ℐ've stood on both sides of the curtain. I've been the healthcare worker frantically trying to access patient data through a system designed by someone who clearly never set foot in a hospital. And I've been the developer building healthcare tech, suddenly understanding why every nurse I've ever worked with has trust issues with software.
Here's the uncomfortable truth: Most developers building healthcare tech have never worked in healthcare. They understand encryption and APIs, but they don't understand why a nurse might need to pull up patient info mid-code blue, or why "just add another step for security" might literally cost someone their life.
HIPAA compliance isn't just a checklist. It's about protecting real people at their most vulnerable—and doing it in a way that doesn't turn clinicians into data entry clerks or create so much friction that workarounds become the norm.
So let's talk about the 7 things developers consistently get wrong—and how to fix them.
Mistake #1: Thinking HIPAA Is Just About Encryption
What developers think: "We encrypt data at rest and in transit. We're HIPAA compliant!"
What that actually means: You've checked one box out of dozens.
Yes, encryption is critical. But HIPAA is about all Protected Health Information (PHI)—not just what's in your database. That includes:
- Data in logs (are you logging patient names? You shouldn't be)
- Error messages displayed to users (don't expose PHI in error text)
- Email notifications ("Your appointment with Dr. Smith is confirmed" might be fine; "Your HIV test results are ready" is not)
- Third-party integrations (every vendor you send data to needs a BAA—Business Associate Agreement)
- Backups (are your backups encrypted? Are they being properly destroyed when no longer needed?)
"HIPAA compliance is like an iceberg. Encryption is the visible tip. The real work is what's underneath."
Mistake #2: Over-Engineering Access Controls
What developers think: "Security = more authentication steps!"
What clinicians experience: A system so locked down it's unusable in emergencies.
I've watched nurses need to access a patient's allergy list during a code blue—a literal life-or-death moment—and get blocked by a system requiring:
- Password login
- Two-factor authentication
- Reason for access
- Manager approval
By the time the system granted access, the moment had passed. The nurse used a workaround (asked someone else who was already logged in). Your "secure" system just became less secure because it was too cumbersome.
The fix: Role-based access control (RBAC) that balances security with usability. Emergency access pathways with audit trails. Yes, log everything—but don't make critical information inaccessible when seconds matter.
Mistake #3: Ignoring Audit Trails
What developers think: "We have user authentication. That's enough."
What HIPAA requires: Comprehensive audit trails showing who accessed what, when, and why.
Here's why this matters: When a celebrity gets admitted to your hospital, you will have staff trying to peek at their chart. When there's a data breach, you need to know exactly what was compromised. When a patient complains about a privacy violation, you need receipts.
What to log:
- Every access to PHI (who, what, when)
- Failed login attempts
- Data exports or downloads
- Changes to permissions
- System configuration changes
- Any emergency access overrides
What NOT to log: The actual PHI itself. "User Jane accessed patient 12345's chart" is fine. "User Jane accessed John Smith's HIV diagnosis" is a HIPAA violation waiting to happen.
Mistake #4: Not Understanding Minimum Necessary
What developers think: "Let's show all patient data on one dashboard for convenience!"
What HIPAA requires: Minimum necessary—only show what's needed for the task at hand.
A billing clerk doesn't need to see clinical notes. A scheduler doesn't need to see lab results. A front desk admin doesn't need to see diagnosis codes.
The fix: Design interfaces that show only what's relevant to the user's role. Can a physician see everything? Usually, yes. But tailor views based on job function. This isn't just compliance—it's good UX. Don't overwhelm users with irrelevant data.
Mistake #5: Treating Patient Portals Like Social Media
What developers think: "Let's make it engaging! Push notifications! Auto-share on social!"
What patients need: Privacy and control over their health information.
Push notifications for healthcare need to be extremely careful. "Your test results are ready" on a lock screen? That might be okay. "Your STI test is positive"? Absolutely not.
And for the love of all that is holy: never, ever auto-share health information to social media. Not engagement metrics. Not workout stats. Not "milestones." Make sharing opt-in, explicit, and clearly explained.
"Health data isn't content. It's not engagement bait. Treat it with the gravity it deserves."
