16 February 2026HIPAA is a United States federal regulation that governs how protected health information must be handled. If your LIMS, ELN or data management system touches patient data for US-based healthcare organisations, you need to understand what HIPAA actually requires and what happens when you get it wrong.
This guide breaks down what data needs protection, which technical controls are mandatory and how to build compliant systems.
Part 1: Understanding what HIPAA protects
Protected Health Information (PHI)
HIPAA protects individually identifiable health information - any data that relates to someone's health condition, healthcare services or payment for those services when it can be linked to a specific person.
The "individually identifiable" part matters. Health data becomes PHI when you can connect it to a person through names, medical record numbers, Social Security numbers, dates related to care, geographic data smaller than a state, device identifiers, biometric data or any unique identifying code.
Lab software typically handles PHI when it processes patient samples, stores test results linked to patient IDs or manages clinical data for research involving identifiable subjects.
When HIPAA applies to your Lab Software
HIPAA applies to covered entities (healthcare providers, health plans, clearinghouses) and their business associates. If you build software for a diagnostic lab, research facility or clinical lab that handles PHI, you are a business associate. This means you must sign a Business Associate Agreement (BAA), implement HIPAA's technical safeguards and report breaches according to federal timelines.
Cloud providers (AWS, Azure, Google Cloud) will sign BAAs for their infrastructure, but your application code, configurations and processes remain your responsibility.
Part 2: Technical safeguards that matter
HIPAA's Security Rule breaks Technical Safeguards into two types of controls: Required and Addressable. "Required" means mandatory. "Addressable" means you must implement it if reasonable and appropriate or document an equivalent alternative. Treat addressable as required unless you have a documented reason not to.
Access Controls
- Unique User Identification Required
Every person who uses the system needs a unique identifier. Shared accounts like "lab_user" or "admin" violate HIPAA. Your authentication system must assign unique usernames, prevent username reuse after termination, and track actions to specific individuals. - Emergency Access Procedures Required
Systems need a documented process for accessing ePHI during emergencies when normal authentication is unavailable. This typically means break-glass credentials with audit trails. - Automatic Logoff Addressable
Sessions should terminate after inactivity. Common timeouts are 15-30 minutes for systems handling sensitive data. - Encryption and Decryption Addressable
Data must be encrypted at rest and in transit. Use TLS 1.2 or higher for transmission. For data at rest, use AES-256 or equivalent. Encryption keys must be managed separately from the encrypted data.
Audit Controls Required
HIPAA requires mechanisms to record and examine access to ePHI: who accessed what data, when, what actions they took, and from where.
Logs must be tamper-evident, retained according to organisational policy (typically 6-7 years), and regularly reviewed for unauthorised access.
Build audit logging into your data model from the start. Retrofitting audit trails is expensive and error-prone. Consider database triggers, event sourcing patterns, or dedicated audit tables that capture changes automatically.
Logs should capture authentication attempts, data access and modifications (including old value, new value, who changed it, when, and why), permission changes, and system configuration changes.
Integrity Controls Addressable
Implement mechanisms to confirm that ePHI has not been altered inappropriately: checksums or hashes for critical data, digital signatures for documents, version control, and validation routines that detect corruption.
Transmission Security Addressable
Protect ePHI during electronic transmission: use HTTPS with TLS 1.2+ for all web traffic, encrypt data before sending via email or file transfer, use VPNs or secure channels for system-to-system communication, and validate certificates.
Part 3: Administrative and physical safeguards
Risk Assessment Required
HIPAA requires periodic risk assessments to identify threats to ePHI. This is not paperwork for auditors. It is a useful exercise that helps prioritise security investments.
A risk assessment should identify where ePHI exists, map data flows, identify potential threats, evaluate existing controls and determine residual risk and mitigation priorities. Document findings and use them to drive security decisions.
Incident Response Required
You must have documented procedures for responding to security incidents: how to detect and report suspected breaches, who investigates and makes decisions, how to contain and remediate incidents, and when to notify affected individuals and regulators. Practice your incident response before you need it.
Part 4: When things go wrong
Breach notification requirements
A breach is unauthorised access, use or disclosure of PHI that compromises its security or privacy. HIPAA requires notification when unsecured PHI is breached.
For breaches affecting fewer than 500 individuals:
- Notify affected individuals within 60 days of discovering the breach
- Notify HHS by the end of the calendar year in which breaches were discovered (annual reporting)
For breaches affecting 500 or more individuals:
- Notify affected individuals within 60 days
- Notify HHS without unreasonable delay (within 60 days of discovery)
- Notify prominent media outlets in affected states
What makes PHI "secured": If PHI is encrypted using HIPAA-specified methods and the encryption keys were not compromised, a breach of encrypted data may not trigger notification requirements. Encryption is your best defense against breach notification obligations.
Penalties
HIPAA violations carry serious consequences:
Civil penalties: range from $145 to over $2 million per violation depending on the level of culpability. Willful neglect that goes uncorrected results in the highest tier of penalties.
Criminal penalties: knowing violations can result in fines up to $250,000 and ten years imprisonment for violations with intent to profit or cause harm.
Beyond regulatory penalties, breaches damage reputation and trigger lawsuits. Industry reports show healthcare data breaches among the costliest across all sectors, often exceeding $10 million in total costs. For early-stage companies, a major breach can be existential.
Part 5: Practical implementation
Building HIPAA compliant systems
If you are designing lab software that will handle PHI, start with architecture decisions: plan for encryption at rest and in transit from day one, design audit logging as a first-class feature, implement role-based access control, build authentication that supports unique user identities, and design secure session management with automatic timeout.
Implement defense in depth by layering multiple security controls, assuming any single control can fail, monitoring continuously for anomalies, and testing security regularly. Document everything. Maintain security policies and procedures, document risk assessments and mitigation plans, keep evidence of compliance activities, and update documentation as systems change. Auditors and clients will ask for evidence of your security posture.
Working with regulated customers
If you sell software to healthcare organizations, expect detailed security questionnaires during procurement. Be prepared to provide documentation of your HIPAA capabilities, evidence of security testing, your incident response procedures, details on data handling and storage, and information about subcontractors who may access PHI.
Support customer validation by providing sandbox environments for testing, offering documentation packages, giving advance notice of changes, and maintaining your own validation evidence.
Ongoing compliance
HIPAA compliance requires ongoing attention: review and update risk assessments annually, conduct security testing regularly, train new employees and refresh existing training, review access permissions quarterly, monitor audit logs for anomalies, keep systems patched, and test incident response procedures.
Budget 10-15% of your initial security investment annually for maintenance and updates.
Key Takeaways
HIPAA compliance comes down to three things:
- Know what data you are protecting. Understand when information qualifies as PHI and where it lives in your system.
- Implement the required controls. This means unique user IDs, comprehensive audit trails, encryption, and access controls. These are not optional.
- Document your approach. Risk assessments, policies, training records, and incident response plans prove you take compliance seriously.
The organisations that handle HIPAA well treat it as a design constraint, not an afterthought. They build security into architecture decisions, automate compliance where possible, and maintain evidence of their work.
If your lab software handles PHI, HIPAA compliance is not something you can skip or fake. Auditors will find gaps. Clients will ask detailed questions. Breaches will expose weaknesses. Build it right from the start.
Need help designing HIPAA-compliant lab software? We have built systems for diagnostic labs, biotech companies, and research organisations that handle sensitive health data. Get in touch to discuss your requirements.
