Security
HIPAA, PHI, and trust: how we engineer compliance from day one
In healthcare software, security is not a feature. It is not a checkbox on a compliance audit. It is not something you add in version 2.0 after you have found product-market fit. Security in healthcare is the product. If patients cannot trust you with their data, nothing else you build matters.
We understood this before we wrote our first line of code.
What PHI actually means
Protected Health Information is not just medical records. It is anything that can identify a patient in connection with their health data. A name plus a diagnosis. An email address plus a prescription. A phone number plus an appointment time. The surface area is enormous, and most healthcare startups underestimate it.
At HealNote, we classify every data field in our system into one of three categories: PHI, PII, or operational. This classification is not documentation — it is enforced in code. PHI fields are encrypted at rest with AES-256. They are encrypted in transit with TLS 1.3. They are never logged in plaintext. They are never included in error reports. They are never sent to third-party analytics.
Ever.
The architecture of trust
Our backend is designed around what we call the “minimum exposure principle.” Every API endpoint returns only the data that the requesting user is authorised to see, and nothing more. A clinic receptionist sees appointment times and patient names. A doctor sees the full clinical record. An administrator sees aggregate statistics without individual patient data.
This is not role-based access control bolted onto a flat database. It is access control designed into the data layer itself. The query never retrieves what the user should not see — the data is not filtered after retrieval; it is never fetched in the first place.
Most security breaches in healthcare are not sophisticated attacks. They are over-permissioned queries returning data that nobody needed to see.
Audit everything
Every access to patient data in HealNote is logged. Not just writes — reads too. If a doctor views a patient record, we log who, when, what they accessed, and from which device. If an administrator exports a report, the export is logged with its exact parameters.
This is not surveillance. It is accountability. In the event of a breach — or even a suspected breach — we can reconstruct exactly what happened, when, and what data was exposed. Most healthcare platforms cannot answer the simple question: “Who accessed this patient's record in the last 30 days?” We can answer it in seconds.
- AES-256 encryption at rest for all PHI
- TLS 1.3 for all data in transit
- Complete audit trail for every data access
- Zero PHI in logs, error reports, or analytics
- Role-based access enforced at the query layer
- Automated breach detection and alerting
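The query-layer access control behind the minimum exposure principle and the read audit trail described above, as an added example rather than HealNote's own code: a per-role allow-list decides which columns are named in the SELECT, so a receptionist's query never fetches the diagnosis, an administrator's query only aggregates, and every read is recorded with who, when, which columns and which device, storing column names but never column values. The role names, table layout and SQLite backing store are assumptions for the illustration.

```python
import sqlite3
from datetime import datetime, timezone

# Columns each role may read. A column absent from the role's tuple is never
# named in the SELECT, so the database never returns it: minimum exposure is
# enforced by the query itself, not by filtering rows after retrieval.
ROLE_COLUMNS = {
    "receptionist": ("patient_name", "appointment_at"),
    "doctor": ("patient_name", "appointment_at", "diagnosis", "notes"),
}

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, patient_name TEXT,"
               " appointment_at TEXT, diagnosis TEXT, notes TEXT)")
    db.execute("CREATE TABLE audit (actor TEXT, role TEXT, record_id INTEGER,"
               " columns TEXT, device TEXT, accessed_at TEXT)")
    db.executemany("INSERT INTO records VALUES (?, ?, ?, ?, ?)", [  # constructed sample rows
        (1, "A. Patient", "2024-05-01T09:00", "Hypertension", "Recheck BP in 3 months"),
        (2, "B. Patient", "2024-05-01T09:30", "Migraine", "Triptan prescribed"),
    ])
    return db

def _audit(db, actor, role, record_id, columns, device):
    # Who, when, what, which device. Column names only, never values: no PHI in the log.
    db.execute("INSERT INTO audit VALUES (?, ?, ?, ?, ?, ?)",
               (actor, role, record_id, ",".join(columns), device,
                datetime.now(timezone.utc).isoformat()))

def read_record(db, actor, role, device, record_id):
    cols = ROLE_COLUMNS.get(role)
    if cols is None:
        raise PermissionError(f"role {role!r} may not read patient records")
    # Column names come from the allow-list, never the caller; the id is bound.
    row = db.execute(f"SELECT {', '.join(cols)} FROM records WHERE id = ?",
                     (record_id,)).fetchone()
    _audit(db, actor, role, record_id, cols, device)
    return None if row is None else dict(zip(cols, row))

def admin_summary(db, actor, device):
    # Administrators get aggregates only; no row-level column is ever selected.
    count = db.execute("SELECT COUNT(*) FROM records").fetchone()[0]
    _audit(db, actor, "admin", None, ("COUNT(*)",), device)
    return {"patients": count}

def who_accessed(db, record_id):
    # Answers "who accessed this record?" straight from the trail, oldest first.
    return db.execute("SELECT actor, role, columns, device, accessed_at FROM audit"
                      " WHERE record_id = ? ORDER BY rowid", (record_id,)).fetchall()
```

A read of a record that does not exist is still written to the trail, since an attempt to access is itself something an investigation needs to see.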
AI and privacy
When we use AI to analyse patient data — for intake form processing, diagnostic assistance, or clinical summarisation — the data never leaves our infrastructure. We do not send patient data to third-party AI APIs. Our models run within our own secure environment, subject to the same encryption and access controls as every other part of the system.
When we work with partners like Anthropic and Google on model development, we use de-identified, aggregated datasets that have been stripped of all PHI. The models learn patterns, not patients.
Compliance as culture
HIPAA compliance is often treated as a legal obligation — something the compliance team handles while the engineering team builds features. At HealNote, compliance is an engineering discipline. Our code review process includes security review. Our CI/CD pipeline includes automated checks for PHI exposure. Our development environment uses synthetic data, never real patient records.
We do not have a separate “security team.” Every engineer on our team is a security engineer. This is not idealistic — it is the only approach that works at the scale and speed we need to operate.
Trust takes years to build and seconds to lose. In healthcare, the stakes of that equation are not just commercial — they are deeply personal. Every data point in our system represents a moment of vulnerability, a person who trusted a doctor enough to share something private. We owe it to them to protect it with everything we have.