Back to Journal
Health Technology 11 min read

How to Build a HIPAA-Compliant Health App

What HIPAA actually governs, the technical safeguards you owe, the Business Associate Agreements teams forget, and an architecture that shrinks your compliance scope instead of expanding it.

Key Takeaways

  • HIPAA governs protected health information (PHI) through the Privacy Rule and the Security Rule, and it binds both covered entities and their business associates.
  • The Security Rule requires technical, administrative, and physical safeguards together — encryption alone does not make an app compliant.
  • You need a signed Business Associate Agreement with every vendor and subprocessor that can touch PHI, including your cloud provider and any LLM or AI API.
  • Sending PHI to a no-BAA model API is one of the most common and most serious compliance failures in modern health apps.
  • The cheapest compliance strategy is architectural: collect less PHI, de-identify aggressively, and push processing on-device to shrink the surface that HIPAA applies to.
  • Neurodata raises the stakes further — it is intimate, hard to de-identify, and deserves on-device-first handling by default.

Building a health app that handles real patient data means designing for the Health Insurance Portability and Accountability Act (HIPAA) from the first commit, not bolting it on before launch. Retrofitting compliance onto a system that was not designed for it is one of the most expensive and demoralizing rewrites in software. The good news: most of HIPAA, for an engineer, reduces to a handful of safeguards and one discipline — knowing exactly where protected health information lives and who can touch it.

What does HIPAA actually govern?

HIPAA protects protected health information (PHI): individually identifiable health information — diagnoses, treatments, biometric readings, anything that ties a health fact to a person — that is created, received, stored, or transmitted in the course of care. The moment health data can be linked to an identifiable individual, you are handling PHI, and HIPAA's rules attach.

Two rules do most of the work:

  • The Privacy Rule governs how PHI may be used and disclosed — the principle of minimum necessary use, patient rights over their own data, and the limits on sharing it.
  • The Security Rule governs PHI in electronic form and mandates the safeguards — technical, administrative, and physical — that keep it confidential, intact, and available.

Critically, HIPAA binds two kinds of organizations: covered entities (providers, health plans, and clearinghouses) and the business associates that handle PHI on their behalf. If your app processes PHI for a clinic or insurer, you are a business associate, and the Security Rule applies directly to you — not just to your client.

What technical safeguards does a HIPAA app require?

The Security Rule's technical safeguards translate into a concrete engineering checklist. None of these is optional theater; each maps to a real failure mode that has caused real breaches.

HIPAA technical safeguards

Security Rule

The non-negotiable technical controls every PHI-handling system owes.

Encryption in transitTLS for every connection that carries PHI — no exceptions for internal services.
Encryption at restPHI encrypted in databases, object storage, backups, and on the device.
Access controlRole-based access so each user and service sees only the minimum necessary PHI.
Audit loggingA tamper-evident record of who accessed which PHI, when, and from where.
Automatic logoffIdle sessions terminate so an unattended device does not leak PHI.
Integrity controlsMechanisms to detect that PHI has not been improperly altered or destroyed.

Technical controls alone do not make you compliant. The Security Rule also requires administrative safeguards — formal risk assessments, workforce training, an assigned security officer, and an incident-response plan — and physical safeguards over the devices, servers, and facilities where PHI lives. An app with perfect encryption and no risk assessment is still out of compliance.

Why are Business Associate Agreements where teams fail?

Here is the single most common, most serious mistake in modern health software: routing PHI to a vendor that has not signed a Business Associate Agreement.

A Business Associate Agreement (BAA) is a contract that makes a vendor legally accountable for protecting the PHI you pass to it. You need a signed BAA with every vendor and subprocessor that can touch PHI — and the chain is longer than people assume:

  • Your cloud provider. The major clouds offer BAAs, but only for a defined list of in-scope services, and you must execute the agreement and stay within that list.
  • Any analytics, logging, error-tracking, email, or SMS vendor that could receive PHI in a payload, a stack trace, or a notification.
  • Any LLM or AI API that could see PHI in a prompt. This is the trap of the moment. Teams wire a model into a health workflow and pipe patient data straight into an API that never signed a BAA. If PHI can reach the model, you need a BAA with that provider — or you must de-identify the data so completely that it is no longer PHI before it ever leaves your system.

How should the architecture itself reduce your risk?

The most effective compliance strategy is not a control you add — it is PHI you never create. The less PHI flows through your system, the smaller the surface that HIPAA governs, and the cheaper everything downstream becomes. Three architectural moves do the heavy lifting:

  • Minimize and de-identify. Collect only the data the feature genuinely needs, and de-identify aggressively the moment full identifiers are no longer required. Data that is not PHI is not subject to the Security Rule.
  • Mind data residency. Know which jurisdictions your PHI is stored and processed in, and keep it within the regions your agreements and obligations allow.
  • Push processing on-device. When sensitive computation runs on the user's own device, the raw data may never enter your infrastructure at all — which is the strongest possible scope reduction. Our neurotech pipeline does exactly this: the full clean-and-featurize path for EEG runs on the phone, so raw neural signal never leaves it. We walk through that design in processing raw EEG data for real-time BCI, and the broader decision in choosing between on-device and cloud AI.

On-device processing is not a magic HIPAA exemption — you still owe safeguards over anything you transmit or store, and the device itself needs encryption and automatic logoff. But as a default posture, doing the sensitive work at the edge is one of the most powerful tools you have for keeping compliance scope small.

What are the most common HIPAA mistakes to avoid?

