02-26-2015 08:44 AM - edited 03-11-2019 10:33 PM
The current network infrastructure has a 4510 as the core switch, where the whole campus is connected. The internal routing protocol is EIGRP, and peering with the ISP is through BGP. As of now there is no security internally, as all VLANs can reach each other without any access-list or firewall inspection.
Based on the existing setup, how could I follow the HIPAA regulations for the new app that is going to be deployed into the existing network? Assume that the new app will have web, database and application layers, which will have their own VLANs A, B and C respectively. Traffic from each tier has to pass through the ASA, and traffic to and from the internet also has to go through the ASA for accessing this application from the internet.
I have some idea about how to approach this setup. Create 3 VLANs on the core switch for web, app and database. Create SVIs for these 3 VLANs. Once the application is deployed with these VLANs, use access-lists on the ASA for web-app-database communication and provide the firewall as the default gateway for each host associated with the new application. This will make sure that the traffic traverses the ASA and the access-lists are applied.
As I am new to network design, any ideas would be welcomed. I have attached the diagram below.
Please suggest if you guys have some approaches or any other way to approach this scenario.
Help would be greatly appreciated. Thanks in advance.
02-26-2015 11:34 AM
Hello Mukesh Thajur.
Cisco ASA is a great idea! By the way, how many users will be affected by this? For further assistance, please email me directly at (bsiapco@cisco.com).
Happy To Serve
Barry