For highly regulated sectors like healthcare, delving into the realms of no-code to build apps can be a slightly intimidating prospect. Here the founder of a no-code development agency lifts the lid on what she learned helping an organisation in the space. *Spoiler*: it can be done.
Veronica Picciafuoco heads up Eldur Studio: a no-code development agency that helps organisations implement no-code and low-code tools, and shows what can be done without developers. On a recent project, she was tasked with a slightly sensitive challenge. A company in the telehealth space wanted to build a patient portal app for onboarding purposes, but were eager not to slow down development on their core product, their mobile app. They wanted to create a patient portal that their employees (in this case, members of the care team) could use and tweak themselves, without having their team of developers build those apps from scratch.
The company can’t be named due to compliance reasons. If we told you, we’d have to kill you and then probably ourselves. That gives a hint of the kind of industry they’re operating in – where rules around compliance and privacy are understandably stringent. The upshot is that for many building apps that handle health information, delving into the realms of no-code can be a slightly off-putting prospect.
Well, it needn’t be. That’s the message from Veronica, who managed to successfully build a no-code solution combining Twilio, Retool, Make and Google Sheets. The result is a patient portal that helps a single member of the care team support hundreds of patients, instead of a handful. Here Veronica gives us her key learnings.
1. Audit your processes before making any architectural decisions
‘Not every part of your app needs to be HIPAA-compliant. You only need to ensure that the parts of your app’s architecture that handle PHI (protected health information) comply with HIPAA regulations. For example, we wanted to create an automation that would text patients who hadn’t done a certain thing. So we connected to the relational database to get the list of patients matching that condition. That list was then automatically copied to a Google Sheet, which is *not* HIPAA-compliant. It didn’t matter because the patient data was anonymised. The only thing relevant to this automation was the phone numbers. We used (automation tool) Make to connect that data with Twilio, where we created a no-code chatbot that you could text and which would send replies.’
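To make the data-minimisation step concrete, here is an added Python sketch (not the agency's code; the field names, the US default country code and the sample patients are assumptions) of the database-to-sheet hand-off described above: only patients matching the condition are selected, only the phone column survives, and an allow-list check aborts the export if any other column is about to leave the HIPAA-covered database.

```python
"""Minimum-necessary export for the SMS reminder automation (added example)."""
import re

# Assumed column names for the covered relational database; the article does not list the real schema.
# The only column the Make -> Twilio step needs is the phone number.
EXPORT_FIELDS = ("phone",)
E164 = re.compile(r"^\+[1-9]\d{1,14}$")

# Constructed sample records, not real patients.
SAMPLE_PATIENTS = [
    {"mrn": "A1", "name": "Pat One", "dob": "1980-01-01", "phone": "+15550100001", "intake_done": False},
    {"mrn": "A2", "name": "Pat Two", "dob": "1981-02-02", "phone": "(555) 010-0002", "intake_done": False},
    {"mrn": "A3", "name": "Pat Three", "dob": "1982-03-03", "phone": "+15550100003", "intake_done": True},
    {"mrn": "A4", "name": "Pat Four", "dob": "1983-04-04", "phone": "not a number", "intake_done": False},
]


class PhiLeakError(ValueError):
    """Raised when a column outside the allow-list is about to be exported."""


def normalise_phone(raw, default_cc="+1"):
    """Normalise to E.164 so the SMS step can use it; None if unusable (assumes US numbers by default)."""
    raw = (raw or "").strip()
    digits = re.sub(r"\D", "", raw)
    if raw.startswith("+"):
        candidate = "+" + digits
    elif len(digits) == 10:
        candidate = default_cc + digits
    elif len(digits) == 11 and digits.startswith("1"):
        candidate = "+" + digits
    else:
        return None
    return candidate if E164.match(candidate) else None


def check_no_phi(rows):
    """Last check before the Sheets/Make hand-off: any column outside EXPORT_FIELDS aborts the export."""
    for i, row in enumerate(rows):
        extra = set(row) - set(EXPORT_FIELDS)
        if extra:
            raise PhiLeakError(f"row {i}: columns not allowed outside the database: {sorted(extra)}")
    return True


def build_sheet_rows(patients, needs_reminder):
    """Select patients matching the condition and keep only a de-duplicated, normalised phone column."""
    rows, seen = [], set()
    for p in patients:
        phone = normalise_phone(p.get("phone")) if needs_reminder(p) else None
        if phone is None or phone in seen:
            continue  # skip non-matching patients, unusable numbers and duplicates
        seen.add(phone)
        rows.append({"phone": phone})
    check_no_phi(rows)
    return rows
```

Wiring this in front of the Sheets step means a later "helpful" widening of the database query fails loudly instead of silently copying names or dates of birth into a non-compliant tool.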
2. If you can, pick a tool that offers HIPAA-compliance out of the box
‘While that example is a workaround of HIPAA constraints, there are many no-code tools that claim HIPAA compliance. This means a bunch of things, but the big one is that the no-code platform is able to sign a BAA (Business Associate Agreement) with you. JotForm, Caspio, KnackHQ, Formstack, Retool, and AppSheet are some of those able to do that. Using a compliant tool is crucial when it comes to stuff like intake forms, where you’ll almost always be passing PHI. Does this mean that you can’t use Webflow forms? Yes. But you could still build your website in Webflow, embed a HIPAA-compliant form within it and have the best of both worlds: a great landing page and killer website while being at peace with the law.’
3. Don't let compliance requirements scare you – but be wary of permissions
‘While not many no-code tools are able to sign a BAA (or will want you to upgrade to an Enterprise plan to do so), most of what's needed to protect patient data is already industry standard for no-code, like encryption, logging changes, and permissions. For example, encrypted and secure data is largely the standard and change logs are available in the pro plans of most no-code tools out there. It’s tempting to use a popular internal tool instead of a database to organise projects and allow non-technical people to make data changes, but remember that with healthcare data, row-level permissions are also a must-have. This is the main reason why Google Sheets is not a good idea to hold patient data (nor Notion or Airtable).’
4. Don’t forget to document and train your team
‘A big part of being compliant is not just checking the boxes with the tech tools you use, but having the right processes in place to check everything works. Properly documenting your architecture and training your staff regularly on it is a must. I used the visual collaboration tool Whimsical embedded in a Notion page, but really any diagramming tool for UX flows works, like Miro or Figma or even Google Slides. One good thing about no-code is that it’s simple to understand, so your team can really know how the data is processed. No more “the system doesn’t let me do it”! There is a reason why a nurse cannot access certain data.’