA requirements.