Medical Systems
If your app handles health data, medical decisions, or patient information, you're operating in one of the most regulated and high-stakes areas of software development.
AI-generated code, on its own, is not sufficient for medical systems.
This page explains the risks, regulations, and what you need to do if you're building something in the health space.
Why Medical Systems Are Different
A bug in a social media app means someone can't see their friend's photo. A bug in a medical app can mean someone dies.
| What Can Go Wrong | The Consequence |
|---|---|
| Incorrect dosage calculation | Patient receives wrong medication amount |
| Misdiagnosis suggestion | Patient doesn't get necessary treatment |
| Data breach of health records | Identity theft, insurance fraud, legal liability |
| System downtime during emergency | Delayed care, worsened outcomes |
| Incorrect patient data display | Wrong treatment for wrong patient |
Medical software has real consequences for real people's health and safety.
Regulations You Need to Know
HIPAA (USA)
If your app handles Protected Health Information (PHI) — any data related to a person's health, treatment, or payment — you likely need to comply with HIPAA.
Key requirements:
- Data encryption at rest and in transit
- Access controls — who can view or modify health data
- Audit logs — every access to health data must be logged
- Breach notification — patients must be notified within 60 days
- Business Associate Agreements (BAAs) — with any third-party service that touches health data
- Physical security — servers must be in secure facilities
Penalties: Up to $50,000 per violation, with a maximum of $1.5 million per year per violation category.
FDA Regulation (USA)
Many medical software applications are regulated by the FDA as medical devices. This includes:
- Software that diagnoses diseases
- Software that recommends treatments
- Software that calculates medication dosages
- Software that monitors patient vital signs
FDA clearance can take months or years and requires clinical validation.
GDPR (EU)
Health data is considered special category data under GDPR, with additional protections:
- Explicit consent required for processing
- Data Protection Impact Assessment (DPIA) required
- Higher fines for violations
Other Regulations
| Regulation | Region | Applies To |
|---|---|---|
| PIPEDA | Canada | Health information |
| LGPD | Brazil | Health data (sensitive category) |
| MDR | EU | Medical device software |
| HITECH | USA | Electronic health records |
What AI-Generated Code Typically Misses
1. Clinical Validation
Medical software must be clinically validated — proven to work correctly through studies and testing. AI-generated code has no clinical validation.
2. Regulatory Compliance
AI doesn't know about HIPAA, FDA, or other regulations. It won't generate compliant code unless you provide extremely detailed requirements — and even then, it may get things wrong.
3. Safety-Critical Error Handling
Medical systems need:
- Fail-safe modes — what happens when the system crashes
- Redundancy — backup systems that take over automatically
- Graceful degradation — core functions continue working even when non-critical features fail
- Alerting — immediate notification when something goes wrong
AI-generated code typically handles none of these.
4. Data Integrity
Health data must be:
- Accurate — no corruption or data loss
- Complete — no missing or truncated records
- Auditable — every change tracked and logged
- Non-repudiable — proof of who created or modified each record
5. Interoperability Standards
Medical systems often need to communicate with other systems using standards like:
- HL7/FHIR — health data exchange formats
- DICOM — medical imaging
- ICD-10/11 — diagnosis codes
- SNOMED — clinical terminology
AI is unlikely to generate code that correctly implements these standards.
What You Can Build Safely
Some health-related apps are lower risk and more feasible with AI assistance:
| Lower Risk | Higher Risk |
|---|---|
| Fitness tracking (steps, calories) | Diagnosis or disease detection |
| Appointment scheduling | Medication dosage calculation |
| General wellness information | Treatment recommendations |
| Health blog or educational content | Patient medical records |
| Meditation or mindfulness apps | Clinical trial management |
Rule of thumb: If your app makes a claim about diagnosing, treating, or preventing a medical condition, it's likely regulated. If it's general wellness or lifestyle, it's probably lower risk — but check with a legal professional.
What to Do If You're Building a Medical App
1. Consult a Regulatory Expert
Before writing any code, talk to someone who understands medical software regulation. They can tell you:
- What regulations apply to your specific app
- What you need to do to comply
- Whether your app needs FDA clearance
- What data you can and cannot collect
2. Use HIPAA-Compliant Infrastructure
If you handle health data, your infrastructure must be HIPAA-compliant:
| Service | HIPAA Compliant? |
|---|---|
| AWS | Yes (with BAA) |
| Google Cloud | Yes (with BAA) |
| Azure | Yes (with BAA) |
| Vercel | No (standard plan) |
| Railway | No |
| Supabase | Yes (with BAA, paid plan) |
You need a Business Associate Agreement (BAA) with every service that touches health data.
3. Never Use AI for Clinical Decisions
AI coding tools should not be used to generate:
- Diagnostic algorithms
- Treatment recommendations
- Dosage calculations
- Patient risk assessments
These require clinical expertise and validation that AI cannot provide.
4. Get Professional Code Review
Every line of code in a medical application should be reviewed by:
- A professional software engineer with medical software experience
- A security specialist familiar with healthcare regulations
- A clinical expert (if the code affects patient care)
The Bottom Line
Medical software is not a place to learn as you go. The stakes are too high.
AI coding tools can help with non-critical parts of a medical app — UI design, documentation, administrative features. But the core functionality that affects patient health and safety requires professional expertise, regulatory compliance, and clinical validation.
If you're building something in the health space, invest in professional help. Your users' health — and your legal safety — depend on getting it right.