  • Sending PHI to a no-BAA API. Covered above, and worth repeating because it is so prevalent.
  • Logging PHI in plaintext. Patient data in application logs, stack traces, or a third-party log aggregator is a silent breach waiting to be discovered. Redact before you log.
  • No audit trail. If you cannot answer "who accessed this record and when," you cannot satisfy the Security Rule or investigate an incident.
  • Over-collecting data. Every extra field you store is extra liability with no corresponding safeguard benefit. Minimum necessary is a design principle, not just a legal phrase.

A pragmatic build checklist

Roughly in order, this is how we sequence a compliant build so that the expensive decisions happen before the code that depends on them:

  1. Map the PHI. Diagram every place PHI is created, stored, transmitted, and processed, including every third party in the path. This data-flow map is the foundation for everything else.
  2. Run a risk assessment. Identify where PHI is exposed and rank the risks. This is an administrative-safeguard requirement, not a nicety.
  3. Execute BAAs. Sign agreements with every in-scope vendor and subprocessor before any real PHI flows to them.
  4. Encrypt everywhere. TLS in transit, strong encryption at rest across databases, storage, backups, and devices.
  5. Build access control and audit logging. Role-based permissions plus a tamper-evident access trail, in from the start.
  6. Add session controls. Automatic logoff and integrity checks on PHI.
  7. Minimize and de-identify. Cut every field you do not need; strip identifiers as early as the workflow allows.
  8. Redact logs and harden telemetry. Guarantee PHI cannot leak through logs, crash reports, or analytics.
  9. Document and train. Policies, an incident-response plan, and workforce training — the parts engineers forget and auditors check first.

Why neurodata raises the stakes

If your app touches neurodata, treat it as the most sensitive payload in the building. Neural signals are intimate, can reveal far more than a single health fact, and are notoriously hard to truly de-identify. When such data is handled in a clinical context by a covered entity or business associate, it is PHI and every rule above applies. Even outside that scope, the responsible default for our consumer EEG work on BrainCare is the strictest one: process on-device by default, retain as little as possible, and never route raw neural data to a vendor without a BAA. The sensitivity of the data should set the floor for your controls, not the letter of which rule technically applies.

From safeguards to a shipped product

HIPAA-grade health software is less about heroics and more about discipline: know where PHI lives, lock down every path it travels, sign the agreements, and design so that most of it never leaves the user's device in the first place. That discipline is exactly the kind of work an implementation team has to own end-to-end — see what a technology implementation studio is for why the architecture and the compliance posture cannot be split across vendors.

Game Changer Labs builds in this space — from privacy-first neurotech to sensitive health data systems — designing for compliance from the architecture up rather than bolting it on at the end. If you are building something that handles health data, we can help you get the foundations right the first time.

Frequently Asked Questions

What does HIPAA actually govern?

HIPAA governs protected health information (PHI): individually identifiable health information that is created, received, stored, or transmitted by a covered entity or its business associates. Its two core rules are the Privacy Rule, which limits how PHI may be used and disclosed, and the Security Rule, which mandates safeguards for PHI held in electronic form. It applies to healthcare providers, plans, and clearinghouses, and to the vendors that handle PHI on their behalf.

What technical safeguards does a HIPAA app need?

At minimum: encryption of PHI in transit and at rest, role-based access control so users see only what their role permits, audit logging of every access to PHI, automatic logoff of idle sessions, and integrity controls that detect tampering. These technical safeguards must be paired with administrative safeguards such as risk assessments and workforce training, and physical safeguards over the devices and facilities where PHI lives.

Do I need a Business Associate Agreement with my AI or LLM provider?

Yes, if any protected health information could reach that provider. A Business Associate Agreement (BAA) is a contract that makes a vendor legally accountable for protecting PHI. Sending PHI to a large language model API that has not signed a BAA is a HIPAA violation, full stop. Either sign a BAA with a provider that offers one, or de-identify the data so thoroughly that it is no longer PHI before it leaves your system.

How does on-device processing affect HIPAA compliance?

Processing data on the user's own device can dramatically shrink your compliance scope, because data that never leaves the device is far easier to secure and may avoid creating new copies of PHI in your infrastructure at all. It is not an automatic exemption, and you still owe safeguards over anything you transmit or store, but on-device-first architecture is one of the most effective ways to reduce the surface area that HIPAA applies to.

What are the most common HIPAA mistakes in health apps?

Sending PHI to a third-party API with no BAA, logging PHI in plaintext where engineers and log aggregators can read it, having no audit trail of who accessed what, and over-collecting data you do not need. Each one is common, each one is avoidable, and each one can turn a single incident into a reportable breach.

Is neurodata treated differently under HIPAA?

If neurodata is handled by a covered entity or business associate in a clinical context, it is PHI like any other and the same rules apply. Even outside that scope, neurodata is exceptionally sensitive and hard to de-identify, so the responsible engineering default is to treat it with the strictest controls regardless: process it on-device where possible, minimize what you retain, and never route it to a vendor without a BAA.

Does HIPAA apply to a consumer wellness app?

Not always. HIPAA applies when you are a covered entity or acting as a business associate handling PHI on one's behalf. A purely direct-to-consumer wellness app may fall outside HIPAA, but it can still be subject to other privacy laws, app-store health-data rules, and breach-notification statutes. The safe posture is to engineer to HIPAA-grade safeguards anyway, because it is far cheaper than retrofitting them once a clinical partnership or regulation pulls you into scope.

Game Changer Labs

Have a project that needs to ship?

Game Changer Labs designs and builds production systems across AI, neurotech, civic, and spatial computing. Tell us what you are building and we will scope it.

Start a projectSee our work

Keep Reading

Neurotechnology

How to Process Raw EEG Data for Real-Time BCI Applications

Read
AI Engineering

On-Device vs Cloud AI: How to Choose

Read
Published: April 2, 2026Game Changer Labs