When the sensitive data is the product, every diff is a safeguards diff.
For healthtech teams handling patient data. HIPAA's technical safeguards and GDPR's data duties show up in ordinary changes: a log line, a storage config, a dropped check.
In most products, personal data is at the edges. In healthtech it is the substance of the system, so ordinary engineering changes carry safeguard weight that nothing in the diff announces: a debugging log that captures a request body captures a health record; a storage migration that loses an encryption setting exposes patient data at rest. HIPAA wrote its technical safeguards at exactly this grain, and GDPR adds its own duties on top for EU patients.
Technical safeguards, checked where they change
The HIPAA Security Rule's technical safeguards (access control, audit controls, integrity, authentication, transmission security) are properties of code and configuration, which means they are properties a pull request can strengthen or erode. heygrc is built to read each change against the frameworks you selected and name the safeguard or article it touches, so the reviewer sees that a convenience change to logging or storage is also a compliance decision.
It does not determine your covered-entity status, write your risk analysis, or sign a BAA. It keeps the everyday diffs from drifting away from safeguards you have already committed to.
Changes that read as ordinary code.
A few of the control-relevant changes heygrc is built to flag for this case, each cited to the clause it touches.
A patient-records store loses its encryption-at-rest config
HIPAA 164.312(a)(2)(iv)A full request body with patient data is logged for debugging
GDPR Art. 5(1)(c)An integrity check on record updates is dropped
HIPAA 164.312(c)(1)
The frameworks that matter most here.
Guide: Compliance checks in pull requests
heygrc flags control-relevant changes and cites the clause so the issue can be handled in the pull request. It does not certify you, run your audit, or replace your own judgment.