HIPAA does not have to slow care down
Ask a hospital IT leader to move faster and you’ll get a careful answer, and they’re right to be careful. What we keep relearning is that the careful teams are the ones that can move quickly, once privacy is built into how they work instead of checked at the end.
In healthcare a missed detail isn’t a bug to patch next sprint. It’s a privacy breach or a patient-safety event, with real people and regulators on the other side of it. So leaders gate releases, add review, and hold the line on change. That instinct is sound, and any consultant who tells you to override it hasn’t spent time on a hospital IT floor. The useful question is narrower: does treating the Health Insurance Portability and Accountability Act (HIPAA) as a checkpoint at the end actually buy the safety you want, or mostly the delay?
Caution and speed are not a trade
The care is real. What matters is where it goes. When access scope, auditability, and data boundaries are settled in the first design conversation, privacy becomes something the system carries the way it carries uptime, and the review at the end gets shorter because there is less left to catch.
That is the whole argument, and it sounds abstract until you make it concrete. In Jira and Confluence, designing privacy in is a set of specific, unglamorous decisions made before the work starts rather than after it ships. Scoped access means project and space permissions are set against actual roles, so a research coordinator, a billing analyst, and a clinical reviewer each see what their work requires and nothing more, and that scoping is written down as a deliberate choice rather than inherited from whatever the last admin happened to leave open. Auditability in the workflow means the trail of who changed what, who approved it, and when, is produced by the way the work moves through its states, not reconstructed from memory and screenshots the week before an audit. Data boundaries agreed up front means deciding, on purpose, which information is allowed to live in a ticket or a page at all, so protected health information does not drift into a comment thread or an attachment where it was never supposed to be. None of these is a heroic act. Each is a small agreement made early, and made once.
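The three early decisions above, scoped access, a workflow-produced audit trail, and a data boundary on what may enter a ticket at all, modelled in plain Python as an added example; this is not code from the original post and does not use Jira's own API, and the role names, spaces, workflow states and PHI patterns are constructed for illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Scoped access, written down as a deliberate choice. Role and space names are
# constructed for this example, not a real tenant's configuration.
ROLE_SCOPE = {
    "research_coordinator": {"RESEARCH"},
    "billing_analyst": {"BILLING"},
    "clinical_reviewer": {"CLINICAL", "RESEARCH"},
}

def can_access(role: str, space: str) -> bool:
    """Deny by default: an unknown role or an unlisted space gets nothing."""
    return space in ROLE_SCOPE.get(role, set())

# Data boundary: identifiers that must never land in a ticket or comment. The two
# patterns (US SSN, a constructed "MRN #1234567" format) are illustrative only.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*#?\s*\d{6,}\b", re.IGNORECASE),
}

def phi_findings(text: str) -> list[str]:
    """Names of the PHI patterns present in text; an empty list means it may be posted."""
    return [name for name, pat in PHI_PATTERNS.items() if pat.search(text)]

@dataclass
class Ticket:
    key: str
    space: str
    state: str = "Open"
    trail: list[dict] = field(default_factory=list)  # audit trail, produced by the workflow
# The only moves the workflow permits; anything else is refused, not merely logged.
ALLOWED_TRANSITIONS = {("Open", "In Review"), ("In Review", "Approved")}

def transition(ticket: Ticket, actor: str, role: str, new_state: str, when: str) -> bool:
    """Move along an allowed edge, by a role scoped to the space, recording who/from/to/when."""
    if not can_access(role, ticket.space) or (ticket.state, new_state) not in ALLOWED_TRANSITIONS:
        return False
    ticket.trail.append({"who": actor, "role": role, "from": ticket.state, "to": new_state, "when": when})
    ticket.state = new_state
    return True

def add_comment(ticket: Ticket, actor: str, role: str, text: str, when: str) -> bool:
    """Refuse a comment from an out-of-scope role or one that crosses the data boundary."""
    if not can_access(role, ticket.space) or phi_findings(text):
        return False
    ticket.trail.append({"who": actor, "role": role, "comment": text, "when": when})
    return True
```

The point of the shape is that the trail is a side effect of moving the work, so the week before an audit there is nothing to reconstruct.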
We saw this at a Food and Drug Administration (FDA) regulated health company where we brought 350 people onto one platform. Auditability lived inside the workflow rather than being reconstructed after the fact, and that is what let delivery speed up without anyone lowering the bar. The careful people stayed careful. They just stopped paying for it twice. You can read how that came together.
Why the delay collects at the end
When privacy is a final gate, that gate is where every unexamined decision arrives at once. The reviewer is not slow. The reviewer is the first person in the chain who was actually asked to look, and so the questions that should have been settled in design land on them all together, late, when changing anything is expensive. A boundary that would have been a one-line agreement at the start becomes a rework cycle at the end, and the team waits while it gets sorted. Push the same questions earlier and the end-of-line review stops being a place where work piles up and becomes what it should be: a confirmation that the decisions already made were the right ones. The caution is identical. Only its timing changes, and timing is most of the cost.
In healthcare, caution and speed are not opposites. Build the privacy in, and the careful team becomes the fast one.
Most of the delay lives between the teams
Healthcare is rarely one tidy IT department. It’s provider groups, payers, research, and a sprawl of teams running their own systems, each with its own tools, its own approvals, and its own idea of what “done” means. The wait usually sits in the space between them, not inside any one team. A request leaves one group in good shape and goes quiet for days, because no one owns the handoff and no one can see where it stopped. That gap is the real bottleneck, and it is invisible precisely because it belongs to everyone and no one.
The fix is unglamorous: put the work where everyone can see it, so dependencies and status stop vanishing into the gaps. When a research team and a clinical systems team share one view of a dependency, the handoff has an owner and a state instead of a silence. That is most of what a well-run Atlassian platform earns its keep doing here. Not speeding up any single team, but closing the spaces between teams that were never anyone’s job to watch.
AI helps, inside the lines you draw first
AI can take real weight off a healthcare team, deflecting routine questions, summarizing, and easing the administrative load that has nothing to do with care. Near protected health information it needs the same discipline as everything else, and a little more attention to where it looks, because an assistant that can read across spaces will read across exactly the access you left open. So the boundaries you draw for people are the boundaries that govern the AI: scope its access, limit what it can see, and keep a person in the loop on anything clinical. Decide that before you switch it on and it stays a tool rather than a reportable incident. We walk through exactly that in governing Rovo before you switch it on.
The hospitals pulling ahead didn’t get reckless. They moved the caution earlier, into how the work is built, and got their speed back as the return on it.
If you want to see where privacy reviews are stalling your releases, see where delivery is getting stuck.