Role
Product Design Lead
Duration
3 months
Industry
HealthTech
Team
Calvin - Product Director
Elliot - Senior EM
Elisa - UXR
Nick - Staff Engineer
TL;DR
Internal discussions on our encryption policy forced a deeper question: what do healthcare professionals actually trust, and why? I spent a few weeks mapping that answer. What came out, keeps influencing how our design team thinks about trust as a first-class design material with its own properties, failure modes, and compounding effects.
Disclaimer: Confidential information has been omitted or obfuscated. This case reflects my own perspective and not necessarily the views of Doctolib.
Context
A policy debate became a design problem.
Doctolib is committed to privacy-first infrastructure. When an internal discussion opened about how to introduce AI features, while maintaining top privacy standards, technical and legal were heavily involved.. Soon it turned out to be System Design challenge first.
HCPs are not typical enterprise users. They carry the highest confidentiality obligations of any professional group, and they extend that expectation to every tool they use at work. Even a minor compliance drift can register as a betrayal to a clinician.
91%
of Dutch HCPs share patient info via messaging apps
55%
of Dutch HCPs share patient info via messaging apps
23%
use a secure messenger exclusively
Diagnosis
Security and trust are not the same thing.
The first thing I had to establish internally was the distinction that platform can be technically airtight and still fail on trust. The gap between the two is where user behavior lives.
Security
Technical measure
Encryption
Authentication
Access control
Trust
User confidence
Built over time on:
Security
Brand perception
Reassurance triggers
The System
Use AI to structure context after clinicians have already discussed the case, not before.
If we can transform unstructured clinical conversations into structured, specialty-ready summaries, we can improve referral quality without changing clinician behavior.
The Direction
Trust as a key paradigm while scoping design
To balance regulatory compliance, efficiency, and trust, we suggest pursuing user-centered, privacy-preserving designs (yes, design is critical to maintain, or re-establish trust):
1
Separate admin controls from access to message content.
2
Explain what is accessible, by whom, and under what conditions.
3
"no surprises" rule for any future privacy-adjacent changes
Trust Signals in key moments
ISO certification marks, encryption status indicators..
The output can be shared inside or outside Doctolib, bridging interoperability gaps without forcing EHR lock-in.
