HIPAA

HIPAA establishes national standards for the protection of Protected Health Information (PHI) — any data that can identify a patient and relates to their health condition, treatment, or payment. For software companies handling health data, HIPAA compliance requires encryption at rest and in transit, access controls with audit logging, Business Associate Agreements (BAAs) with all vendors who touch PHI, and breach notification procedures. HIPAA violations carry penalties up to $1.5 million per violation category per year. Building HIPAA-compliant software requires architectural decisions from day one — data isolation, audit trails, and access controls can't be bolted on after the fact.