We Design Extraordinary Things
HIPAA-Aware UI UX Design for Healthcare Software.2.png

HIPAA-Aware UI/UX Design for Healthcare Software

How The Skins Factory designs HIPAA-aware healthcare software: no real patient data, invite-only file handling, NDAs, and flexible BAA terms.

Healthcare UX  ·  Data Handling  ·  Compliance-Aware

HIPAA-Aware UI/UX Design for Healthcare Software

The Skins Factory has designed healthcare software interfaces for enterprise platforms including InnovaMD (an Anthem company) and DocPanel, the world's largest radiology marketplace. Every engagement follows the same principle: exceptional healthcare UI/UX design does not require access to a single real patient record.

Enterprise healthcare product design that never touches real patient data. When a healthcare CTO evaluates a design partner, the portfolio question comes second. The first question is quieter: what happens to our data when this vendor touches our product? This page answers it.

HIPAA-Aware UI/UX Design | The Skins Factory

The Distinction

HIPAA-Aware vs. HIPAA-Compliant

HIPAA compliance applies to organizations that create, receive, store, or transmit protected health information. Covered entities like hospitals and health plans carry it directly. Vendors who handle PHI on their behalf become business associates, sign a BAA, and inherit a long list of technical and administrative obligations that exist for one reason: they touch patient data.

A UI/UX design studio does not need to touch patient data. That is the distinction this page is built on. The Skins Factory’s engagement model is structured so protected health information never enters it. No production access, no live databases, no real patient records in a single design file.

There is nothing to breach because there is nothing there.

We call this HIPAA-aware design. It means the studio understands what PHI is, where it lives in your product, and how to design every screen, state, and workflow around realistic fabricated data instead of the real thing. Under this model a BAA becomes unnecessary rather than refused; your compliance team never has to onboard The Skins Factory as a data-handling vendor, because it never becomes one.

If a design agency tells you they are “HIPAA compliant,” ask what data they are handling that requires it. The stronger answer for a design engagement is not a vendor who manages your PHI carefully. It is a vendor whose process makes the question irrelevant.

Data Handling

Design Without PHI

No design engagement at The Skins Factory is built on real patient health information. What The Skins Factory works from depends on how a client scopes the project: sometimes screenshots are enough, sometimes The Skins Factory is given a guided walkthrough, and sometimes TSF is admitted into a demo environment. It varies by client and by project.

Whatever the source, any patient-record-style content that appears in The Skins Factory's designs is fabricated. Names, addresses, and other identifying details are invented rather than pulled from real records, sometimes playfully so: Han Solo has appeared a few times as a patient name in our mockups.

  • No real patient health information is used in any TSF deliverable.
  • What The Skins Factory is given access to (screenshots, a walkthrough, or a demo environment) is defined by the client on a project-by-project basis.
  • Any patient-style content shown in mockups uses fabricated names and details.

File Security

Secure File Handling

Design work is typically done in Sketch; we also work in Figma when a client prefers it.

  • Work in progress is shared for review and comment through Sketch Workspace on an invite-only basis, scoped to the project.
  • Final deliverables are transferred through Google Drive, set to invite-only access rather than open link-sharing.
  • TSF retains source files and working artwork after a project closes. Because these files contain fabricated names and details rather than real patient information, this raises no PHI retention concern. From project close onward, safekeeping of the files is the client’s responsibility.

Clients with heightened confidentiality requirements beyond this standard process are welcome to discuss alternative handling.

Contracts & Agreements

NDAs and Contracts

NDAs are standard practice at The Skins Factory. Over two and a half decades in business, we have signed hundreds of them, almost always the client’s own, since clients are the ones sharing information that needs protection for the scope of work. If a client doesn’t have one ready, TSF supplies a mutual NDA. The Skins Factory will sign a client NDA provided it functions as a true NDA, without non-competes or other terms not typically found in that type of agreement.

For the underlying services agreement, TSF’s preferred vehicle is its own Master Design Agreement, built specifically for design engagements with clauses covering display rights and other design-specific terms that generic contracts don’t address. We're equally comfortable working within a client’s own paperwork, including reviewing and executing a Business Associate Agreement, when that’s what a compliance team requires.

Vendor Risk

Vendor Review, Simplified

For security questionnaires and vendor risk assessments, The Skins Factory is a low-risk vendor by scope: no production system access, no PHI handling, design deliverables only. When a project calls for engineering, TSF connects clients with a trusted development partner rather than deploying code itself; TSF’s own role stays confined to design.

Client materials at The Skins Factory are never passed around. Every project is handled by the same senior team from kickoff to delivery: no rotating bench of juniors, no subcontractors, no offshore production group with access to your screens. For a vendor risk team, that is a short and verifiable access list.

We respond to vendor questionnaires directly and can typically turn them around quickly, because the honest answer to most questions is that the risk surface barely exists in a design-led engagement.

Design Expertise

How HIPAA Awareness Shapes the Design Itself

HIPAA awareness is not just about how a studio handles files. It shapes the interface decisions themselves. A designer who understands where PHI lives in a product designs differently, and healthcare software carries design considerations that consumer software never has to think about.

01Minimum-necessary display

HIPAA’s minimum-necessary principle has a screen-level equivalent: each view should surface only the patient information the role in front of it needs. Scheduling staff see appointment context, not clinical history. That hierarchy is a design decision made in wireframes, long before an engineer writes a permission rule.

