Comment by wonder_er

I feel like at minimum, the information should all be stored in encrypted, unavailable-to-an-admin way.

https://guides.rubyonrails.org/active_record_encryption.html

Basically, all the data in the app would be hidden to everyone except the users. I'm assuming this would be the case, and I'm assuming that you, with prod db access, wouldn't be able to directly read the text that is being written.

If that were the case, I'd say your ethical obligation is fulfilled, more or less. (obv implementing application-level 'everything is encrypted' is not trivial, but it makes it so that you couldn't ever see what was being said)

I don't believe in political authority, so when people say "But hipaa!" I hear "but I believe in the institution of authority" and I sorta tune out everything else that they say.

There's a LOT of people in the world who believe in authority/political authority, and it is tiring. sorry for us all.

This app is cool! Well done to you. Hope you don't have to spend thousands on lawyers and don't have to deal with coercive institutions based on the fantasy of political authority.