What are the 18 HIPAA identifiers?

The 18 HIPAA identifiers are: names, geographic data smaller than a state, dates (except year) related to an individual, phone numbers, fax numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers and serial numbers, device identifiers and serial numbers, web URLs, IP addresses, biometric identifiers, full-face photographs, and any other unique identifying number or code.

What encryption does HIPAA require?

HIPAA requires encryption of PHI at rest and in transit as an addressable safeguard under the Security Rule. In practice, this means AES-256 for data at rest and TLS 1.2+ for data in transit. While technically 'addressable' rather than 'required,' failing to encrypt PHI without a documented equivalent alternative is considered a violation by HHS enforcement.

Blog

HIPAA for SaaS Developers: What You Actually Need to Know

Q: Do I need HIPAA compliance if I'm not a healthcare company?

Yes, if your app handles Protected Health Information (PHI). HIPAA applies to covered entities (hospitals, insurers, providers) and their business associates — any company that creates, receives, maintains, or transmits PHI on their behalf. If your SaaS stores patient data, processes health records, or integrates with EHR systems, you are likely a business associate and HIPAA applies to you.

Published March 17, 2026 · 11 min read

You built a SaaS product. Maybe it is a scheduling tool for clinics. Maybe it is an analytics dashboard that happens to process patient survey data. Maybe your CRM just added a healthcare vertical. Then someone asks: “Are you HIPAA compliant?”

HIPAA is not just for hospitals. Any application that handles Protected Health Information (PHI) on behalf of a healthcare entity falls under HIPAA. That includes your SaaS if it touches health data in any way. This guide breaks down what HIPAA actually requires from a developer perspective — no legal jargon, just the technical reality.

1. Who actually needs HIPAA compliance

HIPAA (Health Insurance Portability and Accountability Act) applies to two categories of organizations:

Covered Entities

Healthcare providers (hospitals, clinics, doctors), health plans (insurers, HMOs), and healthcare clearinghouses. These are the organizations that directly handle patient care or health insurance.

Business Associates

Any person or company that creates, receives, maintains, or transmits PHI on behalf of a covered entity. This is where most SaaS companies fall. If a hospital uses your scheduling app, or a therapist stores notes in your platform, or a health insurer sends claims data through your API — you are a business associate.

SaaS products that often need HIPAA

Telehealth and appointment scheduling. Any app connecting patients with providers.
EHR integrations. If your API pulls or pushes data to Epic, Cerner, or any electronic health record system.
Patient messaging and communication. Secure messaging, email, or notification services handling health information.
Health analytics and reporting. Dashboards, population health tools, or clinical trial platforms.
Billing and claims processing. Any system handling insurance claims, medical billing codes, or payment data tied to health services.
Cloud hosting and infrastructure. If you host or store PHI on behalf of a healthcare client, even as an infrastructure provider.

Key point: You do not need to be a healthcare company to need HIPAA compliance. If any of your customers are healthcare organizations and they store, transmit, or process health-related data through your product, HIPAA likely applies to you.

2. What counts as PHI (the 18 identifiers)

Protected Health Information (PHI) is any individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate. The key word is “individually identifiable” — health data that cannot be linked back to a specific person is not PHI.

HIPAA defines 18 types of identifiers. If any of these appear alongside health information, the data is PHI:

#	Identifier	Developer notes
1	Names	Full name, first + last, maiden names
2	Geographic data	Anything more specific than state (street address, city, zip code)
3	Dates	Birth date, admission/discharge dates, date of death (year alone is OK)
4	Phone numbers	Including mobile, home, work
5	Fax numbers	Still common in healthcare
6	Email addresses	Personal and work email
7	Social Security numbers	Never store these in plaintext
8	Medical record numbers	Assigned by healthcare providers
9	Health plan beneficiary numbers	Insurance member IDs
10	Account numbers	Financial account numbers tied to health services
11	Certificate/license numbers	Professional licenses, driver's licenses
12	Vehicle identifiers	VINs, license plate numbers
13	Device identifiers	Serial numbers for medical devices, UDIs
14	Web URLs	Personal URLs that could identify a patient
15	IP addresses	Logged in access logs, analytics, error tracking
16	Biometric identifiers	Fingerprints, voiceprints, retinal scans
17	Full-face photographs	Profile photos, ID photos, medical images showing face
18	Any other unique identifier	Internal user IDs, patient IDs, MRN-like codes

