Comment by baobun

> I strongly believe that these kinds of apps need some kinds of privacy protections that are lighter-weight than HIPAA. I haven't yet found a perfect answer.

Let the data stay client side. Facilitate secure client-to-client communication instead of relying on the gravity well of cloud servers.

It becomes a lot more light-weight, and if done right the rules and red-tape do too as you reduce your presence in the regulatory scope by verifiably preventing access to user data by yourself (and service providers, their partners, hackers, and three-letter agencies).