I've been asked to develop a website for a medical professional in the UK. He'd like patients to enter basic medical data after logging in on his website, and they will also be able to download medical reports generated from this data. It doesn't include medical trials or research, just patients keeping track of where they're at in their treatment, so no FDA-style compliance is required afaik.

I know there are laws & regulations regarding this stuff, as it's basically quite confidential data. Are there guidelines such a website needs to comply with (secure hosting, SSL, ...)?