There Is No Such Thing as "HIPAA Certified"

Search for "HIPAA compliant app development" and you will find dozens of agencies advertising "HIPAA certification." None of them hold one, because HHS has never created a certification program for software vendors, hosting providers, or development agencies. HIPAA is a law, not a badge. There is no exam to pass, no certificate to frame, and no government body that will stamp your app as compliant.

What exists instead is a set of legal obligations under the HIPAA Security Rule and Privacy Rule, enforced after the fact by the HHS Office for Civil Rights, usually triggered by a breach report or a complaint. Compliance is demonstrated by having the right agreements, controls and documentation in place, not by a certificate. Any vendor that leads with "we are HIPAA certified" is either misinformed or misrepresenting what they offer, and it is worth asking them directly what they mean by it.

This matters because the honest answer changes what you should actually be evaluating an agency on: not a certificate, but whether they understand the Security Rule's technical safeguards, whether they will sign a Business Associate Agreement, and whether they choose infrastructure that is itself HIPAA-eligible.

Who Actually Has to Care About HIPAA

HIPAA applies directly to "covered entities," healthcare providers, health plans, and healthcare clearinghouses, and to their "business associates," any vendor that creates, receives, maintains or transmits protected health information (PHI) on a covered entity's behalf. A development agency becomes a business associate the moment it handles real patient data, whether that's during a staging environment loaded with production data, ongoing hosting and maintenance, or direct database access for support.

If your app is built entirely with synthetic or de-identified test data through development, and a hospital or clinic (the covered entity) only receives real PHI after they take over hosting themselves, the picture is different, the agency may never become a business associate at all. This is a genuine architectural decision worth making early: minimizing who touches real PHI reduces your compliance surface area significantly.

Consumer health and wellness apps that are not affiliated with a covered entity, a fitness tracker, a period tracker, a symptom journal that a user fills in independently, typically fall outside HIPAA entirely, even though the data feels sensitive. They are still subject to GDPR (if serving EU users), state privacy laws, and FTC health-data rules in the US, but HIPAA specifically only attaches through a covered entity relationship.

The Technical Safeguards HIPAA Actually Requires

The HIPAA Security Rule (45 CFR §164.312) lists the specific technical safeguards an application handling PHI must implement. This is the part vendors rarely explain in concrete terms, so here it is:

Access control: every user needs a unique identifier (no shared logins), the system must support emergency access procedures, and sessions should enforce automatic logoff after inactivity. Role-based access control, so a receptionist cannot see clinical notes a nurse can, is the practical implementation.

Audit controls: the system must record and be able to examine activity in systems containing PHI, who viewed what record, when, and what changed. This is not optional logging, it is a named requirement, and it is one of the two or three things OCR investigators ask for first after any breach report.

Integrity controls: mechanisms to confirm PHI has not been improperly altered or destroyed, typically checksums, versioning, or database-level constraints combined with the audit trail above.

Transmission security: PHI must be protected against unauthorized access while being transmitted over a network, meaning TLS 1.2 or higher on every connection, with no exceptions for internal traffic between services.

Encryption at rest is technically an "addressable" specification rather than strictly "required," but in practice OCR treats an unencrypted database holding PHI as effectively indefensible after a breach. We treat AES-256 encryption at rest as non-negotiable on every health-data project regardless of its formal designation.

Business Associate Agreements, the Real Gatekeeper

The Business Associate Agreement (BAA) is the actual legal mechanism that governs a vendor relationship under HIPAA, and it is far more important in practice than any marketing claim about "compliance." A BAA is a contract that obligates the vendor to safeguard PHI, report breaches within a defined window, and only use the data for permitted purposes.

Every vendor in the chain that will touch real PHI needs one: your hosting provider, your development agency if it retains any access post-launch, your email or SMS provider if it sends anything containing PHI, your analytics tool if it is not carefully scoped to exclude PHI fields. A single vendor in that chain without a signed BAA is a genuine compliance gap, regardless of how compliant everyone else in the stack is.

Practically, this means the sequence for a new health-data build should be: architect the system to minimize who needs real PHI access, identify every remaining vendor that will touch it, get BAAs signed with each before any real patient data enters the system, not after.

