Checklist · Healthcare · Cloud · v3.2 · Updated November 2024

HIPAA Architecture Checklist - 94 Controls Across 7 Domains

The technical controls NHS trusts and US health startups ask us about most. Not a regulatory summary - a specific implementation checklist you can give to an engineer.


We've run HIPAA-scoped engagements for eight healthcare clients over four years, ranging from early-stage digital health startups to NHS trust infrastructure modernisation. Every engagement starts with the same gap: teams know HIPAA exists and have read the regulations, but translating "implement appropriate access controls" into specific engineering decisions is where the work stalls. This checklist is what we hand to the engineer responsible for the implementation. It's not a compliance document. It's a build list.

What's inside

The document is structured into 7 sections. Each is self-contained - you can use individual sections as standalone references or work through the document in sequence.

01 · Domain 1: Encryption at rest
19 controls covering key management, encryption algorithm selection, storage-level vs application-level encryption, and the specific configurations that fail HIPAA audits most often.

02 · Domain 2: Encryption in transit
12 controls across TLS version enforcement, certificate management, internal service-to-service traffic, and the configuration gaps that auditors find in transit encryption despite engineers believing it's handled.

03 · Domain 3: Access control & IAM
18 controls on role design, MFA enforcement, service account hygiene, and least-privilege implementation in AWS and GCP. Includes the specific IAM policy patterns for PHI-handling services.

04 · Domain 4: Audit logging
14 controls on what to log, where to store it, retention requirements, and the log integrity guarantees that satisfy a HIPAA audit. Includes CloudTrail and GCP Audit Log configuration specifics.

05 · Domain 5: Network segmentation
11 controls on VPC design, PHI workload isolation, private endpoints, and the network architecture decisions that determine whether your segmentation actually isolates PHI or just looks like it does.

06 · Domain 6: Backup & recovery
10 controls on RTO/RPO documentation, backup encryption, restore testing frequency, and the disaster recovery requirements that HIPAA auditors verify with actual test evidence, not documentation.

07 · Domain 7: Vulnerability management
10 controls on patch cadence, container image scanning, dependency management, and the penetration testing requirements for systems that handle PHI.

What this doesn't cover

This checklist does not cover HIPAA's administrative safeguards (workforce training, risk analysis documentation, business associate agreements) or physical safeguards. It covers technical safeguards only - the implementation decisions that fall to engineering teams.

Who this is for

Platform or infrastructure engineers building systems that handle PHI
Engineering leads preparing for a HIPAA audit or BAA negotiation
CTOs at health-tech startups evaluating their security posture before a Series A
DevOps teams migrating healthcare workloads to AWS or GCP

How it was built

Used on every healthcare engagement Sequere has run since 2021. Last updated November 2024 to reflect AWS HealthLake updates and revised GCP Healthcare API configurations.

Every resource Sequere publishes is written by the engineers who ran the actual engagement - not by a content team working from secondhand notes. The trade-off is that we publish less frequently. The benefit is that the specifics are real.

Download

This resource is free to download with no account or signup required. The PDF downloads immediately.

If you use this resource on a real project and have feedback - things that were missing, out of date, or wrong - we want to hear it. Every update to this document has come from people who used it in production.