Mistake #6: Assuming "The Cloud" Is HIPAA Compliant
What developers think: "We use AWS/Azure/GCP. Those are secure, right?"
Reality check: Cloud providers can be HIPAA compliant—if you configure them correctly and sign a BAA.
Just because AWS offers HIPAA-eligible services doesn't mean your specific setup is compliant. You need:
- A signed BAA with your cloud provider
- Properly configured encryption (at rest and in transit)
- Access controls and logging enabled
- Regular security audits and risk assessments
- Disaster recovery and backup plans
- Policies for data retention and destruction
And every third-party service that touches PHI—analytics tools, email services, chatbot platforms—needs a BAA too. No BAA = no PHI. Period.
Mistake #7: Not Training Users
What developers think: "We built a secure system. We're done."
What actually happens: Users write passwords on sticky notes, share logins, and circumvent security because they were never trained on why it matters.
HIPAA requires regular training for all workforce members. And that training needs to be more than "don't do bad things." It needs to explain:
- Why security matters: Real-world examples of breaches and consequences
- How to use the system securely: Step-by-step guidance
- What to do in emergencies: When to override, how to request access, who to contact
- How to report incidents: No-blame culture that encourages reporting
Developer responsibility: Build systems that are secure by default but intuitive to use. If your security measures are so cumbersome that users work around them, you've failed—not the users.
What HIPAA Actually Requires: The Essentials
Okay, enough doom and gloom. Let's break down what you actually need to be HIPAA compliant:
Technical Safeguards:
- Unique user IDs and authentication
- Automatic logoff after inactivity
- Encryption of PHI (at rest and in transit)
- Audit controls and logs
- Integrity controls (prevent improper alteration/destruction)
Physical Safeguards:
- Facility access controls
- Workstation security (lock screens, positioned away from public view)
- Device and media controls (proper disposal, reuse, accountability)
Administrative Safeguards:
- Risk assessments (regular and documented)
- Workforce training
- Incident response plan
- Business Associate Agreements (BAAs) with all vendors
- Policies and procedures (documented, reviewed, updated)
Building Healthcare Tech That Doesn't Suck
Here's the thing about HIPAA compliance: it's not just about checking boxes to avoid fines. It's about respecting the fact that you're handling the most personal, sensitive information in someone's life.
When I'm building healthcare tech, I think about my family. Would I want their HIV status logged in plaintext? Would I want their mental health history accessible to anyone with database credentials? Would I want their cancer diagnosis plastered across a push notification on a locked phone screen?
Hell no.
So I build systems that:
- Are secure by default, not as an afterthought
- Balance security with usability (because workarounds are the enemy of security)
- Respect clinical workflows (because frustrated clinicians make mistakes)
- Log everything without exposing PHI
- Make privacy visible and understandable to patients
- Fail safely (if something breaks, default to "no access" not "access everything")
"The best HIPAA-compliant system is one where clinicians don't even think about security—because it just works."
Resources to Actually Get This Right
If you're building healthcare tech, bookmark these:
- HHS HIPAA Guidance: The official word from the Department of Health & Human Services. Dry, but authoritative.
- NIST Cybersecurity Framework: Technical standards that align with HIPAA requirements.
- HITRUST CSF: Common Security Framework—basically HIPAA compliance on steroids. If you're building enterprise health tech, aim for this.
- Penetration testing: Hire actual security professionals to try breaking your system. Fix what they find.
And honestly? Talk to clinicians. Not just once during requirements gathering, but throughout development. Show them prototypes. Watch them use your system. Listen when they say "this workflow doesn't make sense" or "this will create workarounds."
Because the best security is the kind that users don't fight. And the only way to build that is by understanding their actual work.
The Bottom Line
HIPAA compliance isn't glamorous. It won't win you design awards or TechCrunch headlines. But it's the baseline for building healthcare tech that doesn't actively harm people.
So encrypt your data. Sign your BAAs. Log your access. Train your users. Build systems that balance security with usability. And for the love of everything holy, never log PHI in plaintext.
Because at the end of the day, that's not just a patient record you're protecting. It's someone's mother. Someone's child. Someone at their most vulnerable. Build accordingly.