How HippHealth Secures Patient Data with Fine-Grained Authorization (FGA)
Managing permissions for a healthcare application is a unique challenge.
The healthcare industry demands strict data privacy, HIPAA compliance, and fine-grained access control across a diverse range of users, from doctors and healthcare administrators to insurance providers, external partners, and, most importantly, patients.
Co-founded by Faaez Ul Haq, HippHealth is an AI-powered platform designed to assist Applied Behavior Analysis (ABA) professionals by automating administrative tasks, such as scheduling, clinical notes, and analytics.
As a startup in the healthcare field with access to sensitive patient data, HippHealth experienced the challenges of ensuring fine-grained authorization in its platform firsthand.
Rather than divert valuable engineering time toward building and maintaining a custom authorization system, HippHealth sought an external solution that would provide flexibility, compliance, and scalability from day one.
This case study explores how HippHealth leveraged Fine-Grained Authorization (FGA) with Permit.io to manage the complex authorization requirements of their platform while allowing their team to focus on innovating within the healthcare space.
Ensuring HIPAA Compliance While Scaling a Healthcare Platform
Authorization for a company such as HippHealth isn’t just a security measure but a fundamental necessity.
Healthcare data is highly regulated, and for good reason: any company in this space must ensure patient records are accessible only to the right individuals.
Unlike many industries where access control is primarily about efficiency, HippHealth had to meet strict HIPAA standards and establish clear audit trails to guarantee patient data protection.
Beyond compliance, HippHealth had a complex multi-tenant environment with independent healthcare practices, each with its own roles and permission structures.
Most of these practices don’t have a dedicated CTO or CIO, so authorization had to be intuitive and manageable for non-technical users while still meeting the industry's high security demands.
HippHealth faced the same software development dilemma as many startups: build or buy?
- Building an in-house solution would require extensive engineering resources, with ongoing maintenance consuming valuable development time.
- Traditional Role-Based Access Control (RBAC) wasn’t sufficient for their needs. As roles and access levels evolved, they risked a “role explosion,” where the number of permission sets became unmanageable. This meant they had to deal with more complex models, such as Attribute-Based Access Control (ABAC) and Relationship-Based Access Control (ReBAC), which take a lot of time and effort to develop from scratch in-house.
- HIPAA compliance added another layer of complexity—HippHealth needed an authorization provider that not only understood regulatory requirements but could also provide the right compliance frameworks from day one.
“The biggest challenge was understanding what it even takes to be HIPAA compliant in the first place. Unlike SOC 2, HIPAA doesn’t have a single certification body—it’s a self-driven process, which makes it easy to get lost in the requirements.”
– Faaez Ul Haq, Co-Founder, HippHealth
After exploring multiple options, HippHealth found Permit’s approach to FGA and compliance-ready infrastructure to be a great fit for them.
The Solution: Fine-Grained Authorization with Permit.io
HippHealth’s decision to adopt Permit’s FGA solution was driven by the need for flexibility, compliance, and ease of implementation. Instead of dedicating months to building a custom authorization framework, they were able to integrate Permit and go live within weeks.
- Compliance-first Approach: Permit had a HIPAA-compliant offering, ensuring that HippHealth could implement authorization while maintaining regulatory compliance.
- Multi-Tenant Support: Permit’s support for multi-tenant authorization allowed HippHealth to define detailed permissions across multiple independent healthcare practices, each with different, siloed access control environments.
- Seamless Integration: Permit.io supported HippHealth’s existing stack, allowing them to incorporate Relationship-Based Access Control (ReBAC) and Attribute-Based Access Control (ABAC) alongside traditional RBAC.
- Developer-Friendly Experience: HippHealth’s engineers were able to self-serve and integrate Permit without extensive onboarding or sales calls, accelerating time to market.
As Faaez put it:
“Being able to self-serve and play with the product right away, without going through sales calls or a qualification process, was a big deal. For startups, that’s huge. I don’t want to waste time on sales calls or qualification steps in the early days. So that was important.”
One of the main advantages HippHealth saw in Permit was the no-code UI, which allowed non-technical administrators at independent healthcare practices to manage access control without developer intervention. This was crucial for them, as their target market included out-of-hospital healthcare providers who lacked in-house technical expertise.
The Impact: Long-Term Scalability and Security
With a structured authorization system in place, HippHealth ensured that sensitive patient data remained secure while maintaining full HIPAA compliance. This strong security foundation allowed them to scale efficiently as they expanded their platform, giving each healthcare practice the right level of access control without adding unnecessary complexity.
Instead of spending engineering resources constantly tweaking access control logic, the team could now focus on what really mattered—building out their product and supporting their customers.
As new healthcare providers joined the platform, HippHealth was able to onboard them quickly and confidently, knowing that permissions could be adjusted dynamically as needed.
Having a flexible authorization system also gave HippHealth the ability to adapt to evolving regulations without disrupting their operations.
As Faaez put it:
“Permit’s Fine Grained Authorization allowed us to go above and beyond HIPAA compliance requirements, making our platform future-proof.”
By maintaining precise control over permissions, HippHealth was able to position itself as a trustworthy and scalable solution in a highly regulated industry.
Additionally, Permit.io’s continuous product updates and improvements have meant that HippHealth’s authorization system has evolved alongside their platform without requiring major rewrites or migrations.
Conclusion: Future-Proofing Authorization in Healthcare
For HippHealth, externalizing Fine-Grained Authorization through Permit was more than just a technical decision—it was a strategic move that allowed them to focus on innovation while maintaining compliance and security.
In an industry where data privacy and compliance are top priorities, the ability to quickly and securely manage permissions at scale is a competitive advantage.
By choosing to implement Fine-Grained Authorization (FGA) with Permit, HippHealth was able to accelerate its go-to-market strategy, scale effortlessly, and ensure that patient data remains protected.
For any healthcare startup navigating the complexities of compliance and access control, HippHealth’s experience highlights the importance of choosing the right authorization partner from the start.
Written by
Daniel Bass
Application authorization enthusiast with years of experience as a customer engineer, in technical writing, and in open-source community advocacy. Community Manager, Dev. Convention Extrovert and Meme Enthusiast.