
HEALTHCARE·APR 16·11 MIN
Evaluating BAAs and vendor risk for a small team
A 10-point checklist I run before any new vendor touches a regulated stack, with the questions that actually block a merge.
READ →
Topical cluster
Patterns from shipping compliant apps without a dedicated compliance team. Audit logging, PHI boundaries in App Router, GDPR and CCPA gaps DTC operators miss, and the integration architecture behind regulated healthcare e-commerce. Everything genericized; no client-identifying detail.
Go deeper

HEALTHCARE·APR 16·11 MIN
A 10-point checklist I run before any new vendor touches a regulated stack, with the questions that actually block a merge.
READ →

HEALTHCARE·APR 10·14 MIN
A working pattern for session and refresh token rotation in regulated apps: sliding sessions, reuse detection, and the rotation that satisfies automatic logoff.
READ →

HEALTHCARE·APR 4·10 MIN
Field notes from picking tools when one bad vendor choice sinks a regulated build. The rules I use, the categories I stack, and the stack I actually run.
READ →

HEALTHCARE·MAR 30·12 MIN
Every healthcare site has a script it cannot remember adding. This is why it matters: the OCR bulletin, supply chain risk, and what the privacy policy hides.
READ →

HEALTHCARE·MAR 16·13 MIN
Three patterns for logging errors safely in Next.js apps that handle PHI: redact at the emitter, error IDs instead of bodies, and BAA-covered sinks. With example code.
READ →

HEALTHCARE·MAR 14·12 MIN
Three healthcare e-commerce UX patterns for checkouts that split commerce from clinical data, stay Shopify-friendly, and survive the audit they were designed for.
READ →

HEALTHCARE·MAR 11·11 MIN
Three anonymized instances of consent capture in regulated intake flows, the event-based pattern that survives policy changes, and what it looks like in Postgres.
READ →

HEALTHCARE·FEB 19·12 MIN
Patterns for protecting PHI across server components, client components, server actions, and route handlers, with the code that enforces them.
READ →

HEALTHCARE·FEB 19·14 MIN
A walkthrough for audit logging in healthcare Next.js apps: an append-only Postgres table, a server-action writer, and the pieces that keep it tamper-evident.
READ →

HEALTHCARE·FEB 6·11 MIN
What I learned building a regulated member platform solo: field encryption, audit logs, token-gated delivery, and the six places Next.js apps leak PHI.
READ →

HEALTHCARE·FEB 2·10 MIN
The GDPR and CCPA gaps most DTC operators miss: silent consent defaults, server-side sharing that counts as a sale, data-subject request workflows, and consent-as-state.
READ →

HEALTHCARE·JAN 28·11 MIN
Three patterns for regulated analytics without GA4: server-side measurement, first-party warehouse, and privacy-safe replay. The boundary is architecture.
READ →
Building HIPAA-aware web apps solo is mostly an architecture problem, not a legal one. The legal piece is a business associate agreement, signed once with your host and with every vendor that touches protected health information. The architecture piece is every day, in every pull request, until the system is decommissioned. Next.js App Router introduces real ambiguity here: server components, client components, server actions, and route handlers each have a different blast radius for a PHI leak, and the framework will not stop you from sending the wrong field across the boundary.
The articles in this cluster cover the patterns that hold across regulated builds. Audit logging that captures actor, action, target, and outcome without storing the payload. Field-level encryption that lets you keep using Postgres without rolling your own crypto. Third-party script audits that catch the marketing pixel quietly forwarding cookies into a non-BAA vendor. Session and token rotation cadences that survive a compromised admin account.
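The two checks described above, as an added TypeScript example (not code from any of the linked articles): an explicit DTO projection plus a runtime guard for the server/client boundary, and an audit writer that records actor, action, target and outcome with a hash of the payload in place of the payload, each entry chained to the previous one so an edited or deleted row is detectable. The PatientRecord shape, the PHI key list and every function name here are assumptions made for illustration.

```typescript
import { createHash } from "node:crypto";

// Added example, not code from the linked articles. The record shape, the PHI
// key list and all function names are constructed for illustration.
type PatientRecord = {
  id: string;
  mrn: string;          // PHI: medical record number
  dob: string;          // PHI: date of birth
  displayName: string;  // PHI
  orderStatus: string;  // commerce state, safe to render in a client component
};

// The only fields allowed to cross from a server component or server action
// into a client component. Everything else stays on the server.
type ClientSafeRecord = Pick<PatientRecord, "id" | "orderStatus">;

// Keys that must never appear in anything serialized toward the browser.
const PHI_KEYS = new Set(["mrn", "dob", "displayName", "ssn", "diagnosis"]);

export function toClientDto(rec: PatientRecord): ClientSafeRecord {
  // Explicit projection: a `{ ...rec }` spread here would compile and leak.
  return { id: rec.id, orderStatus: rec.orderStatus };
}

// Runtime guard for a server action's return value or a client component's
// props: walks the value and throws if a PHI key appears at any depth.
export function assertNoPhi(value: unknown, path = "$"): void {
  if (Array.isArray(value)) {
    value.forEach((v, i) => assertNoPhi(v, `${path}[${i}]`));
  } else if (value !== null && typeof value === "object") {
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      if (PHI_KEYS.has(k)) {
        throw new Error(`PHI field "${k}" at ${path} would cross the client boundary`);
      }
      assertNoPhi(v, `${path}.${k}`);
    }
  }
}

// Audit entry: actor, action, target, outcome. The payload is recorded only as
// a hash, so the log itself never becomes a PHI store.
export type AuditEntry = {
  ts: string;
  actor: string;
  action: string;
  target: string;
  outcome: "ok" | "denied" | "error";
  payloadHash: string;
  prevHash: string;
  hash: string;
};

const GENESIS = "0".repeat(64);

function sha256(s: string): string {
  return createHash("sha256").update(s).digest("hex");
}

// Key-sorted serialization so the same payload hashes identically regardless
// of property order.
function canonical(v: unknown): string {
  if (Array.isArray(v)) return `[${v.map(canonical).join(",")}]`;
  if (v !== null && typeof v === "object") {
    const o = v as Record<string, unknown>;
    const parts = Object.keys(o).sort().map((k) => `${JSON.stringify(k)}:${canonical(o[k])}`);
    return `{${parts.join(",")}}`;
  }
  return JSON.stringify(v);
}

// Appends one entry, linking it to the previous entry's hash. In production the
// array stands in for the append-only table and the writer runs in the server action.
export function appendAudit(
  log: AuditEntry[],
  e: Pick<AuditEntry, "ts" | "actor" | "action" | "target" | "outcome">,
  payload: unknown,
): AuditEntry {
  const prevHash = log.length > 0 ? log[log.length - 1].hash : GENESIS;
  const body = { ...e, payloadHash: sha256(canonical(payload)), prevHash };
  const entry: AuditEntry = { ...body, hash: sha256(canonical(body)) };
  log.push(entry);
  return entry;
}

// Recomputes every link; an edited, deleted or reordered row breaks the chain.
export function verifyChain(log: AuditEntry[]): boolean {
  let prev = GENESIS;
  for (const { hash, ...body } of log) {
    if (body.prevHash !== prev || sha256(canonical(body)) !== hash) return false;
    prev = hash;
  }
  return true;
}
```

The hash chain only proves the log is internally consistent; to make it tamper-evident against someone with write access to the table, the latest hash has to be anchored somewhere that writer cannot reach, such as a periodic copy to a separate store. The runtime guard is the check the type system cannot make for you: a spread of the full record into a client component's props compiles cleanly and is exactly the leak the boundary articles are about.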
If you ship code in a regulated stack and the compliance team is one person (sometimes you), this is the reference. Start with the hub piece, then read the App Router boundaries article before the next deploy.
Put this to work
HIPAA-aware Next.js, audit trails, and regulated DTC patterns.
See the compliant-delivery case studies
Other clusters
Attribution
Attribution & CAPI
Server-side tracking, dedup, and the math behind DTC attribution.
Shopify
DTC Shopify Infrastructure
Theme architecture, metafields, agent-orchestrated builds, Hydrogen decisions.
Solo brand
Creative-Tech Solo Brand
The hybrid creative-director-who-codes operating system.
Pricing
Services Business & Pricing
Productizing services, pricing strategy, and the retainer exit.
Lifecycle
Email & Lifecycle Marketing
Klaviyo flow architecture, retention math, and the LTV playbook.
Agents
AI Agent Engineering
Claude Code sub-agents, MCP servers, skills, and the orchestration stack.
Analytics
Analytics & Data Infrastructure
GA4, BigQuery, and the warehouse-first analytics rebuild.
Conversion
Ecommerce Conversion & UX
PDP patterns, cart decisions, checkout extensions, and the CRO stack.
Programmatic SEO
Programmatic SEO & Content Ops
Scaling content without burning author brand authority.
Paid Social
Paid Social Performance
Meta, TikTok, and Google Ads for DTC operators who also own the data.
Brand
Brand Architecture & Design Systems
Visual identity, naming ladders, and design systems that scale with the business.
Shopify Apps
Shopify App Ecosystem
Selecting, configuring, and replacing the third-party stack on Shopify.
Fractional
Fractional Ops & Service Leadership
Running a high-leverage fractional practice without becoming an agency.
Image AI
Local AI Image Generation
Running Flux, Z-Image, and Qwen locally without the cloud-API bill.
I read all of these; it’s just me on the inbox. Usually you get a real reply within a day, sometimes the same day if I’m at the desk. Or email direct: hello@michaeldishmon.com