HIPAA for Health Tech Founders: What You Are Probably Getting Wrong
- laurafleetesq
- Jul 8
- 4 min read

Here is a scenario that comes up in health tech procurement more often than founders expect:Â a health system asks for your HIPAA compliance documentation before they will integrate with your platform. You send your privacy policy, your Business Associate Agreement template, and a note that your team completed HIPAA training at onboarding. They come back with a request for your risk analysis, then your security policies, then your breach notification procedures. The conversation slows down. The deal takes longer than it should.
None of what you sent was wrong. It was just incomplete.
Â
WHAT FOUNDERS MEAN VS. WHAT HIPAA REQUIRES
When founders say they are HIPAA compliant, they usually mean they have a Business Associate Agreement with their cloud provider and a privacy notice on their website. Both of those things matter. Neither of them completely meets HIPAA requirements.
HIPAA has three rules that operate independently. The Privacy Rule governs how protected health information can be used and disclosed. The Breach Notification Rule establishes what you must do when a breach occurs. The Security Rule governs how you manage and protect electronic protected health information on an ongoing basis. It is also the rule that most early-stage health tech companies have not fully addressed.
The Security Rule is operational. It requires administrative, physical, and technical safeguards that run continuously, not just at launch. That is the part that is hard to replicate in a procurement conversation when you have not built it.
Â
WHERE THE GAPS USUALLY ARE
Three gaps come up most often when health tech companies face serious compliance scrutiny.
No written risk analysis. The Security Rule explicitly requires a documented analysis of potential risks and vulnerabilities to electronic protected health information in your environment. This is not a form to fill out once. It is a process to run on a regular cadence and document over time. Most early-stage companies do not have one.
Business Associate Agreement gaps with subcontractors and vendors. A BAA with your cloud provider is a start. But if your product uses third party services that interact with protected health information, including analytics platforms, customer support tools, or AI integrations, you need BAAs with those vendors too. Many founders have not mapped this fully.
Incident response without a documented process. Founders often know they are supposed to notify HHS and affected individuals after a breach. What they have not done is build and document that process before they need it. When something happens, the clock starts immediately.
Â
HIPAA compliance is not a form you fill out at launch. It is an operating posture you build and maintain. |
Â
WHAT THE SECURITY RULE ACTUALLY REQUIRES
The Security Rule is organized around three categories of safeguards.
Administrative safeguards are the policies, procedures, and training that govern how your workforce handles protected health information. This includes who has access, how access is granted and revoked, how you train employees, and how you respond to security incidents. Most companies have some version of this. What they are often missing is documentation that it is actually working.
Technical safeguards are the controls in your systems: access controls, audit controls, transmission security. The question is not just whether you have these controls. It is whether you can demonstrate that you have them and that you review them on a regular cadence.
Physical safeguards cover the facilities and devices where protected health information is stored or accessed. For companies operating in the cloud, this is often the easier category. But if employees access protected health information on personal devices or in shared spaces, you need policies that address it.
Â
The gap most founders discover too late is not that they did something wrong. It is that they could not prove they did something right. |
Â
WHAT A REAL HIPAA POSTURE LOOKS LIKE
You do not need a compliance department to have a real HIPAA posture. You need four things.
First, a documented risk analysis that is current. Not from two years ago. Not from when you launched. Current, and updated when your environment changes.
Second, a designated Security Officer with actual authority. Not a founder who owns it in theory but does not have time for it in practice.
Third, policies that describe how your company actually operates. Generic templates describe a hypothetical company. Procurement teams and auditors can tell the difference.
Fourth, a workforce that has been trained and can demonstrate it. Onboarding training that happened once is not a workforce training program.
None of this is technically complex. The complexity is operational. The founders who clear HIPAA scrutiny quickly are not the ones with the most documentation. They are the ones who built a real program before they needed to show it.
Â
HIPAA is not the hardest regulatory framework health tech founders will encounter. What makes it expensive is the gap between what founders believe they have and what they can actually demonstrate. Closing that gap is not a legal exercise. It is an operational one, and it starts before the procurement conversation, not during it. Contact me for an analysis of your HIPAA posture or to help you design and implement one.