Why Your No-Code Healthtech MVP Might Not Be HIPAA Compliant
You built a healthtech MVP on Bubble in three weeks. It works. Patients can book appointments, submit intake forms, and message providers. You're ready to pilot with a local clinic.
January 8, 2025 17 min read
The clinic's legal team asks: "Is this HIPAA compliant? Can you sign a Business Associate Agreement?" You say yes, assuming Bubble handles that. You send Bubble's security documentation. The clinic's lawyers respond: "This doesn't address our requirements. Do you have a BAA with Bubble? What about data encryption? Where is PHI stored?"
You discover Bubble offers BAAs only on expensive enterprise plans. Your current plan doesn't include the encryption options you need. The PHI you've already collected from test users is stored in ways you can't fully control or audit.
No-code tools are incredible for rapid prototyping. But HIPAA compliance requires control, documentation, and vendor agreements that most no-code platforms either don't support or only provide on enterprise tiers you can't afford.
What No-Code Tools Claim About HIPAA
Most popular no-code platforms mention HIPAA in their marketing. The reality is more limited than the claims suggest.
Bubble's HIPAA Story
Bubble is the most popular no-code platform for building web apps. Their HIPAA position:
What they claim:
"HIPAA-ready infrastructure available"
"Supports healthcare applications"
"Security features for protected health information"
What this actually means:
BAAs available only on Dedicated or Agency plans ($349+/month per app)
You must configure encryption and security settings correctly
Zapier and Make
Zapier and Make (formerly Integromat) connect different tools through automation workflows. Some founders use them to move patient data between systems.
HIPAA compliance for automation tools:
Zapier offers BAAs on Team ($69/month) and Company ($99/month) plans
Make offers BAAs but requires contact for pricing
You need BAAs with every tool in the workflow, not just the automation platform
Where this breaks down:
Zapier plus a HIPAA-compliant database is not enough if the workflow also passes through Gmail on a consumer Google account (no BAA is available there)
Workflows that touch non-compliant services break HIPAA compliance even if some components are compliant
Debugging automation failures often exposes PHI: task histories and error logs retain the full payload of each run, and you do not control how long they are kept or how they are protected
Workflow automation for PHI requires every single component to be HIPAA compliant with signed BAAs. One non-compliant link in the chain breaks everything.
Why No-Code Falls Short for HIPAA
HIPAA compliance is not only about security features. It's about control, documentation, and contractual obligations. No-code tools limit all three. For a comprehensive overview of HIPAA requirements, see our HIPAA risk assessment guide.
You Don't Control Data Storage
HIPAA requires knowing exactly where PHI is stored and how it's protected. No-code platforms abstract this away.
What you can't control on no-code platforms:
Data residency: PHI might be stored in multiple regions or countries. HIPAA doesn't forbid this, but some state laws do. You often can't choose.
Backup locations: Automated backups might be stored in different facilities than primary data. You can't specify where.
Encryption methods: Platforms choose encryption algorithms and key management approaches. You can't customize or audit.
Data deletion: When you delete records, are they truly gone or kept in backups? You don't know.
Audit Trails Fall Short
HIPAA requires audit trails showing who accessed what PHI and when. Most no-code platforms have basic activity logs, not HIPAA-grade audit trails.
What HIPAA audit trails need:
Record of every PHI access with user ID and timestamp
Immutable logs that cannot be edited or deleted
Logs retained for at least 6 years (the documentation retention period in 45 CFR 164.316(b)(2), which is the baseline most organizations apply to audit records)
Queryable by patient, user, date range, or action type
What no-code platforms actually provide:
General activity logs showing page views or record changes
Logs that may be deleted or overwritten after 30-90 days
No PHI-specific tagging or filtering
Export-only formats that make searching difficult
When a patient requests an accounting of disclosures (their right under 45 CFR 164.528), you need to reconstruct which disclosures of their PHI were made outside treatment, payment, and operations, to whom, and when. When OCR investigates a breach, you need every instance their PHI was viewed or modified. No-code tools can't easily produce either.
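What a HIPAA-grade trail needs to look like in practice is easier to see in code than in a requirements list. The following is an added illustration, not code from the original article and not any platform's feature: an append-only audit log whose rows are hash-chained, so editing a stored row (or deleting one from the middle) makes verification fail, with the per-patient, per-user, per-action and date-range queries the page lists. The user IDs, patient IDs and timestamps are constructed sample data. One caveat the code makes visible: a chain only proves that history was not rewritten, not that the tail was not cut off, so the latest hash should be published somewhere the log writer cannot alter (a separate account, a WORM bucket, or a third party).

```python
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # "previous hash" of the very first event


@dataclass(frozen=True)
class AuditEvent:
    seq: int        # position in the log; a gap or reordering breaks verification
    ts: str         # ISO-8601 timestamp of the access
    actor: str      # user or service account that touched the PHI
    patient: str    # whose record was touched
    action: str     # view / update / export / delete
    resource: str   # which part of the record (intake_form, session_note, ...)
    prev_hash: str  # hash of the preceding event: the chain link
    hash: str       # SHA-256 over prev_hash plus this event's content


def _content(ev: AuditEvent) -> dict:
    """The fields covered by the hash (everything except the two hashes)."""
    body = asdict(ev)
    body.pop("prev_hash")
    body.pop("hash")
    return body


def _digest(content: dict, prev_hash: str) -> str:
    # Canonical JSON so the digest does not depend on key order.
    canon = json.dumps(content, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canon).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only, hash-chained trail. Rows are never edited in place; any
    change to a stored row, or removal of a row from the middle, fails
    verify(). Truncation of the tail is only caught if the latest hash is
    anchored outside the system that writes the log."""

    def __init__(self) -> None:
        self.events: List[AuditEvent] = []

    def record(self, actor: str, patient: str, action: str, resource: str,
               ts: Optional[str] = None) -> AuditEvent:
        ts = ts or datetime.now(timezone.utc).isoformat()
        prev = self.events[-1].hash if self.events else GENESIS
        content = {"seq": len(self.events), "ts": ts, "actor": actor,
                   "patient": patient, "action": action, "resource": resource}
        ev = AuditEvent(**content, prev_hash=prev, hash=_digest(content, prev))
        self.events.append(ev)
        return ev

    def verify(self) -> bool:
        prev = GENESIS
        for i, ev in enumerate(self.events):
            if ev.seq != i or ev.prev_hash != prev or ev.hash != _digest(_content(ev), prev):
                return False
            prev = ev.hash
        return True

    def query(self, patient: Optional[str] = None, actor: Optional[str] = None,
              action: Optional[str] = None, start: Optional[str] = None,
              end: Optional[str] = None) -> List[AuditEvent]:
        """Filter by patient, user, action type and/or an ISO-8601 date range."""
        lo = datetime.fromisoformat(start) if start else None
        hi = datetime.fromisoformat(end) if end else None
        out = []
        for ev in self.events:
            t = datetime.fromisoformat(ev.ts)
            if patient and ev.patient != patient:
                continue
            if actor and ev.actor != actor:
                continue
            if action and ev.action != action:
                continue
            if (lo and t < lo) or (hi and t > hi):
                continue
            out.append(ev)
        return out


def build_sample_log() -> AuditLog:
    """Constructed sample accesses: fictional users, patients and times."""
    log = AuditLog()
    log.record("dr_lee", "pt_001", "view", "intake_form", "2025-01-08T09:00:00+00:00")
    log.record("dr_lee", "pt_001", "update", "session_note", "2025-01-08T09:15:00+00:00")
    log.record("dr_kim", "pt_002", "view", "intake_form", "2025-01-08T10:00:00+00:00")
    log.record("admin", "pt_001", "export", "full_record", "2025-01-09T08:30:00+00:00")
    return log


def tamper_demo() -> Tuple[bool, bool]:
    """Verification result before and after someone edits a stored row."""
    log = build_sample_log()
    before = log.verify()
    log.events[1] = replace(log.events[1], actor="someone_else")  # rewriting history
    return before, log.verify()


if __name__ == "__main__":
    log = build_sample_log()
    print("chain valid:", log.verify())
    for ev in log.query(patient="pt_001"):
        print(ev.ts, ev.actor, ev.action, ev.resource)
    print("before/after tampering:", tamper_demo())
```

The hash chain is what turns an ordinary activity log into evidence: the platform logs the page lists can be edited or silently expired, and nothing about them proves otherwise. In a real deployment the `events` list is a database table the application role can only INSERT into, and the patient filter is what answers an accounting-of-disclosures request.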
Third-Party Integrations Create Compliance Gaps
No-code platforms rely on integrations for features like email, payments, or analytics. Each integration is a potential HIPAA violation.
Common integration problems:
Email services:
Sending appointment confirmations through standard Mailchimp or SendGrid (without BAAs)
Patient communications flowing through Gmail or Outlook (no BAAs on consumer accounts)
Automated emails containing PHI in subject lines or body text
Analytics tools:
Google Analytics tracking patient interactions (Google doesn't offer BAAs for Analytics)
Mixpanel or Amplitude analyzing user behavior with patient identifiers
Heatmap tools recording sessions containing PHI
Payment processors:
Stripe integration storing notes like "payment for diabetes consultation" (diagnosis is PHI)
Invoice descriptions containing patient names and medical services
Payment confirmation emails auto-generated with health information
Customer support:
Support tickets created through Intercom or Zendesk (need BAAs with these vendors)
Live chat logs containing patient questions about health conditions
Help desk systems accessible by support staff without proper BAA coverage
Every integration must have a BAA. Most no-code integrations don't.
You Can't Customize Security Controls
HIPAA requires "reasonable and appropriate" safeguards chosen through your own risk analysis (45 CFR 164.308(a)(1)). No-code platforms give you their security model. Take it or leave it.
Customizations you can't make:
Access controls:
Implementing fine-grained role-based permissions beyond what the platform offers
Restricting access based on patient relationships (provider only sees their assigned patients)
Time-based access (temporary access for consultants or auditors)
IP-based restrictions (only allow access from clinic network)
Authentication requirements:
Enforcing specific password complexity beyond platform defaults
Requiring specific multi-factor authentication methods
Implementing session timeouts shorter than platform minimums
Custom authentication flows for different user types
Data encryption:
Choosing specific encryption algorithms or key sizes
Managing your own encryption keys (bring your own key)
Implementing field-level encryption for especially sensitive data
Encrypting data in transit between your app and third-party services
You get the platform's security model. If it's insufficient for your risk profile, you're stuck.
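To make concrete what "customizing controls to your risk profile" means, here is an added example, written for this page rather than taken from the article or from any platform: one authorization function that enforces four of the controls listed above (patient-relationship scoping, a time-boxed account, an idle timeout shorter than typical defaults, and a clinic-network restriction) as deny-by-default checks, each returning a reason code meant to be written to the audit trail. The clinic network (the 203.0.113.0/24 documentation range), the users, patient IDs and clock are all constructed fixtures.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed example: the TEST-NET-3 range stands in for the clinic's office network.
CLINIC_NETWORKS = (ip_network("203.0.113.0/24"),)
SESSION_TIMEOUT = timedelta(minutes=15)   # shorter than most platform defaults

# Actions each role may perform at all. Auditors are read-only by design;
# a role not listed here is denied everything.
ROLE_ACTIONS = {
    "provider": {"view", "update"},
    "auditor": {"view"},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str
    assigned_patients: FrozenSet[str] = frozenset()  # providers: the patients they treat
    access_expires: Optional[datetime] = None        # time-boxed consultants / auditors


def authorize(principal: Principal, patient_id: str, action: str, now: datetime,
              source_ip: str, last_activity: datetime) -> Tuple[bool, str]:
    """Deny-by-default gate. The first failing check wins; the reason code is
    meant to be recorded in the audit trail next to the decision."""
    if not any(ip_address(source_ip) in net for net in CLINIC_NETWORKS):
        return False, "outside_clinic_network"
    if now - last_activity > SESSION_TIMEOUT:
        return False, "session_expired"
    if principal.access_expires is not None and now > principal.access_expires:
        return False, "access_window_expired"
    if action not in ROLE_ACTIONS.get(principal.role, set()):
        return False, "action_not_permitted_for_role"
    if principal.role == "provider" and patient_id not in principal.assigned_patients:
        return False, "patient_not_assigned"   # minimum necessary: only your own patients
    return True, "ok"


# Constructed fixtures: fictional users, a fixed clock, documentation IP addresses.
NOW = datetime(2025, 1, 8, 10, 0, tzinfo=timezone.utc)
DR_LEE = Principal("dr_lee", "provider", frozenset({"pt_001"}))
EXTERNAL_AUDITOR = Principal("auditor_1", "auditor",
                             access_expires=NOW + timedelta(days=1))
LAPSED_CONSULTANT = Principal("consult_9", "provider", frozenset({"pt_001"}),
                              access_expires=NOW - timedelta(days=1))
INSIDE, OUTSIDE = "203.0.113.10", "198.51.100.7"


def demo() -> Dict[str, str]:
    """Run the scenarios and return the reason code for each, keyed by name."""
    fresh, idle = NOW - timedelta(minutes=5), NOW - timedelta(minutes=20)
    cases = {
        "provider_assigned_patient": (DR_LEE, "pt_001", "view", NOW, INSIDE, fresh),
        "provider_other_patient":    (DR_LEE, "pt_002", "view", NOW, INSIDE, fresh),
        "provider_from_home":        (DR_LEE, "pt_001", "view", NOW, OUTSIDE, fresh),
        "provider_idle_session":     (DR_LEE, "pt_001", "view", NOW, INSIDE, idle),
        "auditor_read_any_patient":  (EXTERNAL_AUDITOR, "pt_002", "view", NOW, INSIDE, fresh),
        "auditor_tries_to_edit":     (EXTERNAL_AUDITOR, "pt_002", "update", NOW, INSIDE, fresh),
        "consultant_after_expiry":   (LAPSED_CONSULTANT, "pt_001", "view", NOW, INSIDE, fresh),
    }
    return {name: authorize(*args)[1] for name, args in cases.items()}


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name:28s} -> {reason}")
```

The point of the reason codes is that a denied request is itself a security event: "provider_other_patient" denials clustered on one account are exactly the pattern an insider-snooping investigation looks for, and a platform that only offers role names without this kind of hook gives you no way to see it.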
BAAs Aren't Enough
Even when no-code platforms offer BAAs, signing one doesn't make you compliant.
What a BAA does:
Obligates the vendor to protect PHI according to HIPAA
Defines the vendor's responsibilities if a breach occurs
Allows you to use that vendor for PHI handling
What a BAA doesn't do:
Make your application automatically compliant
Guarantee the platform's features meet HIPAA requirements
Exempt you from implementing your own safeguards
Remove your liability if the vendor has a breach
A BAA is necessary but not sufficient. You still need to configure the platform correctly, implement access controls, conduct risk assessments, train your team, and document everything.
Many founders think "we have a BAA" equals "we're HIPAA compliant." It doesn't.
Real Scenarios Where No-Code Breaks
These are actual situations where no-code healthtech MVPs created compliance problems.
Scenario 1: Mental Health Scheduling App
What was built: Bubble app for therapists to manage client appointments and session notes. Built on Professional plan ($134/month) to save money during validation.
The problem: Therapist signed BAA with clinic they work with. Clinic legal team asked for copy of BAA with Bubble. Founder didn't have one (Professional plan doesn't include BAAs). Founder upgraded to Dedicated plan ($349/month per app, $4,188/year). First-year budget blown before getting first paying customer.
What should have happened: Built on custom code with HIPAA-ready infrastructure like Convex (offers BAAs on all paid plans). Would have cost similar dev time but no surprise $4K/year platform fees.
Scenario 2: Telehealth Platform With Airtable Backend
What was built: Simple telehealth platform with Webflow frontend, Airtable storing patient records, and Zapier connecting them. Total monthly cost: under $100.
The problem: First enterprise customer asked for BAA with all vendors. Webflow doesn't offer BAAs. Airtable BAAs require Enterprise plan ($4K/month minimum). Customer walked. Founder had to rebuild entire platform on compliant infrastructure.
Migration pain: 200+ patient records needed to be exported, cleaned, and re-imported to new system. Providers had to be retrained on new interface. Lost 3 months and the original customer.
Scenario 3: Patient Intake Forms With Google Sheets
What was built: Custom intake forms built in Typeform feeding responses to Google Sheets for provider review. Used for nutrition coaching collecting health histories.
The problem: Patient submitted intake form including medications and health conditions (PHI). Data went to Google Sheets on a Google account that had never been covered by a BAA. Google offers a BAA only for paid Google Workspace editions, and an administrator has to accept it in the admin console; a consumer Google account is never covered. All PHI was stored non-compliantly.
Regulatory risk: If reported, OCR could treat storing PHI without appropriate safeguards as willful neglect. For willful neglect that is not corrected within 30 days, the base penalty is $50,000 per violation (the amounts are adjusted for inflation each year), and OCR can count each day of non-compliance as a separate violation.
What should have happened: Used Typeform Enterprise (offers BAAs) or built custom forms storing data in HIPAA-ready database from the start.
Scenario 4: Analytics Tracking Patient Journeys
What was built: Healthtech app with Google Analytics tracking which patients completed intake, booked appointments, or messaged providers.
The problem: Google Analytics tracked events with patient user IDs as custom dimensions. An internal patient ID is "any other unique identifying number, characteristic, or code", one of the 18 identifiers in the Safe Harbor list (45 CFR 164.514(b)), and attaching it to events like "completed intake" or "messaged provider" ties an individual to health information. PHI was being sent to Google Analytics, which doesn't offer BAAs. Every analytics event was a HIPAA violation.
Discovery: Caught during SOC 2 audit preparation. Auditor flagged it as critical finding. Had to remove all analytics, delete historical data, and re-implement with HIPAA-compliant analytics tool.
What should have happened: Either anonymize analytics data (don't track individual users) or use analytics tools that offer BAAs and are designed for healthcare.
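The "anonymize it" option is easy to state and easy to get wrong, so here is an added example of the control that would have caught Scenario 4 before the first event left the building. It is written for this page, not taken from the article or from any analytics vendor: an outbound gate that only forwards an allow-list of event properties, requires each value to come from a bounded vocabulary (so free text such as a payment note or diagnosis cannot ride along in an allowed field), fails closed when an identifier key is present, and attaches a random per-session token instead of a patient ID. The event names, property names and sample payloads are constructed for the example. Note what the token does and does not give you: it is not derived from the patient ID or any PHI, so the vendor cannot reverse it or correlate sessions across visits; whether session-level behavioral data is acceptable for your product is still a risk-analysis decision, not something the code settles.

```python
import re
import secrets
from typing import Dict, List, Tuple

# Constructed vocabularies for this example. Only these properties may leave the
# HIPAA boundary, and each value must pass its check so free text cannot ride along.
EVENT_NAMES = {"intake_started", "intake_completed", "appointment_booked", "message_sent"}
DEVICE_TYPES = {"web", "ios", "android"}
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")

ALLOWED_PROPERTIES = {
    "event": lambda v: v in EVENT_NAMES,
    "step": lambda v: isinstance(v, int) and 0 <= v <= 20,
    "device_type": lambda v: v in DEVICE_TYPES,
    "app_version": lambda v: isinstance(v, str) and VERSION_RE.match(v) is not None,
}

# Keys that carry identifiers or clinical content. If one shows up, the code that
# built the event is wrong; fail closed rather than silently dropping the key.
FORBIDDEN_KEYS = {
    "patient_id", "user_id", "mrn", "email", "phone", "name", "dob", "ip",
    "address", "notes", "diagnosis", "medications", "conditions",
}


class PhiLeakError(ValueError):
    """Raised when an event must not be sent to a vendor without a BAA."""


def new_session_token() -> str:
    # Random per-session value, generated fresh each session and never stored
    # next to the patient record, so it cannot be linked back to a person.
    return secrets.token_hex(16)


def scrub_for_analytics(event: Dict, session_token: str) -> Tuple[Dict, List[str]]:
    """Return (safe_event, dropped_keys). Raises PhiLeakError on identifiers
    or on allowed keys whose values fall outside the bounded vocabulary."""
    leaked = sorted(k for k in event if k in FORBIDDEN_KEYS)
    if leaked:
        raise PhiLeakError(f"identifier or clinical field in analytics event: {leaked}")
    safe, dropped = {}, []
    for key, value in event.items():
        check = ALLOWED_PROPERTIES.get(key)
        if check is None:
            dropped.append(key)  # unknown property: never forwarded, but logged
        elif not check(value):
            raise PhiLeakError(f"value for {key!r} is outside the allowed vocabulary")
        else:
            safe[key] = value
    safe["session"] = session_token
    return safe, dropped


def rejected(event: Dict) -> bool:
    """True if the gate refuses to forward this event at all."""
    try:
        scrub_for_analytics(event, new_session_token())
        return False
    except PhiLeakError:
        return True


if __name__ == "__main__":
    token = new_session_token()
    # Constructed sample: the Scenario 4 shape (patient ID as a custom dimension).
    print("patient id as dimension rejected:", rejected({"event": "intake_completed", "patient_id": "pt_001"}))
    # Constructed sample: free text in an allowed field (the Stripe-note problem).
    print("free text rejected:", rejected({"event": "payment for diabetes consultation"}))
    safe, dropped = scrub_for_analytics(
        {"event": "intake_completed", "step": 3, "device_type": "web", "utm_source": "newsletter"}, token)
    print("forwarded:", safe, "dropped:", dropped)
```

Put this gate in front of every outbound call to a non-BAA vendor, not only analytics: the same allow-list-and-vocabulary check is what keeps "payment for diabetes consultation" out of a Stripe memo and a patient name out of an email subject line.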
When No-Code Can Work for Healthtech
No-code isn't completely off-limits for healthtech. It works in specific scenarios.
Marketing Websites and Landing Pages
If you're not collecting or storing any patient data, no-code tools work fine:
Webflow for marketing site: Company information, provider bios, blog content, contact forms for general inquiries (not health information)
Framer for landing pages: Product explainers, pricing pages, demo request forms (no PHI collected)
Carrd for simple one-pagers: Basic information and links to HIPAA-compliant app hosted elsewhere
As long as no PHI touches the no-code tool, you don't need BAAs or HIPAA compliance for that component.
Internal Tools Not Touching Patient Data
Operations and admin tools:
Airtable for employee onboarding and HR processes
Notion for internal documentation and wikis
Zapier automating non-PHI workflows (marketing automation, social media posting)
Internal tools that never access patient data don't need HIPAA compliance. Just make sure PHI never enters these systems.
Very Early Prototyping (Not for Real Patients)
You can use no-code for initial concept validation if:
You're only using fake/test data, never real patient information
You're demoing to potential customers without collecting their patients' data
You understand you'll rebuild on compliant infrastructure before handling real PHI
Important: Once you touch real patient data, even in a pilot, you need HIPAA compliance. Don't collect PHI thinking you'll deal with compliance later.
No-Code on Enterprise Plans
If you can afford enterprise pricing for every tool in your stack:
Bubble Dedicated plan with BAA ($349+/month)
Airtable Enterprise with BAA ($4,000+/month)
Zapier with BAAs on all connected services
Enterprise analytics tools with BAAs
This gets expensive quickly. At enterprise no-code pricing, custom development often costs less and gives you more control.
When to Switch to Custom Code
Specific triggers should push you from no-code to custom development.
First Paying Customer Requiring BAA
When your first serious customer asks for compliance documentation and BAAs, it's time to migrate. Enterprise customers won't accept "we're working on compliance." They need proof before signing contracts.
Timeline pressure: Healthcare sales cycles run 12-18 months. You can't afford to waste 6 months on a no-code platform, then another 3 months migrating. Start compliant so you're ready when enterprise opportunities appear.
Plan your migration before hitting hard limits that break your product.
Need for Custom Integrations
Healthcare requires integrations with EHR systems, e-prescribing networks, insurance clearinghouses, and medical device APIs. No-code platforms can't support most of these.
Integrations requiring custom code:
HL7 or FHIR interfaces with Epic, Cerner, or other EHRs
Surescripts integration for e-prescribing
Insurance eligibility verification and claims submission
Medical device data from wearables or monitoring equipment
When your roadmap includes these integrations, no-code won't cut it.
SOC 2 or Advanced Compliance Requirements
Enterprise healthcare customers often require SOC 2 Type 2 reports. Getting SOC 2 on no-code platforms is difficult:
SOC 2 challenges with no-code:
Auditors question your control over infrastructure you don't own
Shared responsibility models create ambiguity in control ownership
Limited ability to customize security controls to match audit criteria
Dependence on vendor's SOC 2 status and willingness to support your audit
Custom code hosted on compliant infrastructure (Vercel, AWS, or similar with your own SOC 2) gives auditors clarity on control ownership.
Cost Exceeds Custom Development
At enterprise no-code pricing, custom development is often cheaper, and it gives you the control over storage, logging, and integrations described above.
You can still use no-code tools for parts of your business:
Webflow for marketing website
Notion for internal docs
Airtable for non-patient operations
Zapier for marketing automation
Just keep PHI out of these tools. Build compliant infrastructure for anything touching patient data.
Key Takeaways
No-code tools are powerful for rapid prototyping but create HIPAA compliance problems for healthtech startups:
Why no-code fails for HIPAA:
BAAs only available on expensive enterprise plans ($4K-50K/year)
Limited control over data storage, encryption, and audit logging
Third-party integrations often lack BAAs
Cannot customize security controls to match your risk assessment
Migration costs and delays when you outgrow the platform
No-code can work for:
Marketing websites and landing pages (no PHI)
Internal tools not touching patient data
Early prototyping with fake data only
Enterprise-plan budgets ($50K+/year for compliant no-code stack)
When to use custom code from the start:
Building for real patients (even in pilot programs)
Targeting enterprise healthcare customers
Roadmap includes EHR integration, e-prescribing, or insurance billing
Cannot afford $50K+/year in enterprise no-code platform fees
HIPAA-ready stack for healthtech MVPs:
Convex for backend (HIPAA-ready, offers BAAs)
Next.js for frontend
Clerk or WorkOS for authentication
Vercel or AWS for hosting
Total annual cost: $2K-6K vs $50K+ for enterprise no-code
Build on compliant infrastructure from day one. The migration pain and lost time isn't worth the temporary speed of no-code prototyping.
This is not legal or compliance advice. HIPAA requirements are complex and situation-specific. Consult qualified legal and compliance professionals before making technology decisions for handling PHI.