Back
Compliance as Code: 5 Practices That Let Us Ship Daily Under HIPAA

Compliance as Code: 5 Practices That Let Us Ship Daily Under HIPAA

/6 min read/
Health TechComplianceDevOpsArchitecture

When I took over engineering at a telehealth company, I inherited a familiar problem: compliance was a bottleneck. Every release required a manual review. Engineers waited days — sometimes weeks — for sign-off. Features that took three days to build took three weeks to ship.

The conventional wisdom was clear: this is health tech, that's just how it works.

I refused to accept that. If banks can automate financial compliance checks and airlines can automate safety-critical system verification, there's no reason health tech can't automate HIPAA compliance.

Eighteen months later, our team deploys to production multiple times a day. Every deployment is fully HIPAA-compliant. No manual compliance reviews. No waiting. No bottleneck.

Here are the five practices that made it possible.

1. PHI Detection in the CI Pipeline

The most dangerous compliance failures happen when engineers accidentally handle Protected Health Information without proper safeguards. In a manual process, a reviewer has to catch these mistakes. Reviewers are human. They miss things.

We built automated PHI detection that runs on every pull request. It scans for patterns that indicate patient data handling — field names, data flows, API endpoints that touch health records — and flags any code that interacts with PHI without going through our approved data access layer.

The key insight: we don't block engineers from touching PHI. We ensure they can only touch it through compliant pathways. The scanner checks that every PHI interaction uses our encrypted data access module, which handles encryption at rest, encryption in transit, access logging, and minimum necessary access automatically.

If the scanner finds a direct database query touching a PHI table without the access layer, the build fails. Not a warning. A hard failure. The engineer gets a clear message explaining what was detected and how to fix it.

This single practice eliminated our most common category of compliance findings.

2. Infrastructure-Level Access Controls

In most organizations, access control is configured per-application. Every team implements authorization slightly differently. Some check permissions in middleware, some in controllers, some in database queries. The inconsistency is a compliance nightmare.

We moved access control to the infrastructure layer. Every service runs behind an authorization proxy that enforces role-based access before requests even reach the application code. The service itself never has to think about "does this user have permission to see this patient's data?" — that question is answered before the request arrives.

The configuration is declarative:

# service-access.yaml
endpoints:
  /api/patients/{id}/records:
    required_roles: ["provider", "care_coordinator"]
    phi_classification: "high"
    audit_level: "detailed"
    minimum_necessary: true
  /api/patients/{id}/preferences:
    required_roles: ["provider", "care_coordinator", "patient_self"]
    phi_classification: "low"
    audit_level: "standard"

When a new engineer joins the team, they don't need to learn our authorization system. They declare what their endpoint needs, and the infrastructure enforces it. Getting compliance right is easier than getting it wrong.

3. Automatic Audit Logging

HIPAA requires detailed audit trails — who accessed what patient data, when, and why. Most implementations treat this as application-level logging, which means every engineer has to remember to log access events. They forget. They log inconsistently. Audit time becomes a scramble to fill gaps.

We automated audit logging at the infrastructure layer. Every request that touches PHI-classified endpoints is automatically logged with:

  • Who made the request (authenticated identity)
  • What data was accessed (endpoint, patient ID, data classification)
  • When it happened (timestamp, request duration)
  • The access justification (derived from the user's role and the clinical context)
  • Whether the request was permitted or denied

Engineers write zero audit logging code. It happens automatically. Our compliance team can pull a complete access history for any patient record in seconds, covering every service, every API call, every data access — without a single manual log statement in application code.

This turned our audit preparation from a two-week scramble into a one-hour report generation.

4. Compliance Test Suite

We treat compliance requirements the same way we treat functional requirements: we write tests for them.

Our compliance test suite runs alongside unit tests and integration tests in every build. It verifies:

  • All PHI endpoints require authentication
  • All PHI responses are encrypted
  • No PHI appears in application logs (we scan log output for PHI patterns)
  • All data retention policies are enforced (test data older than policy limits is actually deleted)
  • Cross-service PHI transfers use encrypted channels
  • Backup encryption is configured correctly

These aren't theoretical checks. They run against real service instances in our CI environment. If someone accidentally adds a log statement that includes a patient name, the compliance test suite catches it before the code is merged.

The test suite is maintained by our platform team and runs automatically. Application engineers don't need to write compliance tests — they're inherited by every service through our service template.

5. Compliant-by-Default Service Templates

This is the practice that ties everything together. When an engineer creates a new service, they run a single command that generates a service with all compliance practices pre-configured:

  • PHI detection scanner in the CI pipeline
  • Infrastructure-level access control configuration
  • Automatic audit logging enabled
  • Compliance test suite integrated
  • Encrypted data access layer included
  • Monitoring and alerting for compliance-relevant events

The template represents our current compliance baseline. When requirements change — and they do — we update the template and roll changes to all services through automated pull requests.

The result: creating a fully HIPAA-compliant service takes the same effort as creating a non-compliant one. Actually, less effort — because the template handles everything the engineer would otherwise have to configure manually.

The Results

Since implementing these five practices:

Deployment frequency went from bi-weekly to multiple times daily. The compliance bottleneck is gone because there's nothing to manually review — the automation is the review.

Compliance findings dropped dramatically. The issues we used to find during quarterly audits — missing audit logs, inconsistent access controls, PHI in logs — are now caught in CI before code is merged.

Audit preparation shrank from weeks to hours. Every compliance artifact is generated automatically and available in real time. When auditors ask for evidence, we generate a report.

Engineer satisfaction improved measurably. Engineers no longer dread compliance. They don't even think about it. They write code, the system ensures it's compliant, and they ship.

The Bigger Lesson

The health tech industry has a compliance culture problem. Too many organizations treat HIPAA as a human process — reviews, checklists, sign-offs. Human processes don't scale. They're slow, inconsistent, and they burn out the people responsible for them.

Compliance is a software problem. And software problems have software solutions.

Every practice I've described here uses standard engineering tools — CI pipelines, infrastructure proxies, automated tests, service templates. None of this requires specialized compliance software or expensive third-party tools. It requires treating compliance with the same engineering rigor you apply to your product.

If your team is spending weeks on compliance reviews, the problem isn't HIPAA. The problem is that you haven't automated what should never have been manual in the first place.