Most health tech founders I work with have the same question: "What do I actually need to do for HIPAA compliance before my next raise?"
The answer depends on where you are. Here's the checklist I use with clients, prioritized by what matters for due diligence, not what consultants want to sell you.
The Reality of HIPAA for Startups
HIPAA isn't a single certification you pass. It's a framework of requirements across administrative, physical, and technical safeguards. For early-stage health tech, you need to demonstrate:
- You understand what PHI you're handling
- You have appropriate safeguards in place
- You can prove both of these to investors and partners
Here's what that looks like in practice.
Phase 1: Foundation (Pre-Seed to Seed)
These are non-negotiable before you handle any PHI:
Business Associate Agreements (BAAs)
- BAA with your cloud provider (AWS, GCP, Azure all offer these)
- BAA with any third-party services that touch PHI
- Template BAA ready for healthcare customers
If a vendor won't sign a BAA, they can't touch PHI. Period.
Basic Technical Safeguards
- Encryption at rest for all PHI storage
- Encryption in transit (TLS 1.2+ everywhere)
- Access controls with unique user identification
- Audit logging for PHI access
- Automatic session timeout
Documentation
- Data flow diagram showing where PHI lives
- Written security policies (even simple ones)
- Incident response plan (even a one-pager)
Phase 2: Growth (Series A Preparation)
Investors at Series A will look harder. Here's what you need:
Risk Assessment
HIPAA requires a documented risk assessment. This means:
- Identify all systems that process PHI
- Document potential threats and vulnerabilities
- Assess current safeguards
- Create a remediation plan for gaps
You don't need a $50K consultant for this. A thorough internal assessment, properly documented, is sufficient at the early stage.
Administrative Safeguards
- HIPAA Security Officer designated (can be the CTO)
- Workforce training documented
- Sanction policy for violations
- Contingency plan for data backup and recovery
Physical Safeguards
For cloud-native startups, most physical safeguards are handled by your cloud provider's BAA. But you still need:
- Workstation security policy
- Device and media controls for laptops/phones
Enhanced Technical Safeguards
- Multi-factor authentication for PHI access
- Intrusion detection or monitoring
- Regular vulnerability scanning
- Backup and disaster recovery tested
Common Mistakes I See
Mistake 1: Over-engineering Too Early
You don't need a fully staffed security team at seed stage. You need appropriate safeguards for your current risk level. Scale your compliance with your business.
Mistake 2: Ignoring the Business Associate Question
Every vendor that touches PHI needs a BAA. I've seen deals fall apart in due diligence because a startup was using a non-compliant analytics tool or logging service.
Mistake 3: No Audit Trail
If you can't prove who accessed what PHI and when, you have a problem. Build audit logging into your architecture from day one.
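The kind of audit trail this mistake calls for, as an added Python example that is not from the original post: a hypothetical in-memory PhiAuditTrail that records who accessed which patient's PHI, for what purpose and when, chains each record to the previous one with SHA-256 so later edits or deletions are detectable, and answers the "who accessed what" question directly. The class name, field names and sample events are assumptions constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64

class PhiAuditTrail:
    """Hypothetical append-only PHI access log with a SHA-256 hash chain; edits
    or deletions after the fact break verify(). Back it with write-once storage."""
    def __init__(self):
        self.records = []

    def record_access(self, user_id, patient_id, action, purpose, ts=None):
        """Append one access event (who, whose PHI, what, why, when); returns its hash."""
        entry = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "user_id": user_id,        # unique user identification, never a shared account
            "patient_id": patient_id,  # whose PHI was touched
            "action": action,          # read / update / export ...
            "purpose": purpose,        # justification, e.g. treatment or payment
            "prev_hash": self.records[-1]["hash"] if self.records else GENESIS,
        }
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.records.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute the chain; returns the index of the first tampered record, else None."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if rec["prev_hash"] != prev or digest != rec["hash"]:
                return i
            prev = rec["hash"]
        return None

    def accesses_to(self, patient_id):
        """The due-diligence answer: who accessed this patient's PHI, doing what, and when."""
        return [(r["user_id"], r["action"], r["ts"])
                for r in self.records if r["patient_id"] == patient_id]

def build_sample_trail():
    """Constructed sample events (not real data) used to exercise the trail."""
    trail = PhiAuditTrail()
    trail.record_access("dr_lee", "pt-1001", "read", "treatment", "2024-03-01T09:00:00+00:00")
    trail.record_access("billing_01", "pt-1001", "read", "payment", "2024-03-01T09:05:00+00:00")
    trail.record_access("dr_lee", "pt-2002", "update", "treatment", "2024-03-01T09:10:00+00:00")
    return trail
```

Changing or deleting any stored record makes verify() return its index, which is the property an investor or auditor is really asking about when they want the access history to be trustworthy.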
Mistake 4: Treating HIPAA as a One-Time Project
HIPAA compliance is ongoing. You need processes to maintain it, not just achieve it once.
HIPAA vs SOC 2: Which Comes First?
This is the question I get asked most often. My answer: it depends on your sales cycle.
- If you're selling to healthcare enterprises → HIPAA first
- If you're selling to health tech startups that need to show their compliance → SOC 2 first
- If you're building AI/ML → you'll need both, but HIPAA gives you the framework
SOC 2 Type II takes time (you need 3-6 months of controls in operation). HIPAA compliance can be demonstrated faster if your architecture is sound.
For most Series A health tech companies, I recommend getting HIPAA fundamentals solid first, then pursuing SOC 2 Type II in parallel with your A round.
What Investors Actually Ask
In technical due diligence, expect these questions:
- "Walk me through your data flow. Where does PHI live?"
- "Who has access to PHI and how is that controlled?"
- "What happens if there's a breach?"
- "Have you done a risk assessment?"
- "What's your BAA coverage?"
If you can answer these confidently with documentation to back it up, you're in good shape.
Bottom Line
HIPAA compliance isn't about checking every box in a 100-page framework. It's about demonstrating that you take data protection seriously and have appropriate safeguards for your stage.
Start with the foundation. Document everything. Scale your compliance with your business.
If you're preparing for a raise and need help getting your compliance story straight, book a discovery call. I've helped dozens of health tech founders navigate this.