
What a HIPAA-aware patient intake tool actually looks like built with Claude Code

A concrete walkthrough of building a patient intake system with HIPAA guardrails baked into the development process.

Admin User
March 27, 2026
3 min read

Most conversations about HIPAA and AI stay at the level of theory. This one does not. Here is what actually gets built, what the configuration looks like, and where the limits are.

What the tool does

The tool is a patient intake web application built for a small or solo medical practice. It has three core components:

A patient-facing intake form with fields for: full name, date of birth, contact phone, contact email, insurance provider, insurance member ID, reason for visit (free text), current medications (free text), and a triage priority selector (routine, urgent, follow-up).

An appointment status board visible to staff showing today's patients, their intake status, triage priority, and whether the form has been completed.

A daily prep view that generates a summary list for the morning: who is coming in, what they need, and what follow-up items are pending from prior visits.

What HIPAA-awareness means in this context

HIPAA-awareness is not HIPAA certification. No tool built in a weekend replaces a compliance attorney or a formal risk assessment. What it means here is that the development process was configured from the start to reduce exposure.

The configuration lives in the CLAUDE.md file at the root of the project. This file tells Claude Code how to behave when building and modifying this codebase. For a HIPAA-aware project, the CLAUDE.md includes rules like:

Never log patient names, dates of birth, or insurance IDs to the console or any log file.

All PHI fields must be encrypted at rest using the database's built-in encryption.

API routes that return patient data must require authentication.

No patient data is ever included in error messages or stack traces.

All form submissions are transmitted over HTTPS only.

These are not suggestions. Claude Code reads the CLAUDE.md before every action and applies these constraints to every file it creates or modifies.
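The first and fourth rules above are the ones most easily broken by a stray console.log or a verbose validation error. The following is an added example (not code from the post or its project) of how the intake form's fields can be handled so that log output and thrown errors never carry PHI: an allowlist of loggable fields, with everything else redacted by default, and a validation error that names the failing field and an opaque submission id but never the submitted value. The field names, the IntakeForm type and the sample submission are assumptions constructed for this example.

```typescript
// Intake form fields from the post; all but triagePriority are treated as PHI.
type IntakeForm = {
  fullName: string;
  dateOfBirth: string;          // ISO date, e.g. 1980-03-27
  phone: string;
  email: string;
  insuranceProvider: string;
  insuranceMemberId: string;
  reasonForVisit: string;
  currentMedications: string;
  triagePriority: "routine" | "urgent" | "follow-up";
};

// Deny by default: only fields on this allowlist may reach a log line.
const LOGGABLE_FIELDS = new Set<keyof IntakeForm>(["triagePriority"]);

// Log-safe view of a submission. A new PHI column added later is redacted
// automatically because it is not on the allowlist.
function redactForLog(form: IntakeForm): Record<string, string> {
  const out: Record<string, string> = {};
  for (const key of Object.keys(form) as (keyof IntakeForm)[]) {
    out[key] = LOGGABLE_FIELDS.has(key) ? form[key] : "[REDACTED]";
  }
  return out;
}

// Error that identifies the submission by an opaque id and the failing field
// name only, so stack traces and API error bodies carry no patient data.
class IntakeValidationError extends Error {
  readonly submissionId: string;
  readonly field: keyof IntakeForm;
  constructor(submissionId: string, field: keyof IntakeForm) {
    super(`intake submission ${submissionId}: invalid value for field "${field}"`);
    this.name = "IntakeValidationError";
    this.submissionId = submissionId;
    this.field = field;
  }
}

// Validates two PHI fields without ever echoing their values.
function validateIntake(submissionId: string, form: IntakeForm): true {
  if (!/^\d{4}-\d{2}-\d{2}$/.test(form.dateOfBirth)) {
    throw new IntakeValidationError(submissionId, "dateOfBirth");
  }
  if (form.insuranceMemberId.trim() === "") {
    throw new IntakeValidationError(submissionId, "insuranceMemberId");
  }
  return true;
}

// Constructed sample submission (fictional data) for exercising the helpers.
const SAMPLE_FORM: IntakeForm = {
  fullName: "Jane Example", dateOfBirth: "1980-03-27", phone: "555-0100",
  email: "jane@example.invalid", insuranceProvider: "ExampleCare",
  insuranceMemberId: "EX-000001", reasonForVisit: "annual check-up",
  currentMedications: "none", triagePriority: "urgent",
};
```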

The development environment setup

The project starts with a Next.js application, a PostgreSQL database, and Prisma as the ORM. The CLAUDE.md is written before any code.

The database schema defines which fields are sensitive. The patient name, date of birth, and insurance member ID columns use PostgreSQL's pgcrypto extension for at-rest encryption. The schema explicitly marks these columns with comments that Claude Code references when generating queries.

Authentication is handled through NextAuth with a credentials provider. No patient data is accessible without a valid session. The session configuration sets short expiration times (30 minutes) with secure cookie flags.

Environment variables are separated: database connection strings, encryption keys, and authentication secrets are never hardcoded. The .env.example file documents what is needed without exposing values.

What you can build in a weekend vs what takes longer

In a weekend, a competent Claude Code user can build the intake form, the appointment board, basic authentication, and the daily prep view. The database schema, API routes, and front-end components are all within reach.

What takes longer: role-based access control (different views for front desk vs clinical staff), audit logging (tracking who accessed what patient record and when), automated backup and disaster recovery configuration, and integration with existing EHR systems.

The weekend build gives you a functional tool. The production build requires another one to two weeks of hardening, testing, and documentation.

The honest limits

This approach is good for: small practices that need a simple, custom intake workflow and cannot afford or do not want a $200/month SaaS tool that does not match their process.

This approach is not a substitute for: a formal HIPAA risk assessment, a BAA with your hosting provider, or legal review of your data handling practices. The tool can be built with HIPAA guardrails. The organizational compliance around the tool still requires professional guidance.

The CLAUDE.md reduces development risk. It does not replace compliance infrastructure.

Healthcare Enterprise Training covers this end to end, including CLAUDE.md setup and HIPAA-aware coding standards.
