Understanding HIPAA Compliance: Lessons Learned from Building a Telehealth App
Developing healthcare applications often involves navigating complex privacy and security standards, especially when handling Protected Health Information (PHI). Recently, I embarked on creating a telehealth minimum viable product (MVP) using Lovable, a platform that promises quick AI-driven code generation, authentication handled by Clerk, and database management with Supabase. It even features an appealing security scan tool that seems to add an extra layer of reassurance.
However, after months of development, I uncovered some critical insights that changed my approach. Despite the initial promising features, Lovable does not come with a Business Associate Agreement (BAA), a fundamental requirement for HIPAA compliance. Interestingly, there's no hidden BAA option or additional cost tier that offers this protection. More concerning, their terms specify that, unless you're on an enterprise plan (whose pricing remains opaque), they reserve the right to use prompts and data you input to train their AI models.
This discovery implies that my test scenarios involving mock patients, which I believed were purely local and secure, could potentially feed into Lovable's AI training datasets. This is a significant risk when dealing with sensitive health data.
While the underlying components, Clerk and Supabase, can be configured for HIPAA compliance, it requires substantial manual setup, signing separate BAAs, and managing compliance protocols yourself. Lovable, as a platform, remains outside the protected environment, meaning your data's privacy isn't inherently guaranteed.
Faced with these limitations, I decided to overhaul my entire infrastructure, switching to dedicated healthcare-compliant services. This experience reinforced an important lesson: attempting to retrofit compliance into a platform not designed for it often leads to delays and increased complexity. In contrast, using properly certified tools accelerates development and ensures regulatory adherence.
If I could offer advice to fellow developers, it would be to recognize Lovable as a powerful prototyping tool, ideal for rapid development and testing, but not suitable for applications involving real PHI. Better to invest time upfront in selecting platforms with clear compliance guarantees than to risk compromising patient data and facing costly rework later.
Has anyone else encountered similar situations or made comparable mistakes? Sharing your experiences can help others avoid unnecessary setbacks and streamline their path toward compliant healthcare solutions.