Vladimir Tutov July 1st, 2020

HIPAA Compliance Web Development – Tips to Use and Pitfalls to Avoid

With the development of artificial intelligence and technologies to analyze big data, the value of sensitive personal data has increased greatly. So have the opportunities for its use by scammers.

Sensitive data is the biggest target for hackers of all types, and because of this, confidential medical records are considered even more valuable than credit card and bank account information, especially if you have something like a student bank account.

If you plan to design a website, application, or Internet of Things (IoT) technology that will collect and store confidential health records of your users, then HIPAA rules are a major consideration. In this article, we will explain the issues in more detail and help you avoid problems.

HIPAA Rules and Sensitive Data

If you plan to create a technical solution for a company in the field of medicine and/or health, then the Health Insurance Portability and Accountability Act (HIPAA) regulations must be followed. HIPAA defines the procedure for storing, processing, and deleting data to ensure sensitive medical information collected through sites and applications stays secure. This means that your web development project must meet the criteria to be considered HIPAA compliant.

Health information has the greatest value on the black market, which can make it difficult to detect the theft of medical information. Your ability to protect the personal information of your users is a direct indicator of the site’s reputation and the basis for trust with the client.

In comparison, when fraudsters hack your credit card, you will know about it once you review your statement or when the card issuer’s fraud department alerts you. But in the case of health information, the patient may never suspect that his or her sensitive data has landed in the hands of criminals. This information can be used to illegally purchase prescription drugs, traffic drugs, and commit organ transplant fraud, or to blackmail a person whose information has been stolen. One of the primary tasks of the site developer is to protect this data by handling it in accordance with the standards.

How to Make Your Website or App HIPAA Compliant

Below are the basic HIPAA requirements for sites that store sensitive medical data.

SSL Protection 

A Secure Sockets Layer (SSL) certificate for the site is how one can recognize that the personal data of users on the site is protected. The absence of this certificate is the reason why a browser displays a warning about an insecure connection, which leads to user distrust. Some web surfers leave the site as quickly as possible fearing that hackers can gain access to data stored on their personal computers using an open connection. As for the healthcare industry, the absence of such a certificate is a big mistake because the site will run afoul of HIPAA regulations, and users will be hesitant to store their data in a place where it can be compromised.

Full Data Encryption

This requirement means that all data that you store in the cloud must also be fully encrypted. That means you need to choose your cloud provider with the utmost care to ensure that sensitive data is protected. You need to choose a reliable host that adheres to HIPAA requirements and takes Protected Health Information (PHI) seriously.

Full Data Backup

If your site, application, or device works with sensitive medical data, you must have copies of the data, and it must be stored in an even more reliable place with stronger encryption than the original source.

Permanent Data Deletion

There is a flip side of the coin: as soon as the storage of personal client information is no longer necessary (for example, when the client no longer uses your services), you must immediately get rid of all the information related to the person. It’s not enough to just click the delete button. The information should be deleted correctly so the server does not store traces of it to make it impossible to restore personal data that is no longer relevant to your business.
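The point that clicking delete is not enough can be checked directly. This is an added illustration, not part of the original article: it assumes, purely for demonstration, that records live in a SQLite file, and the table name, column names and marker value are constructed.

```python
import os
import sqlite3
import tempfile

# Constructed sample value standing in for one patient's record content.
MARKER = b"PATIENT-0002-CONSTRUCTED-DIAGNOSIS"


def residue_after_delete(secure_delete: bool) -> bool:
    """Delete one record, then report whether its bytes remain in the raw database file."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        conn = sqlite3.connect(path, isolation_level=None)  # autocommit mode
        conn.execute("CREATE TABLE records (patient_id INTEGER PRIMARY KEY, note TEXT)")
        # Set the mode explicitly: the compiled-in default differs between SQLite builds.
        conn.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
        conn.executemany(
            "INSERT INTO records VALUES (?, ?)",
            [(1, "constructed note A"), (2, MARKER.decode()), (3, "constructed note B")],
        )
        conn.execute("DELETE FROM records WHERE patient_id = ?", (2,))
        # From the application's point of view the record is gone either way.
        visible = conn.execute(
            "SELECT COUNT(*) FROM records WHERE patient_id = 2"
        ).fetchone()[0]
        assert visible == 0
        conn.close()
        # Look at the file the way someone with disk or backup access would.
        with open(path, "rb") as f:
            return MARKER in f.read()
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("plain DELETE leaves residue:   ", residue_after_delete(False))
    print("secure_delete leaves residue:  ", residue_after_delete(True))
```

The setting only covers the live database file; copies of the record in backups, replicas and exported files have to be removed through their own procedures.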

HIPAA Compliance Officer

If your company works with medical data of a type that allows patient identification, you need to constantly monitor the database it is stored in and verify compliance with the HIPAA requirements. As with any regulation, changes to HIPAA laws are also possible, especially with further development of big data technologies and machine learning. Unfortunately, hackers are coming up with more and more new methods of tricking security systems. Therefore, it is better to hire a responsible person whose primary task will be to monitor changes in legislative regulations and immediately make appropriate suggestions to strengthen security measures on the site.

Limited Access

The human factor must also be taken into account. Both the user interface and back end of your site should be designed in a way that only the users have access to their data, and only one administrator (the most trusted person possible) has access to the administrative panel of the site and the information stored. Moreover, both users and the administrator need to change passwords as often as possible. This is a general security requirement, but practice shows that this action has saved data from theft on many occasions.


The procedure for working with data and ensuring its security is one of the most important requirements for creating IT solutions in the healthcare sector. That is why it makes sense to choose developers and vendors who have a clear understanding of the HIPAA guidelines. For example, the Archer Software team can help you with the implementation of such a solution with all the necessary data protection standards.

Photo by Martha Dominguez de Gouveia on Unsplash

Vladimir Tutov

Head of R&D, PMP, Archer Software. Vladimir is an experienced project and product manager with a technical background, having delivered 30+ software development projects using modern frameworks and approaches: PMBoK, Scrum, Kanban, SAFe, Lean Startup, Design Thinking, Management 3.0.
