HIPAA-readiness sprint for a healthtech MVP
The 8-week sprint that gets a healthtech startup from zero to credible HIPAA posture before the first BAA signing. Educational only.
Educational only — not legal or compliance advice. HIPAA requirements vary by entity type (covered entity vs business associate), state, and use case. Confirm everything with a HIPAA-experienced attorney before signing your first BAA.
A healthtech MVP that handles Protected Health Information (PHI) needs HIPAA-readiness before the first paying customer signs a Business Associate Agreement (BAA). The honest version of "HIPAA-ready" at MVP stage is: you've done the foundational work, you can credibly answer the questionnaire, and you have a defensible posture if audited. It's not "fully compliant in perpetuity" — that's an ongoing operational thing, not a sprint thing.
The 8-week sprint that gets you there:
Week 1-2 — Scoping and infrastructure
What: Define what PHI you actually touch. Map every system that stores, transmits, or processes it. Identify your role (covered entity vs business associate; most healthtech startups are business associates).
Output: A one-page system inventory listing every data store, every API, every third-party that touches PHI.
Infrastructure decisions:
- Hosting: AWS, Azure, GCP — all offer HIPAA-eligible services with a signed BAA at the hosting layer. Sign their BAA early.
- Database: Postgres-on-RDS, Aurora, or Supabase Enterprise (which has a HIPAA add-on). Avoid hosting your own PHI database on a tier without infrastructure-level BAA coverage.
- Email: Resend, Postmark, and SendGrid have HIPAA-eligible tiers — but they're paid tiers requiring a separate BAA. Don't send PHI via the free tier of any of these.
Spend: ~$0-500 this stage. Mostly infrastructure-account setup.
Week 3-4 — Policies and procedures
What: Write the HIPAA-required policies. The Security Rule mandates ~20 policies; the Privacy Rule another ~10. Most are short documents (2-5 pages each).
Required policies include:
- Risk assessment and management
- Workforce security training and access management
Weekly digest
Get new resources like this, weekly.
One email a week: new hubs, new tools, and the editorial pieces worth reading. One click to unsubscribe.