Where Supabase Fits

Supabase, the Postgres backend we use for most application builds, offers a HIPAA compliance add-on with a signed BAA available on its Team plan and above. That covers the infrastructure layer, encrypted storage, network security, and Supabase's own commitment as a business associate for the database and auth components.

What it does not do is make your application automatically compliant. Row-Level Security policies still need to be written correctly so that no user can query another patient's record. Audit logging still needs to be built as an explicit table and trigger pattern, Supabase does not turn this on by default. Automatic session logoff, unique user identifiers, and role-based visibility are all implementation work in your application layer, not settings you toggle on in Supabase's dashboard.

This is the same pattern that applies to any infrastructure provider claiming HIPAA eligibility, AWS, Google Cloud, and Azure all offer HIPAA-eligible services with BAAs as well. The hosting layer being eligible is a prerequisite, not the whole answer.

HIPAA vs GDPR vs HDS, Compared

If your users span the US, the EU, and France specifically, you are likely dealing with all three frameworks at once. They share a security backbone, encryption, access logging, breach notification, but differ sharply on scope and mechanism.

HIPAA (United States)

Applies to covered entities and their business associates handling PHI. No agency-level certification exists. Enforced by HHS OCR, penalties per violation category, requires a signed BAA with every vendor touching real data.

GDPR (European Union)

Applies to all personal data of EU residents, health data is "special category" under Article 9 with stricter conditions. Requires a Data Processing Agreement, EU data residency, and explicit lawful basis for processing health data.

HDS (France)

Certifies the hosting infrastructure, not the software agency, under Article L.1111-8 of the Code de la santé publique. Required when health data of patients treated in France is hosted. OVHcloud, AWS, Azure and Google Cloud all hold HDS-certified regions.

The recurring mistake across all three is the same: assuming certification attaches to the agency that writes the code. It does not. HIPAA certifies nothing, GDPR certifies nothing at the agency level either (though a Data Processing Agreement is required), and HDS certifies the hosting infrastructure specifically. In every case, the agency's real job is choosing infrastructure that holds the right status and building the application correctly on top of it.

How We Architect Health-Data Apps

We do not claim App Studio is "HIPAA certified" or "HDS certified," because neither claim would be accurate. What we do on every health-data project: select hosting that is HIPAA-eligible or HDS-certified depending on where the patients are, sign a BAA before any real PHI enters a staging or production environment, and build Row-Level Security policies, audit logging tables, role-based access control and automatic session timeouts as standard, not optional, features.

Our experience with sensitive personal data outside a clinical HIPAA context is real and directly relevant: we built the claims-reimbursement and dispute-management CRM for Nostrum Care, the tech subsidiary of a French mutual-insurance group, handling sensitive personal and financial data under GDPR with WeWeb, Supabase and n8n. That is health-insurance back-office data, not clinical patient records, and we describe it that way deliberately, it demonstrates real GDPR-grade data-handling experience without overstating it as a HIPAA or HDS clinical deployment.

For a new health-data build, we typically start by mapping exactly which parties will touch real PHI and minimizing that list before writing a line of application code. Fewer parties touching real data means fewer BAAs to negotiate, a smaller audit surface, and a faster path to launch.

Compliance Checklist Before Launch

Run through this before any health-data application goes live with real patient data.

Agreements: BAA signed with your hosting provider; BAA signed with your development agency if it retains any post-launch access; BAA or equivalent signed with every third-party service (email, SMS, analytics, error monitoring) that could touch PHI; Data Processing Agreement in place if you have EU users.

Access control: unique login per user, no shared credentials; role-based visibility enforced at the database level via Row-Level Security, not just hidden in the UI; automatic session logoff after inactivity; emergency access procedure documented.

Audit and integrity: an audit log table recording who accessed or changed what record and when; this log itself protected from tampering; a documented process for reviewing audit logs periodically, not just collecting them.

Encryption: AES-256 at rest on every database and backup; TLS 1.2+ on every network connection, internal and external; no PHI ever logged in plaintext to application logs or error trackers.

Risk analysis: a documented risk analysis covering where PHI lives, who can access it, and what could go wrong, the single most common gap cited in actual HHS OCR enforcement actions, and the cheapest one to fix before launch.

Geography: HDS-certified hosting confirmed if any patient is treated in France; EU data residency confirmed if you have EU users; HIPAA-eligible hosting with a signed BAA confirmed if you have US patients or a US covered-entity client.