How do you approach designing a system that must comply with strict data privacy regulations like HIPAA?