How would you architect a secure API gateway that handles sensitive patient data while complying with HIPAA regulations for Oscar Insurance?