HIPAA for Healthtech Startups: What You Actually Need to Do

HIPAA sounds terrifying because the penalties are large and the language is unfamiliar. In practice, compliance for an early-stage healthtech startup comes down to a specific set of administrative, physical, and technical controls. The controls themselves are not exotic. The discipline of implementing them is what separates compliant teams from non-compliant ones.

The framework in one paragraph

HIPAA applies to Protected Health Information (PHI) handled by Covered Entities (providers, plans, clearinghouses) and their Business Associates (anyone processing PHI on a CE's behalf). Most healthtech startups are Business Associates. Your obligations come from the HIPAA Security Rule (administrative, physical, technical safeguards), the Privacy Rule (use and disclosure rules), and the Breach Notification Rule (what you have to do when something goes wrong). You will sign Business Associate Agreements (BAAs) with every covered entity you work with and with every downstream subcontractor that touches PHI.

The technical controls that actually matter

Encryption at rest. Every database, every object store, every backup. AWS, GCP, and Azure all make this trivial; turn it on. KMS-managed keys with regular rotation.

Encryption in transit. TLS 1.2 minimum for everything. No exceptions. Internal service-to-service communication included.

Access controls. Role-based access for everyone touching PHI. Principle of least privilege. Quarterly access reviews. MFA enforced on every account with PHI access.

Audit logging. Every access to PHI is logged with user, action, resource, timestamp. Logs retained for 6 years (HIPAA's record retention requirement). Logs themselves are tamper-evident.

Backup and recovery. Documented backup process, tested restore process. RPO and RTO defined and met.

Workstation security. EDR on every employee device touching PHI (CrowdStrike, SentinelOne, or equivalent). Full disk encryption. Auto-lock on inactivity.

The administrative controls

HIPAA spends as much text on administrative safeguards as on technical ones. The teams that get fined are usually weak on the administrative side.

• Designated Security Officer and Privacy Officer (can be the same person at startup scale, often the CTO).
• Written policies covering access management, incident response, contingency planning, and workforce training.
• Annual HIPAA training for all workforce members. Documented attendance.
• Documented risk assessment, updated at least annually.
• BAAs in place with every vendor that touches PHI, before they touch PHI. AWS, GCP, Datadog, Sentry, Twilio, SendGrid, all have BAAs available.
• Sanctions policy for workforce members who violate policies (you must document that violations have consequences).

Breach notification

If you have a breach involving PHI, the clock starts. Notification to affected individuals within 60 days. Notification to HHS within 60 days for breaches under 500 people, immediately for breaches over 500. For larger breaches, you also notify prominent media in the affected geography.

The most common mistake we see is conflating an "incident" with a "breach." Not every unauthorized access is a breach. The Breach Notification Rule has a risk assessment that determines whether notification is required. Document your assessment regardless.

What HIPAA does not require (despite what vendors will tell you)

HIPAA does not require a specific certification. There is no "HIPAA certified" status from HHS. Vendors selling you "HIPAA certification" are selling theater. What HIPAA requires is that you do the work and can prove you did the work. SOC 2 + HITRUST is the closest thing to an industry-standard demonstration.

HIPAA does not require on-premises hosting. AWS, GCP, and Azure are all HIPAA-compatible when you sign their BAAs and use HIPAA-eligible services.

HIPAA does not require a specific encryption algorithm or specific tool. It requires "addressable" controls that are reasonable for your environment. AES-256 is fine. TLS 1.2 is fine. Document why your choices are reasonable.

How to actually get started

Pick a compliance automation platform that supports HIPAA (Vanta, Drata, Thoropass). Run their HIPAA gap assessment. Most early-stage startups land at 30 to 50 percent coverage out of the box, mostly missing administrative controls. Budget 6 to 10 weeks of focused work to close the gaps. Then engage a HIPAA-knowledgeable auditor for a readiness assessment.

If you have your first enterprise health system customer asking for HIPAA documentation, you need a real plan, not just a checklist. We have seen deals lost over weak documentation as often as over weak controls.