How do you design a secure, HIPAA-compliant API for sharing patient data between third-party systems at Tendo?