02Role-based views

Physicians, administrators, billing staff, and patients experience the same product through different lenses. Designing each role’s view as its own experience, rather than one interface with fields hidden, keeps sensitive data out of screens where it has no business appearing.

03Screens that live in public spaces

Healthcare software runs on monitors at nurses’ stations, check-in kiosks, and shared workstations where anyone walking past can glance at the display. Masked fields, collapsed-by-default records, and deliberate placement of identifying details are interface-level defenses against the most low-tech breach there is: someone looking over a shoulder.

04Session timeout and re-authentication

Workstations get walked away from. How a product locks, what it shows while locked, and how quickly a clinician can resume mid-task is a UX problem as much as a security one. Done badly, staff work around it; done well, security costs the workflow almost nothing.

05Audit-friendly interaction design

Regulated products log who viewed and changed what. Interfaces designed with clear, discrete actions rather than ambiguous multi-purpose controls produce audit trails that compliance teams can actually read.

None of this requires access to real patient data. It requires a designer who has spent time inside healthcare products and understands why these patterns exist. For the deeper version of this argument, read Healthtech UI/UX Design: Bad Design Decisions Have Real Consequences.

Case Studies

Healthcare Work

Real healthcare products, designed under the same process described above. InnovaMD and DocPanel show how these data-handling and file-security practices hold up on actual client engagements, not just in theory. Built without ever touching real patient data.

InnovaMD, an Anthem Company

Healthcare Provider Portal · Flagship Engagement

TSF’s flagship healthcare portal engagement. The discovery phase included direct interviews with physicians, clinic administrators, and office personnel to identify usability and workflow pain points before any redesign work began.

InnovaMD healthcare provider portal web application UI and UX design by The Skins Factory

DocPanel

World’s Largest Radiology Marketplace

UI/UX redesign connecting patients and imaging providers to a network of over 700 US-based academic and subspecialty radiologists. The engagement covered admin, radiologist, and client-facing screens. As with all TSF healthcare work, patient names shown in the designs are fictitious.

Common Questions

HIPAA-Aware Design FAQ

Straight answers about how The Skins Factory handles data, files, contracts, and compliance boundaries on healthcare engagements.

Does The Skins Factory need access to our production environment?

No. Depending on how a client scopes the project, The Skins Factory typically works from screenshots, a guided walkthrough, or access to a demo environment, sometimes a combination of these. What The Skins Factory designs against is defined by the client, and any patient-record-style content in the deliverables is fabricated rather than real.

Will you sign our NDA and security documentation?

Yes. The Skins Factory signs client NDAs as standard practice, provided the document is a true NDA rather than a broader agreement bundling in non-competes or other terms not typically found in an NDA. The Skins Factory also responds directly to vendor security questionnaires.

What is the difference between HIPAA-aware and HIPAA-compliant?

HIPAA compliance is a legal status for organizations that handle protected health information, either directly as covered entities or as business associates under a BAA. HIPAA-aware describes The Skins Factory’s engagement model: the studio understands what PHI is and structures every project so it never enters the engagement. No PHI handled means no business associate relationship, which means compliance obligations never attach to the design work in the first place.

Do you use AI tools on our project materials?

Client project materials, screenshots, walkthrough recordings, and demo environment content are not fed into AI tools. Design work at The Skins Factory is produced by hand in Sketch or Figma. Where AI is used elsewhere in the studio’s operations, it does not involve client-confidential material, and clients with specific AI usage policies are welcome to include them in the NDA or project agreement.

Who at The Skins Factory has access to our files?

The same senior team that designs your project, from kickoff to delivery. There is no rotating bench of juniors, no subcontractors, and no offshore production group with access to client materials. File access is limited to the people actually doing the work, which keeps the access list short enough to state in a single sentence on a security questionnaire.

Do we need a BAA with a design studio?

The Skins Factory’s preferred agreement is its own Master Design Agreement, built specifically for design engagements with clauses covering display rights and other terms generic contracts don’t address. If your compliance policy requires a BAA instead, The Skins Factory is comfortable reviewing and executing one.

How do you design realistic healthcare interfaces without real patient data?

Because a healthcare interface is still an interface. Patient data isn’t necessary to build user flow maps, design the user experience, or design the user interface itself. Where mockups need to show record-style content, The Skins Factory fabricates names, addresses, and other details rather than using real patient information.

Have you designed HIPAA-regulated products before?

Yes. InnovaMD, an Anthem company, is The Skins Factory’s flagship healthcare engagement, a healthcare portal built through a discovery phase that included direct interviews with physicians, clinic administrators, and office personnel. The Skins Factory’s healthcare portfolio also includes DocPanel, the world’s largest radiology marketplace.

Design responsibility and compliance responsibility are separate. The Skins Factory designs the interface; ensuring the live, deployed product meets HIPAA and other regulatory requirements, including how patient data is protected in production, is the client’s responsibility, not The Skins Factory’s.

What happens to our files after the project ends?

The Skins Factory retains source files and working artwork after project close. Since these files contain fabricated names and details rather than real patient data, there’s no PHI retention concern. From that point, safekeeping of the files is the client’s responsibility.

HIPAA-aware UI UX design for healthcare software
THE REALLY, REALLY SHORT FORM

Have a Healthcare Product to Design?
Let's discuss it.

Thank you for reaching out.

We will be in touch within one business day.