A founder reached out last week. She’d built two healthcare products on one of the no-code AI platforms, the kind where you describe what you want and it builds the thing for you. The product was smart and the apps actually worked.
Then she asked the question almost nobody asks early enough. What do I need to do before this holds real patient data?
She asked before loading a single real record. That alone puts her ahead of most people, who ask the same question about six months after the data’s already in there.
What I told her is the thing the platform never mentions except in the fine print (that most people don’t read).
The platform won’t sign the paper
If your product touches protected health information (PHI), the law expects a Business Associate Agreement. A BAA is the contract where a vendor agrees, in writing, to handle that data under HIPAA and take on liability if they mishandle it. No BAA, no PHI. That’s the law, not a best practice.
The no-code platforms don’t sign BAAs. Their terms of service usually say outright that you can’t put regulated health data on them. So it doesn’t matter how good the build is. The moment real patient data lands there, the product is operating outside the law, and so is anyone building it.
She’d felt this coming, which is why she called. What she hadn’t connected was that there’s no patching it. There’s no setting that fixes it because the platform itself is the problem.
AWS is just the beginning
She’d set up AWS and assumed that covered the compliance question. Common read, and it’s half right.
AWS will sign a BAA, and it gives you a foundation you can actually build a compliant system on, but that BAA only covers what AWS runs. The encryption, the access controls, who can see which patient’s record, the storage that isn’t accidentally open to the whole internet, all of that is still yours to get right. AWS hands you a building that’s up to code. What you put inside it is on you.
“We’re on AWS now” is the start of the work, not the end of it.
The prototype was always going to be thrown away
The other hard truth. You can’t export a no-code app and drop it onto real infrastructure. The pieces don’t line up, and most of what makes these platforms fast is the stuff they hide from you. When it’s time to go to production, you rebuild.
Throwing away the prototype sounds like a loss. It isn’t one. What she built proves the idea and the workflow, which is the hardest part of any product. It’s a blueprint. The production version gets built properly on a real stack, using everything she already figured out as the spec. These tools are great for proving something is worth building, but they were never meant to run a production system, let alone a regulated system.
The question founders ask is the wrong one
When I told her the platform was out, the next question was instant. “Is this other tool okay? What about that one?”
I get the instinct. It’s still the wrong question.
Founders shop features, but the real filter has nothing to do with features. It’s this: who will sign a BAA and put their name next to your liability? A slick demo costs a vendor nothing. A signed BAA is a vendor agreeing to share the risk when real data is on the line. That signature is the only reliable signal that a tool is actually built to hold regulated data. If they won’t sign, the answer is no, and you can stop evaluating the product right there.
Change the question, and the whole confusing market gets simple. Stop comparing builders. Ask, “Who’s willing to be on the hook with me?”
So where does that leave you?
Build your prototype on whatever gets you to a working version fastest. That part is genuinely great, and more people building things is a good thing. Just know where the line is.
The day real regulated data shows up is the day the tool has to change. The founders who come out fine are the ones who saw it coming and treated the prototype as a prototype. The ones who get hurt quietly promoted the demo to production because it already worked and found out what a BAA was the hard way.
If you’re building something that’s going to touch regulated data and you’re not sure where your line is, book a call. Better to find that line now than after the data’s already sitting somewhere it legally can’t be.