HIPAA Compliance Checklist for Healthcare Software in 2025
HIPAA is not optional, and in 2025 it is getting significantly stricter. In January 2025 the Department of Health and Human Services (HHS) published a proposed rule (a Notice of Proposed Rulemaking) that would rewrite the Security Rule, removing the "addressable" category so that every safeguard becomes mandatory. It is not yet final, but it tells you where enforcement is heading. If you're building or buying healthcare software, or working with a vendor who handles patient data, this checklist is essential reading.
2025 Change Alert: Under the proposed rule, encryption of electronic Protected Health Information (ePHI) at rest and in transit becomes mandatory rather than "addressable". Multi-Factor Authentication (MFA) becomes required for access to systems holding ePHI, with only narrow, documented exceptions.
The Complete 2025 HIPAA Compliance Checklist
Use this checklist for any new healthcare software build, vendor evaluation, or annual internal audit.
All electronic Protected Health Information must be encrypted at rest and in transit. The rule text requires encryption consistent with prevailing cryptographic standards rather than naming algorithms; in practice that means AES-256 (in an authenticated mode such as GCM) for data at rest and TLS 1.2 or higher for data in transit, with keys held in a managed key store rather than in application code or config. Treat this as a hard requirement, not a recommendation.
Every user, including third-party vendors and administrators, must authenticate via MFA before accessing any system containing ePHI. Password-only access is no longer compliant; the only exceptions the proposed rule allows are narrow ones (for example certain regulated medical devices) and each must be documented.
Conduct and formally document a risk analysis identifying all threats and vulnerabilities to ePHI, and assess the likelihood and potential impact of each. The proposed rule also requires a written inventory of technology assets and a network map showing where ePHI flows, both kept current. Repeat the analysis at least annually and after any significant system change.
Implement unique user IDs, role-based permissions, and automatic session timeouts for inactivity. No user should have access beyond what their role requires. Audit access logs quarterly.
The proposed rule does not use the phrase "Zero Trust", but its requirements add up to one: network segmentation of systems holding ePHI, MFA on every access, and verification of each access request regardless of whether it originates inside or outside the network perimeter. No user or device is trusted by default.
Every third-party vendor who touches ePHI must have a signed, current BAA. The proposed rule would additionally require business associates to verify in writing, at least annually, that the required technical safeguards are in place, so existing agreements will need revising to reflect the new mandatory requirements. An out-of-date agreement is a compliance gap.
The Breach Notification Rule's window for reporting breaches affecting 500+ individuals to HHS (without unreasonable delay and no later than 60 days after discovery) is unchanged by the Security Rule proposal. What the proposal adds is a contingency-planning clock: critical systems and data must be restorable within 72 hours, and a business associate must notify the covered entity within 24 hours of activating its contingency plan. Update your incident response and disaster recovery procedures, and test them, accordingly.
Mandatory semi-annual vulnerability scans of all systems handling ePHI, with remediation tracked and documented. Penetration testing is required annually.
All access to ePHI must be logged. Logs must capture who accessed what, when, and from where. These records must be retained for future audits and must be tamper-evident.
Patients have a right to copies of their records, in the electronic form they request where readily producible, within 30 days; a proposed Privacy Rule change would shorten this to 15 days but has not been finalised, so design for the shorter window now. Your software must support secure export, authenticated patient portals, and FHIR-compliant data sharing with authorised third-party apps.
All employees who handle or could access PHI must complete HIPAA training at least annually, with records of completion maintained. Training should explicitly cover phishing, ransomware, and device security, since these are the attack paths behind most reported healthcare breaches.
Appoint a named individual responsible for implementing and monitoring HIPAA compliance. For smaller organisations, this can be a part-time role but must be formally designated and documented.
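The access-logging item above asks for records of who accessed what, when, and from where, kept tamper-evident. One concrete way to get tamper evidence is a hash chain: each entry carries an HMAC over its own fields plus the previous entry's tag, so editing, inserting or deleting a record breaks every tag after it. The example below is an added illustration written for this page, not code from any vendor or regulator; the key, user names, resource paths and IP addresses are constructed placeholders.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Hypothetical chain key. In production this lives in a KMS/HSM and is never
# readable by the application users whose actions the log records.
LOG_KEY = b"replace-with-key-from-your-kms"

# Tag that the very first entry chains to.
GENESIS = "0" * 64


def _canonical(record: dict) -> bytes:
    # Deterministic serialisation so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log: list, who: str, what: str, resource: str, source_ip: str,
                 when: Optional[str] = None, key: bytes = LOG_KEY) -> dict:
    """Append an access record whose tag covers its contents and the previous tag."""
    prev_tag = log[-1]["tag"] if log else GENESIS
    record = {
        "who": who,                       # authenticated user or service identity
        "what": what,                     # action: view / update / export ...
        "resource": resource,             # the ePHI object touched
        "source_ip": source_ip,           # where the request came from
        "when": when or datetime.now(timezone.utc).isoformat(),
        "prev": prev_tag,                 # links this entry to its predecessor
    }
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    entry = {**record, "tag": tag}
    log.append(entry)
    return entry


def verify_chain(log: list, key: bytes = LOG_KEY) -> tuple:
    """Return (ok, index). ok is False and index is the first entry that fails."""
    prev_tag = GENESIS
    for i, entry in enumerate(log):
        record = {k: v for k, v in entry.items() if k != "tag"}
        if record.get("prev") != prev_tag:
            return False, i               # a record was removed or reordered
        expected = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i               # a record's contents were altered
        prev_tag = entry["tag"]
    return True, -1


def demo() -> dict:
    """Build a small constructed log, then show that edits and deletions are caught."""
    log = []
    append_entry(log, "dr.jones", "view", "patient/1042/chart", "10.0.4.17",
                 when="2025-03-01T09:14:02+00:00")
    append_entry(log, "nurse.kim", "update", "patient/1042/meds", "10.0.4.23",
                 when="2025-03-01T09:20:45+00:00")
    append_entry(log, "svc-billing", "export", "patient/1042/claims", "10.0.9.5",
                 when="2025-03-01T11:02:11+00:00")
    intact, _ = verify_chain(log)

    # An insider rewrites who performed the export after the fact.
    log[2]["who"] = "dr.jones"
    edited_ok, edited_index = verify_chain(log)
    log[2]["who"] = "svc-billing"        # restore the original value

    # The middle record is deleted; the next entry's "prev" no longer matches.
    del log[1]
    deleted_ok, deleted_index = verify_chain(log)

    return {"intact": intact,
            "edited_ok": edited_ok, "edited_index": edited_index,
            "deleted_ok": deleted_ok, "deleted_index": deleted_index}


if __name__ == "__main__":
    print(demo())
```

A chain like this detects tampering; it does not prevent it, and anyone holding the key can rebuild the chain. Keep the key out of the application's reach (a separate logging service or KMS-backed HMAC), write the log to append-only or WORM storage, and periodically export the latest tag to an external system so that even a full rewrite is detectable on the next audit.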
UK Equivalent: What About NHS and GDPR?
UK healthcare software must comply with UK GDPR and NHS Data Security and Protection (DSP) Toolkit requirements. Many obligations overlap with HIPAA — encryption, breach notification (72 hours to ICO), data minimisation, and access controls — but there are important differences around data residency and patient consent that must be addressed separately.
Combined US/UK deployment? You'll need both HIPAA and UK GDPR compliance built into your architecture from the start. Retrofitting compliance into existing software is significantly more expensive.
Frequently Asked Questions
Does HIPAA apply to software vendors, not just healthcare providers?
Yes. If your software processes, stores, or transmits ePHI on behalf of a Covered Entity, you are a Business Associate and directly subject to HIPAA. You must sign a BAA and meet all technical safeguard requirements.
What are the fines for HIPAA non-compliance in 2025?
Civil penalties are tiered by culpability. In the statutory (2013) amounts, which HHS adjusts upward for inflation each year, they run from $100 to $50,000 per violation for violations the entity did not know about, up to $50,000 per violation for willful neglect that is not corrected within 30 days (corrected willful neglect starts at $10,000), with an annual cap of $1.5 million for all violations of the same provision. HHS has increased its audit frequency in 2025.
Can I use cloud storage for ePHI?
Yes, if your cloud provider signs a BAA and meets all technical safeguards. AWS, Azure, and Google Cloud all offer HIPAA-eligible services, but configuration is your responsibility. A HIPAA-compatible cloud service does not automatically make your use of it compliant.
Building Healthcare Software? Let's Do It Right.
We build HIPAA-compliant and NHS DSP-aligned healthcare software for US and UK healthcare providers. From patient portals to EMR integrations — compliant by design, not by afterthought.
View Our Healthcare Services