Regulation (US)Stable

HIPAA

US Privacy + Security Rules for Protected Health Information. Compliance is a deployment concern, not a code concern — but you must understand BA obligations before going to prod.

Two rules every builder must know:

Privacy Rule — what counts as PHI, who can access it (covered entities + business associates), patient rights.

Security Rule — administrative, physical, technical safeguards (encryption at rest + in transit, audit logging, access controls).

For builders:

Synthetic / Synthea data is not PHI → safe for dev + demos

Real patient data → covered + you need a Business Associate Agreement (BAA) with anyone handling it (cloud provider, AI vendor)

Anthropic offers a BAA for enterprise customers — talk to your account team

Reference: HHS HIPAA for Professionals.

External links

→HHS HIPAA