Copyright Forbes

Bob Cody is the CXO at Gate6 - We build Experiences people love, delivering earliest lovable products.

I’ve worked with healthcare organizations long enough to notice a pattern: Many treat HIPAA compliance as a finish line. Once they've checked off a few items, passed an audit or updated a document or two, it gets put on the shelf until something goes wrong. But the reality is different. HIPAA compliance isn’t a one-time task; it’s a moving target, especially as new tech stacks emerge, mobile apps become patient-facing and data is shared through third-party APIs more than ever before.

Here’s what I’ve learned after being involved in the creation or modernization of numerous healthcare software systems and mobile platforms: The organizations that succeed view HIPAA not as a restriction but as a foundation for resilience and trust. And in a time when cyberattacks make headlines seemingly every week, that's not optional.

Compliance Is Not The Same As Security

A common misconception I encounter is the belief that “We follow HIPAA, so our information is secure.” That's not true. HIPAA regulations only ensure a baseline level of protection; they do not guarantee a complete defense against ransomware, phishing or other malicious software. I have seen compliant systems with expired SSL certificates, exposed encryption keys and no logs. One overlooked weakness can lead to the unauthorized disclosure of protected health information.

Your Mobile App Might Be The Weakest Link

Most people think of HIPAA as related to back-end systems, patient records and cloud storage. However, in today’s world, mobile apps and web portals often serve as the primary access points for patients and pose the most significant compliance risks. Healthcare applications often use third-party SDKs, analytics and outsourced cloud services that might not follow HIPAA rules.
I have reviewed applications with weak authentication controls, unencrypted data in transit and poorly designed session management. These issues are rarely intentional, but overlooking flaws of this severity does not make their consequences go away. If your developers aren’t building with HIPAA requirements integrated, you're probably exposing your users without knowing it.

Common Overlooked Areas You Need To Monitor

Here are four compliance blind spots I most commonly observe:

1. Data In Transit And At Rest: Encryption is just the beginning. Many teams settle for HTTPS and believe they are protected. You need comprehensive data lifecycle security, including secure storage of backups and logs.

2. Access Control: Who has access, and how is that access managed? Are old employee credentials still active? Is multifactor authentication enforced?

3. Vendor Oversight: Offshore development partners or third-party plugins can create unexpected compliance gaps. Without proper business associate agreements (BAAs), you are accepting legal risk.

4. Incident Readiness: Do you have an actual response plan? Not just a document gathering dust, but a practical playbook your team knows how to follow?

In my experience, organizations that proactively audit these areas move the fastest because they don’t need to stop and fix things later.

Build Compliance Into The Process, Not After It

Here's a mindset shift that works: Treat HIPAA as a design constraint, not just a post-launch filter. That means involving compliance experts early in development. It means embedding security checks into QA cycles. It also means choosing vendors and tools that have HIPAA-readiness built in, not added later. At my company, we frequently develop healthcare platforms with compliance integrated into every sprint. It’s not just about passing an audit; it’s about creating something that both patients and providers can trust.
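The access-control questions in blind spot 2 above (stale credentials, multifactor enforcement) and the session-management weaknesses mentioned earlier are concrete enough to script, so the check can run in every QA cycle rather than waiting for the next audit. The following Python is an added illustration, not code from the article or from Gate6. It reviews a constructed list of accounts against assumed policy thresholds (90-day dormancy, 15-minute idle timeout, 8-hour absolute session lifetime) and evaluates constructed sessions against a server-side timeout policy; the thresholds and the account and session records are placeholders, not figures from the article.

```python
"""Scripted access review and session-timeout policy check.

Added illustration, not code from the article or from Gate6. Account and
session records are constructed sample data; the thresholds (90-day dormancy,
15-minute idle timeout, 8-hour absolute session lifetime) are assumed policy
values, not figures from the article.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

DORMANT_AFTER = timedelta(days=90)      # assumed policy: flag accounts idle this long
IDLE_TIMEOUT = timedelta(minutes=15)    # assumed policy: session idle limit
ABSOLUTE_LIFETIME = timedelta(hours=8)  # assumed policy: hard session lifetime


@dataclass
class Account:
    username: str
    enabled: bool
    mfa_enabled: bool
    last_login: Optional[datetime]                 # None = never logged in
    employment_ended: Optional[datetime] = None    # set when HR offboards the person
    roles: List[str] = field(default_factory=list)


@dataclass
class Finding:
    username: str
    detail: str


def audit_accounts(accounts: List[Account], now: datetime) -> List[Finding]:
    """Return one finding per violated access-control rule for each enabled account."""
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account cannot be used, so there is nothing to flag
        if acct.employment_ended is not None and acct.employment_ended <= now:
            findings.append(Finding(acct.username,
                "still enabled after offboarding on %s" % acct.employment_ended.date()))
        if not acct.mfa_enabled:
            findings.append(Finding(acct.username, "multifactor authentication not enforced"))
        if acct.last_login is None or now - acct.last_login > DORMANT_AFTER:
            findings.append(Finding(acct.username,
                "dormant: no login in the last %d days" % DORMANT_AFTER.days))
    return findings


@dataclass
class Session:
    token_id: str
    created: datetime
    last_seen: datetime
    revoked: bool = False   # server-side kill switch (logout, password change, admin action)


def session_is_valid(sess: Session, now: datetime) -> bool:
    """A session must be unrevoked, within its absolute lifetime and not idle too long."""
    if sess.revoked:
        return False
    if now - sess.created > ABSOLUTE_LIFETIME:
        return False
    if now - sess.last_seen > IDLE_TIMEOUT:
        return False
    return True


def valid_session_ids(sessions: List[Session], now: datetime) -> List[str]:
    """Token ids of the sessions that still pass the policy at time `now`."""
    return [s.token_id for s in sessions if session_is_valid(s, now)]


# Constructed sample data (not real accounts or sessions)
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

SAMPLE_ACCOUNTS = [
    Account("nurse.a", True, True, NOW - timedelta(days=1), roles=["clinician"]),
    # contractor offboarded six months ago, never disabled, never had MFA
    Account("former.contractor", True, False, NOW - timedelta(days=200),
            employment_ended=NOW - timedelta(days=180)),
    # integration account created but never used, and without MFA
    Account("svc-analytics", True, False, None, roles=["integration"]),
    # already disabled: produces no findings
    Account("old.admin", False, False, NOW - timedelta(days=400)),
]

SAMPLE_SESSIONS = [
    Session("s-active", NOW - timedelta(hours=1), NOW - timedelta(minutes=5)),
    Session("s-idle", NOW - timedelta(hours=1), NOW - timedelta(minutes=30)),
    Session("s-too-old", NOW - timedelta(hours=9), NOW - timedelta(minutes=1)),
    Session("s-revoked", NOW - timedelta(hours=1), NOW, revoked=True),
]


if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_ACCOUNTS, NOW):
        print("FINDING %-18s %s" % (f.username, f.detail))
    print("valid sessions:", valid_session_ids(SAMPLE_SESSIONS, NOW))
```

Run against the sample data, the review reports five findings (three for the offboarded contractor, two for the never-used integration account) and only the active session survives the timeout rules. The same functions can be pointed at an export from the identity provider and the session store and wired into the QA pipeline, so an account that should have been disabled at offboarding fails a build instead of surfacing in an audit months later.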
Here are three things you can begin doing now:

• Include HIPAA in your development process. Don’t wait until QA to raise concerns.
• Train your entire team. Everyone—from designers to product managers—should understand the basics of compliance.
• Review your tech stack regularly. What was secure 18 months ago might no longer meet current standards.

Take A More Proactive Approach Today

Once they understand the benefits of HIPAA compliance, many organizations view it not as a cost to be tolerated but as an opportunity to improve software development and strengthen client relations. I’ve seen companies forced into urgent rebuilds, expensive legal fixes and PR crises, all because compliance wasn’t part of the conversation early enough. Don’t be that company. Start treating compliance as part of your product strategy. It’ll save you money and generate more value over time.