Developer trap: IP addresses and email addresses are HIPAA identifiers. If your application logs IP addresses alongside any health-related activity (appointment bookings, prescription views, health assessment results), those logs contain PHI. This catches many SaaS teams off guard because standard logging and error-tracking libraries capture IP addresses by default.

ePHI: the digital version

Electronic Protected Health Information (ePHI) is PHI in electronic form — stored in a database, transmitted over an API, logged in an error tracker, or cached in a browser. As a developer, virtually all PHI you encounter is ePHI, and the HIPAA Security Rule applies specifically to ePHI.

3. Technical safeguards: encryption, audit logs, access controls

The HIPAA Security Rule defines three categories of safeguards: administrative (policies and procedures), physical (facility access), and technical (the technology controls developers implement). Here is what the technical safeguards actually mean for your code.

Encryption

HIPAA classifies encryption as “addressable” rather than “required.” In practice, this distinction is meaningless. HHS has made clear that failing to encrypt ePHI without implementing an equivalent alternative measure is a violation. Treat encryption as mandatory.

At rest: AES-256 encryption for databases, file storage, and backups. Use managed encryption (AWS RDS encryption, GCP Cloud SQL encryption) or application-level encryption for sensitive fields.
In transit: TLS 1.2 or higher for all connections. This includes API calls, database connections, internal service communication, and any data transfer between systems.
Key management: Use a dedicated KMS (AWS KMS, GCP Cloud KMS, Azure Key Vault). Never store encryption keys alongside the data they protect. Rotate keys on a documented schedule.

Example: Verifying encryption configuration

# Check RDS encryption at rest
aws rds describe-db-instances \
  --query 'DBInstances[*].[DBInstanceIdentifier,StorageEncrypted]'

# Check S3 bucket encryption
aws s3api get-bucket-encryption \
  --bucket my-phi-bucket

# Verify TLS version on your endpoint
openssl s_client -connect api.yourapp.com:443 \
  -tls1_2 < /dev/null 2>&1 | grep "Protocol"

Audit logs

HIPAA requires audit controls that record and examine activity in systems containing ePHI. Your audit logs must capture:

Who accessed the data (authenticated user identity)
What data was accessed, created, modified, or deleted
When the access occurred (timestamp)
Where the access originated (IP address, system)
Outcome of the access attempt (success or failure)

Audit logs must be tamper-proof (write-once storage or append-only), retained for a minimum of six years, and regularly reviewed. Failed login attempts, privilege escalations, and PHI exports should trigger alerts.

Access controls

The HIPAA Security Rule requires four access control mechanisms:

Unique user identification

Every user must have a unique identifier. No shared accounts, no generic “admin” logins. This is necessary for meaningful audit trails.

Emergency access procedure

A documented process for accessing ePHI during an emergency. Break-glass procedures that bypass normal access controls but log everything.

Automatic logoff

Sessions must time out after a period of inactivity. Implement idle session expiration and require re-authentication. The timeout period should reflect the sensitivity of the data.

Encryption and decryption

Mechanisms to encrypt ePHI whenever it is stored or transmitted, and to decrypt it only when accessed by authorized users or processes.

Beyond these four requirements, implement role-based access control (RBAC) with the principle of least privilege. Users should only access the minimum PHI necessary to perform their function. MFA should be enforced for any system that stores or accesses ePHI.

4. Business Associate Agreements (BAAs)

A Business Associate Agreement (BAA) is a legally binding contract between a covered entity and a business associate (you). It is not optional. HIPAA requires a BAA to be in place before any PHI is shared.

