
Healthcare software development: HIPAA cost, timeline, and what gets flagged in review.

What HIPAA compliance actually costs in dev hours, where most projects stumble, and what a proper BAA + AWS architecture looks like for a practice-management platform in 2026.

If you're a healthcare operator or a founder building anything that touches patient data, HIPAA is the constraint that shapes every other decision. Here's how to think about it pragmatically — cost, timeline, architecture, and the five things that most frequently get flagged in compliance review.

What HIPAA adds to your build

For a standard $50K-$80K healthcare software project, HIPAA compliance typically adds:

  • 1–2 additional weeks of timeline for formal review, documentation, and security hardening.
  • 10–20% cost premium (roughly $5K–$15K) — covering penetration testing, HIPAA-specific architecture decisions, and compliance review time.
  • Infrastructure constraints that rule out cheap hosting options. You'll be on AWS, Azure, or GCP HIPAA-eligible services — not on Heroku or Vercel's standard tier.
  • Ongoing operational discipline. Compliance isn't a checkpoint at launch; it's a way of running the system forever after.

The five things most commonly flagged

1. Missing BAA (Business Associate Agreement) coverage

Every vendor that receives, stores, or transmits PHI on your behalf needs a signed BAA. Most early-stage projects miss at least one of: email provider, analytics, error tracking, customer-support tool. We've seen Sentry, Segment, Intercom, Stripe, and SendGrid all cause audit flags because the BAA wasn't in place. Two caveats. A vendor that will not sign a BAA cannot receive PHI at all, which in practice means no patient identifiers in error payloads, email subject lines, or support tickets. And a payment processor acting purely as a payment processor generally falls outside the business-associate definition, so check what you actually send it: a diagnosis in an invoice description or a metadata field puts the processor squarely back in scope.

2. PHI in logs

Application logs are the #1 place PHI accidentally leaks. A developer adds console.log(patient) for debugging, commits it, and months later it's in CloudWatch, in every log export, and in whichever third-party log tool has no BAA. Compliance review catches this every time. Fix: structured logging with PHI redaction built into the logging pipeline from day one, applied at the handler so it covers every call site rather than only the ones someone remembered to sanitize.
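What that redaction layer looks like, as an added example rather than code from the original post: a Python logging filter that scrubs known PHI field names and identifier patterns from both the message text and any extra={...} payload before the handler serialises the record to JSON. The PHI_KEYS list, the regexes, and the sample patient record are assumptions for illustration; the patient data is constructed.

```python
import io
import json
import logging
import re
from typing import Any

# Field names treated as PHI in this (hypothetical) patient model. In a real
# system derive the list from the data model, not from memory.
PHI_KEYS = {"name", "first_name", "last_name", "dob", "ssn", "mrn", "email",
            "phone", "address", "diagnosis", "notes"}

# Identifiers that leak inside free-text messages rather than under a key.
PHI_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
    (re.compile(r"\b(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"), "[PHONE]"),
]

# Attributes every LogRecord carries; anything else arrived via extra={...}.
_STANDARD_ATTRS = set(logging.LogRecord("x", 0, "", 0, "", (), None).__dict__)


def redact(value: Any) -> Any:
    """Recursively replace PHI in dicts, lists and strings; other types pass through."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if str(k).lower() in PHI_KEYS else redact(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [redact(v) for v in value]
    if isinstance(value, str):
        for pattern, label in PHI_PATTERNS:
            value = pattern.sub(label, value)
        return value
    return value


class PhiRedactionFilter(logging.Filter):
    """Scrubs the rendered message and every extra field before any handler formats it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        for key in list(record.__dict__):
            if key not in _STANDARD_ATTRS:
                setattr(record, key, redact(getattr(record, key)))
        return True


class JsonFormatter(logging.Formatter):
    """One JSON object per line: level, logger, msg, plus any extra fields."""

    def format(self, record: logging.LogRecord) -> str:
        payload = {"level": record.levelname, "logger": record.name,
                   "msg": record.getMessage()}
        payload.update({k: v for k, v in record.__dict__.items()
                        if k not in _STANDARD_ATTRS})
        return json.dumps(payload, default=str)


def build_logger(stream) -> logging.Logger:
    """Application logger with redaction attached to the handler, so it covers every call site."""
    logger = logging.getLogger("app")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.addFilter(PhiRedactionFilter())
    handler.setFormatter(JsonFormatter())
    logger.addHandler(handler)
    return logger


def demo() -> dict:
    """Log a whole patient object the way a careless debug line would; return what was written."""
    buf = io.StringIO()
    log = build_logger(buf)
    patient = {  # constructed sample record, not real data
        "mrn": "MRN-00123", "name": "Jane Doe", "dob": "1980-02-14",
        "ssn": "123-45-6789",
        "appointment": {"provider_id": 42, "time": "2026-03-01T09:00"},
    }
    log.info("saved patient; contact jane.doe@example.com or 555-123-4567",
             extra={"patient": patient})
    return json.loads(buf.getvalue())


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The written record keeps the operational fields (provider_id, appointment time) and replaces every identifier, so the log is still useful for debugging. Attaching the filter to the handler rather than calling a scrub function at each log site is the point: the careless debug line still goes through it.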

3. Unencrypted S3 buckets / databases

At-rest encryption is mandatory. S3 now encrypts new objects by default (SSE-S3), but that does nothing for objects already sitting in older buckets, and an RDS instance is encrypted only if you said so when it was created. Custom setups therefore end up with plain-text backups, snapshots, or older buckets that were never re-encrypted. Review catches these, and the fix is not a checkbox: an unencrypted RDS instance cannot be encrypted in place (snapshot it, copy the snapshot with a KMS key, restore, repoint the app), and existing S3 objects have to be copied over themselves to pick up the new default.

4. Broken access control

Role-based access control that works for the happy path but has edge cases where a receptionist can see a physician's notes, or where any physician can open any chart. HIPAA's minimum-necessary standard means every API endpoint must enforce both what the role may touch and whether this actor has a relationship with this specific patient; a check in the UI or at the router level is not enough.

5. No audit log

Every access to PHI must be logged, reads included, and every change attributed to an authenticated user. Covered entities need to produce a per-patient audit trail on demand ("who looked at this record, and when"). Skipping this is the single most expensive post-facto remediation: you have to retroactively thread it through every data path in the system.
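One way to build items 4 and 5 together, as an added example (not the original post's code, and not any particular framework's): a Python gateway that every PHI-touching endpoint calls, enforcing a minimum-necessary role policy plus a care-relationship check, and writing an audit row for every decision, including denials. The schema is the kind of thing the third scoping question below asks for. Role names, resources, user ids and the care_team map are hypothetical; sqlite3 stands in for RDS PostgreSQL so it runs offline.

```python
import sqlite3
from datetime import datetime, timezone
from typing import Optional

# Minimum-necessary policy: which PHI resources each role may touch, and how.
# Roles, resources and actions are hypothetical; derive yours from real workflows.
ROLE_POLICY = {
    "physician":    {"demographics": {"read"}, "schedule": {"read", "write"},
                     "clinical_notes": {"read", "write"}, "billing": {"read"}},
    "nurse":        {"demographics": {"read"}, "schedule": {"read"},
                     "clinical_notes": {"read", "write"}},
    "receptionist": {"demographics": {"read", "write"}, "schedule": {"read", "write"}},
    "billing":      {"demographics": {"read"}, "billing": {"read", "write"}},
}

# Resources that also require a care relationship with this specific patient:
# a receptionist can schedule anyone, but a physician cannot browse charts at will.
RELATIONSHIP_REQUIRED = {"clinical_notes"}

AUDIT_SCHEMA = """
CREATE TABLE IF NOT EXISTS phi_audit (
    id          INTEGER PRIMARY KEY,
    ts_utc      TEXT NOT NULL,   -- ISO-8601, server clock
    actor_id    TEXT NOT NULL,   -- authenticated user; never a shared service identity for user actions
    actor_role  TEXT NOT NULL,
    patient_id  TEXT NOT NULL,   -- whose PHI was touched
    resource    TEXT NOT NULL,   -- demographics, clinical_notes, ...
    action      TEXT NOT NULL,   -- read, write, export
    decision    TEXT NOT NULL,   -- allow / deny (denials are evidence too)
    reason      TEXT,            -- why denied, or a break-glass justification
    request_id  TEXT,            -- correlates with the application log line
    source_ip   TEXT
);
"""
# In production the application's DB role gets INSERT and SELECT on phi_audit only,
# no UPDATE or DELETE: the trail must be append-only.


class PhiGateway:
    """Every PHI access goes through authorize(); the audit row is written whether or not it is allowed."""

    def __init__(self, conn: sqlite3.Connection, care_team: dict):
        self.conn = conn
        self.care_team = care_team  # patient_id -> set of clinician ids with an active relationship
        conn.executescript(AUDIT_SCHEMA)

    def authorize(self, actor_id: str, role: str, patient_id: str, resource: str,
                  action: str, request_id: Optional[str] = None,
                  source_ip: Optional[str] = None) -> bool:
        permitted = ROLE_POLICY.get(role, {}).get(resource, set())
        if action not in permitted:
            allowed, reason = False, f"role {role} has no {action} on {resource}"
        elif resource in RELATIONSHIP_REQUIRED and actor_id not in self.care_team.get(patient_id, set()):
            allowed, reason = False, "no care relationship with patient"
        else:
            allowed, reason = True, None
        self.conn.execute(
            "INSERT INTO phi_audit (ts_utc, actor_id, actor_role, patient_id, resource, "
            "action, decision, reason, request_id, source_ip) VALUES (?,?,?,?,?,?,?,?,?,?)",
            (datetime.now(timezone.utc).isoformat(), actor_id, role, patient_id, resource,
             action, "allow" if allowed else "deny", reason, request_id, source_ip),
        )
        self.conn.commit()
        return allowed

    def audit_trail(self, patient_id: str) -> list:
        """The 'who looked at this record' report a covered entity must produce on demand."""
        cols = ["ts_utc", "actor_id", "actor_role", "resource", "action", "decision", "reason"]
        rows = self.conn.execute(
            f"SELECT {', '.join(cols)} FROM phi_audit WHERE patient_id = ? ORDER BY id",
            (patient_id,)).fetchall()
        return [dict(zip(cols, row)) for row in rows]


def demo():
    """Constructed scenario: one attending physician, one unrelated physician, one receptionist."""
    gw = PhiGateway(sqlite3.connect(":memory:"), care_team={"P-1001": {"dr-lee"}})
    decisions = {
        "receptionist_books_appointment": gw.authorize("rec-ana", "receptionist", "P-1001", "schedule", "write"),
        "receptionist_reads_notes": gw.authorize("rec-ana", "receptionist", "P-1001", "clinical_notes", "read"),
        "attending_reads_notes": gw.authorize("dr-lee", "physician", "P-1001", "clinical_notes", "read"),
        "other_physician_reads_notes": gw.authorize("dr-kim", "physician", "P-1001", "clinical_notes", "read"),
    }
    return decisions, gw.audit_trail("P-1001")


if __name__ == "__main__":
    decisions, trail = demo()
    print(decisions)
    for row in trail:
        print(row)
```

The two denials are the edge cases reviewers look for: the receptionist reaching for notes, and a physician with no relationship to the patient. Both are refused and both leave a row, which is what makes snooping detectable later.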

Proper HIPAA architecture on AWS in 2026

For a standard patient-facing platform, a sane HIPAA-compliant AWS architecture looks like:

  • Compute: ECS Fargate or Lambda (both HIPAA-eligible).
  • Database: RDS PostgreSQL in a private subnet, encrypted at rest (KMS), automated backups encrypted and retained 30+ days.
  • Storage: S3 with bucket policies denying non-TLS requests, KMS encryption, versioning, and access logs.
  • Networking: VPC with private subnets for compute and DB. Only the ALB is internet-facing. WAF in front for rate limiting + OWASP protection.
  • Authentication: Cognito or Auth0 (BAA-eligible tier). MFA required for any admin.
  • Audit: CloudTrail enabled, with CloudTrail and the application audit log delivered to a separate logging account, stored in S3 with Object Lock so nobody in the workload account can edit or delete them, retained 6+ years.
  • Secrets: AWS Secrets Manager with rotation, fetched at runtime. No secrets in environment variables, task definitions, or anywhere a log line or crash dump can capture them.
  • BAA: signed with AWS, plus every third-party service you use (Stripe, SendGrid, Datadog, etc.).
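The storage and database bullets above, and the "unencrypted S3 buckets / databases" flag earlier, are things you can check before review does. The following Python is an added example, not from the original post or from any AWS tooling: it runs those checks over a constructed inventory whose dicts mimic the shape of boto3's get_bucket_encryption, get_bucket_policy, describe_db_instances and describe_db_snapshots responses. The bucket and instance names, the phi-data key alias, and the outer s3/rds/versioning/logging_target wrapper keys are assumptions for illustration; wire the functions to real boto3 calls to run them against an account.

```python
import json

# Constructed inventory. Inner dicts follow boto3 response field names;
# the outer structure is our own wrapper around several API calls.
INVENTORY = {
    "s3": {
        "phi-uploads": {
            "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/phi-data"}}]},
            "policy": json.dumps({"Version": "2012-10-17", "Statement": [{
                "Sid": "DenyPlaintextTransport", "Effect": "Deny", "Principal": "*",
                "Action": "s3:*",
                "Resource": ["arn:aws:s3:::phi-uploads", "arn:aws:s3:::phi-uploads/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}),
            "versioning": "Enabled",
            "logging_target": "phi-access-logs",
        },
        "legacy-exports": {  # created before the account standardised on KMS
            "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
            "policy": None,
            "versioning": "Suspended",
            "logging_target": None,
        },
    },
    "rds": {
        "prod-db": {
            "StorageEncrypted": True, "BackupRetentionPeriod": 35, "PubliclyAccessible": False,
            "snapshots": [
                {"DBSnapshotIdentifier": "prod-db-2026-01-01", "Encrypted": True},
                {"DBSnapshotIdentifier": "pre-migration-manual", "Encrypted": False},
            ],
        },
    },
}


def _denies_plaintext_transport(stmt: dict) -> bool:
    """True for the canonical 'Deny everyone unless aws:SecureTransport' statement."""
    flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
    return (stmt.get("Effect") == "Deny"
            and stmt.get("Principal") == "*"
            and str(flag).lower() == "false")


def s3_findings(bucket: dict) -> list:
    findings = []
    algorithms = {r["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"]
                  for r in bucket.get("encryption", {}).get("Rules", [])
                  if "ApplyServerSideEncryptionByDefault" in r}
    if "aws:kms" not in algorithms:
        findings.append(f"default encryption is {sorted(algorithms) or 'none'}, not SSE-KMS; "
                        "existing objects stay as they are until copied in place")
    statements = json.loads(bucket["policy"])["Statement"] if bucket.get("policy") else []
    if isinstance(statements, dict):  # a single statement may be un-listed
        statements = [statements]
    if not any(_denies_plaintext_transport(s) for s in statements):
        findings.append("no Deny for aws:SecureTransport=false (plain-HTTP access allowed)")
    if bucket.get("versioning") != "Enabled":
        findings.append("versioning not enabled")
    if not bucket.get("logging_target"):
        findings.append("server access logging off")
    return findings


def rds_findings(db: dict) -> list:
    findings = []
    if not db.get("StorageEncrypted"):
        findings.append("storage unencrypted; not fixable in place: snapshot, copy with KMS, restore")
    if db.get("BackupRetentionPeriod", 0) < 30:
        findings.append(f"backup retention {db.get('BackupRetentionPeriod', 0)} days, want 30+")
    if db.get("PubliclyAccessible"):
        findings.append("publicly accessible; should sit in a private subnet")
    for snap in db.get("snapshots", []):
        if not snap.get("Encrypted"):
            findings.append(f"snapshot {snap['DBSnapshotIdentifier']} is unencrypted")
    return findings


def review(inventory: dict) -> dict:
    """Resource -> findings, listing only resources that would be flagged."""
    report = {}
    for name, bucket in inventory.get("s3", {}).items():
        if findings := s3_findings(bucket):
            report[f"s3:{name}"] = findings
    for name, db in inventory.get("rds", {}).items():
        if findings := rds_findings(db):
            report[f"rds:{name}"] = findings
    return report


if __name__ == "__main__":
    for resource, findings in review(INVENTORY).items():
        print(resource)
        for finding in findings:
            print("  -", finding)
```

Note what the clean bucket needs beyond "encryption on": a KMS key rather than SSE-S3, an explicit Deny for non-TLS requests, versioning, and access logging. The stale manual snapshot on an otherwise compliant database is exactly the kind of thing a reviewer finds and a console glance misses.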

Timeline breakdown for a practice-management platform

Phase                      Weeks   What happens
Discovery + HIPAA scope    1       Confirm which PHI is involved, which vendors, AWS BAA setup.
Design + architecture      2       Data model, role-based access, audit log schema designed upfront.
Core build                 5–8     Product features; PHI handling, access control, audit built in from day one.
QA + security review       2       Penetration test, OWASP review, HIPAA checklist, audit log validation.
Production cutover         1       Launch under BAA; 30 days of close monitoring.

Total: 11–14 weeks. Cost: $65K–$95K for a mid-complexity practice-management platform. Under 10 weeks is only realistic with an experienced HIPAA-literate team; longer than 16 weeks suggests inefficient process or expanded scope.

What separates a HIPAA-ready shop from a non-ready one

Ask three questions on the first scoping call:

  1. "Have you signed a BAA with AWS before, and with the email provider (and Auth0, if that's the identity layer)?" (Cognito is an AWS service and is covered by the AWS BAA, which you accept through AWS Artifact under your own account. Experienced shops know that, and know which vendor tiers include a BAA, so nobody has to discover the process on your project.)
  2. "How do you handle PHI in error logs?" (If they pause, they haven't thought about it.)
  3. "Can you show me a sample audit log schema?" (If yes, they've shipped HIPAA before.)

When HIPAA compliance isn't required

Not everything that touches health data is regulated. HIPAA applies to covered entities (providers, payers, clearinghouses) and to their business associates. A wellness app you sell direct-to-consumer is NOT automatically HIPAA. A fitness tracker isn't. A B2B tool sold to providers IS, as a business associate, and needs a BAA with each provider customer. Falling outside HIPAA does not mean unregulated, though: the FTC's Health Breach Notification Rule and state privacy laws can still apply to consumer health apps. Get a lawyer to confirm your status before assuming one way or the other.

Building in healthcare?

WebCentriq has shipped HIPAA-compliant platforms on AWS since 2019. Describe your project in a paragraph — we'll flag compliance considerations in the estimate so the scope and timeline are realistic from day one.
