When people hear 'privacy by design', most assume it means the engineering team is careful. That's a low bar — every team is careful. The harder question is: what happens if someone on the team isn't?
Application-layer privacy vs database-layer privacy
In most healthcare apps, privacy lives in the application code. The patient hits an API; the API checks whether the user is allowed to see that row, then returns it. If the API has a bug — or if a future feature forgets the check — the data is exposed.
Row-Level Security (RLS) pushes the check into the database itself. Every query, from every code path, has to pass the same policy. A patient sees their own record. A practitioner sees only patients they're linked to. The application code can't accidentally serve more than that — the database refuses.
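A concrete shape of those two policies, as an added illustration rather than code from this app: it assumes PostgreSQL, a constructed schema (patients, practitioner_patient, assessments), and that the API connects through a low-privilege role and stamps the caller's identity on each transaction via a custom setting named app.user_id.

```sql
-- Constructed sample schema (not the product's real tables).
CREATE TABLE patients (
  id      bigint PRIMARY KEY,
  user_id text NOT NULL            -- the account that owns this record
);
CREATE TABLE practitioner_patient (
  practitioner_user_id text   NOT NULL,
  patient_id           bigint NOT NULL REFERENCES patients(id),
  PRIMARY KEY (practitioner_user_id, patient_id)
);
CREATE TABLE assessments (
  id         bigint PRIMARY KEY,
  patient_id bigint NOT NULL REFERENCES patients(id),
  body       text
);

-- The API never runs as the table owner or a superuser (both can bypass RLS).
CREATE ROLE app_user NOLOGIN;
GRANT SELECT ON patients, practitioner_patient, assessments TO app_user;

ALTER TABLE assessments ENABLE ROW LEVEL SECURITY;
ALTER TABLE assessments FORCE ROW LEVEL SECURITY;   -- also applies to the owner

-- A patient sees only assessments attached to their own patient record.
-- current_setting(..., true) returns NULL when unset, so a request that forgot
-- to set the identity sees no rows at all (fail closed, not fail open).
CREATE POLICY patient_own ON assessments FOR SELECT TO app_user
  USING (patient_id IN (
    SELECT id FROM patients
    WHERE user_id = current_setting('app.user_id', true)));

-- A practitioner sees only patients they are explicitly linked to.
-- Policies are permissive, so a user who is both sees the union of the two.
CREATE POLICY practitioner_linked ON assessments FOR SELECT TO app_user
  USING (patient_id IN (
    SELECT patient_id FROM practitioner_patient
    WHERE practitioner_user_id = current_setting('app.user_id', true)));

-- Per-request usage from the application. The connecting role must be a
-- member of app_user; SET LOCAL scopes the identity to this transaction only.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.user_id = 'user-42';                 -- constructed caller id
-- The "buggy" query from the post: no WHERE clause at all, yet only the rows
-- the policies permit for user-42 come back.
SELECT id, patient_id FROM assessments;
COMMIT;
```

A quick check worth keeping in CI: run that unfiltered SELECT as a test user and assert the row count equals what the policy should allow, so a regression in the policy is caught the same way an API bug would be.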
What this means for you, the patient
If we ship a buggy feature tomorrow that tries to fetch all assessments, the database returns nothing for that user except their own. The bug is visible immediately. There's no scenario where a misconfigured API quietly returns someone else's medications.
This isn't a magic shield. RLS doesn't help if the database itself is breached. But for the day-to-day failure modes of a multi-tenant healthcare app — accidental over-exposure via app code — it's the strongest control we know of.