When you need a BAA

With your healthcare customers. If a hospital or clinic uses your SaaS and any PHI flows through it, you need a BAA with that customer.
With your sub-processors. If you use AWS, GCP, or Azure to store ePHI, you need a BAA with that cloud provider. If you use a third-party email service to send appointment reminders containing PHI, you need a BAA with them too.
With any vendor that touches PHI. Database hosting, error tracking (if it captures PHI), backup services, analytics providers — any vendor that could access ePHI needs a BAA.

What a BAA must include

Permitted and required uses of PHI
Agreement not to use or disclose PHI beyond what the contract allows
Requirement to implement appropriate safeguards
Obligation to report breaches and security incidents
Terms for returning or destroying PHI when the contract ends
Right for the covered entity to terminate the contract if the business associate violates HIPAA

Cloud provider BAAs: AWS, GCP, and Azure all offer BAAs, but you must explicitly sign them. AWS requires you to designate specific HIPAA-eligible services in your account configuration. GCP provides a BAA through its Cloud Identity agreement. Azure offers a HIPAA BAA as part of its Online Services Terms. Do not assume your cloud provider is HIPAA-covered by default — you must actively execute the agreement.

5. How Codepliant detects health-related services

Codepliant scans your codebase to detect services, integrations, and configurations that indicate health data handling. It identifies patterns that are relevant to HIPAA compliance and generates documentation grounded in your actual implementation.

Terminal

npx codepliant go

Scanning project...
  Detected: Node.js + TypeScript
  Detected: AWS S3 (encrypted at rest), RDS (encrypted)
  Detected: Auth0 (MFA configured)
  Detected: FHIR API integration (health data)
  Detected: Twilio (patient notifications)
  Detected: Winston logging (structured audit logs)
  Detected: Redis session store (auto-expiry configured)

Generating documents...
  [+] HIPAA Compliance Checklist
  [+] Privacy Policy (HIPAA-aware)
  [+] Data Processing Inventory
  [+] Access Control Policy
  [+] Encryption Policy
  [+] Audit Log Policy
  [+] Breach Notification Plan
  [+] Business Associate Agreement Template

8 documents generated in compliance-docs/

Here is what Codepliant looks for when assessing HIPAA relevance:

Health data integrations

Scans for FHIR/HL7 libraries, EHR API clients (Epic, Cerner, Allscripts), health-specific SDKs, and medical coding libraries (ICD-10, CPT, SNOMED). The presence of these signals that your application handles health data and HIPAA likely applies.

Encryption posture

Detects database encryption settings, TLS configuration, KMS integrations, and field-level encryption patterns. Flags gaps where ePHI storage or transmission may lack encryption.

Audit trail implementation

Identifies logging libraries, structured log formats, and audit-specific patterns. Checks for the who/what/when/where/outcome fields that HIPAA audit controls require.

Access control patterns

Scans for authentication providers (Auth0, Okta, Cognito), RBAC implementations, session timeout configuration, and MFA setup. Maps findings to HIPAA access control requirements.

Third-party services needing BAAs

Identifies cloud providers (AWS, GCP, Azure), communication services (Twilio, SendGrid), analytics tools, and other vendors that may process ePHI. Flags each one as requiring a BAA if PHI flows through it.

Every generated document reflects what Codepliant actually found in your code. If it detects Auth0 with MFA configured, your Access Control Policy references that specific setup. If it finds unencrypted S3 buckets, the HIPAA Compliance Checklist flags it as a gap requiring remediation.

The goal is not to replace legal counsel — it is to give you an accurate starting point so your compliance effort is grounded in technical reality rather than guesswork.

6. Get started now

HIPAA compliance starts with understanding what your application actually does with health data. Scan your codebase, identify gaps, and generate the documentation your compliance program needs. One command:

Check your HIPAA readiness from your code

Codepliant scans your codebase for health data integrations, encryption gaps, audit log coverage, and access control patterns. Free, open source, runs locally. No PHI ever leaves your machine.

npx codepliant go

No account required. No data leaves your machine.