Security
Your AI built a healthcare app. It didn't read HIPAA.
May 9, 2026 · 5 min read · Anju Kumari
Building a patient-facing app with Lovable, Replit, or Cursor is the fastest way to test whether anyone wants it. But healthcare is the one domain where "it works in the demo" and "it's safe to put in front of real patients" are separated by a legal wall — and AI coding tools cannot see that wall. They answer the prompt you wrote. They don't know that the data flowing through your app is protected health information, or that mishandling it carries fines measured in the tens of thousands of dollars per record.
Here's what actually gets shipped, and why none of it shows up when you click through your own app.
The gaps AI leaves in a healthcare build
PHI in places it should never be. AI-generated apps routinely log full request bodies for debugging, cache responses, or send data to third-party analytics — and in a healthcare app, those request bodies contain patient names, diagnoses, and identifiers. HIPAA doesn't care that the leak was accidental. Protected data in your logs, your error tracker, or an analytics tool you didn't sign a business associate agreement with is a violation whether or not anyone malicious ever sees it.
Access controls that trust the front end. The most common serious flaw we find in AI-built apps is authorization that lives in the interface, not the server. The app hides the "view other patient" button, so it looks locked down — but the underlying API will happily return patient B's records if patient A asks for them directly. In a to-do app that's a bug. In a patient portal it's a reportable breach.
No audit trail. HIPAA requires you to know who accessed what, and when. AI tools don't build that unless you specifically ask — and most founders don't know to. The first time you'll discover it's missing is when a regulator or a customer's security team asks for the access logs and there aren't any.
Encryption that stops at the marketing copy. "Secure" in an AI-generated README often means HTTPS is on. It rarely means data is encrypted at rest, that keys are managed properly, or that backups are protected. Those are the parts that matter in an audit, and they're the parts AI skips.
Why you can't catch these yourself
Every one of these gaps is invisible from the outside. Your app looks fine. It behaves correctly for you, the honest user clicking the intended buttons. The failures only appear when someone asks a question your interface didn't anticipate — a direct API call, a hostile input, a request for the logs. Finding them takes an engineer who has operated production healthcare systems and knows exactly where the bodies are buried, reading the actual code rather than using the app.
What to do before real patients touch it
Get the code read before you scale, not after a breach. Our code audit covers exactly this: where PHI actually flows, whether access control is enforced on the server, whether you have the audit trail and encryption HIPAA expects, and a prioritized list of what to fix first. Fixed price from $995, a written report in five business days, in plain language you can hand to a co-founder or an investor.
If you're putting an AI-built app in front of patients, this is the check that stands between a fast launch and an expensive one.
Related: read the auth security breakdown · book a vibe coding audit
Talk to us about your project
Senior engineers, honest scoping, fixed prices — quoted before work starts, paid when you approve the result.
Start a conversation →