HIPAA Compliance for Startups: Complete Guide (2025)

Quick Facts

| Aspect | Details |
|---|---|
| What is HIPAA? | Health Insurance Portability and Accountability Act (US federal law) |
| Enacted | 1996 (Privacy Rule: 2003, Security Rule: 2005, Breach Notification: 2009) |
| Applies To | Healthcare providers, health plans, healthcare clearinghouses, business associates |
| Protected Data | PHI (Protected Health Information) – health data linked to individuals |
| Penalties | $100 - $1.9M per violation (depending on culpability) |
| Compliance Cost | $10,000 - $50,000 (small startups) |
| Timeline | 3-6 months (average: 4-5 months) |
| Certification | No formal certification (self-declaration + audits) |
| Enforcement | HHS Office for Civil Rights (OCR) + state attorneys general |
| Key Requirement | Business Associate Agreement (BAA) required |

What is HIPAA?

HIPAA (Health Insurance Portability and Accountability Act) is a federal law enacted in 1996 that establishes national standards for protecting sensitive patient health information from being disclosed without the patient's consent or knowledge.

Key Components

HIPAA consists of 5 rules (called "Titles"), but startups primarily care about 3 rules:

  1. Privacy Rule (2003): Sets standards for protecting PHI (who can access, when, how)
  2. Security Rule (2005): Sets technical and organizational standards for securing electronic PHI (ePHI)
  3. Breach Notification Rule (2009): Requires notification when PHI is breached (60-day timeline)

Other rules (less relevant for most startups):

  • Transactions and Code Sets Rule: Standards for electronic health transactions (claims, eligibility)
  • Identifiers Rule: Standard identifiers for healthcare providers, health plans, employers

What is PHI?

PHI (Protected Health Information) is any health information that can be linked to an individual, including:

  • Medical records: Diagnoses, treatment plans, prescriptions, lab results
  • Health history: Past medical conditions, surgeries, allergies
  • Payment information: Health insurance info, billing records
  • Demographics: Name, address, DOB, SSN (when linked to health data)

Key point: PHI is any individually identifiable health information, not just medical records.

ePHI vs PHI

  • PHI: Protected Health Information (all forms: paper, electronic, oral)
  • ePHI: Electronic Protected Health Information (PHI stored or transmitted electronically)

Most startups deal with ePHI (health data in databases, apps, cloud systems).

HITECH Act (2009)

The HITECH Act (Health Information Technology for Economic and Clinical Health Act) expanded HIPAA in 2009:

  • Extended HIPAA to Business Associates (vendors/contractors handling PHI)
  • Increased penalties (up to $1.9M per violation)
  • Required breach notification
  • Introduced audits and enforcement

Impact: Health tech startups (Business Associates) are now directly liable for HIPAA compliance (not just covered entities).


Why HIPAA Matters for Startups

1. Legal Requirement (Not Optional)

Unlike SOC 2 or ISO 27001 (voluntary), HIPAA is mandatory if you handle PHI.

Consequence of non-compliance:

  • Civil penalties: $100 - $1.9M per violation
  • Criminal penalties: Up to $250K + 10 years in prison (for willful neglect)
  • Business shutdown (inability to serve healthcare customers)

2. Customer Requirement (Healthcare Industry)

Healthcare providers, hospitals, health plans, and health systems will not work with you unless you:

  1. Sign a Business Associate Agreement (BAA)
  2. Demonstrate HIPAA compliance (policies, procedures, safeguards)

Sales impact: Without HIPAA compliance, your sales team cannot close deals with healthcare customers.

3. Competitive Advantage

HIPAA compliance signals to customers that:

  • Your startup is established and trustworthy
  • You take data security seriously
  • You're ready for enterprise healthcare customers

Marketing value: Display "HIPAA Compliant" badge on website (increases conversion with healthcare buyers).

4. Reduces Data Breach Risk

Healthcare is the most targeted industry for cyberattacks:

  • Average healthcare data breach cost: $10M (highest of any industry)
  • Per-record breach cost: $408 (vs. $148 average across industries)

HIPAA safeguards (encryption, access controls, monitoring) reduce breach risk significantly.

5. Enables Upmarket Movement

HIPAA compliance unlocks enterprise healthcare customers:

  • Hospitals and health systems (typically $500K-$5M contracts)
  • Health plans and insurers (typically $1M-$10M contracts)
  • Large medical practices (typically $50K-$500K contracts)

ROI: A single enterprise healthcare deal can justify the $10K-$50K cost of HIPAA compliance.


2025 HIPAA Updates

In 2025, HHS proposed significant updates to the HIPAA Security Rule—the most substantial changes since the rule was enacted in 2005.

End of Self-Declared Compliance

Old model (pre-2025): Health tech companies could self-declare HIPAA compliance without independent verification.

New model (2025+): HHS proposes moving to "proven compliance" requiring:

  • Independent audits (annual or biennial)
  • Real-time monitoring and continuous risk assessments
  • Third-party verification of safeguards

Impact: Self-declaration no longer sufficient—must demonstrate compliance through audits and monitoring.

New Requirements (Proposed 2025)

1. Mandatory Annual Compliance Audits

Requirement: Conduct annual independent audits of HIPAA safeguards.

Details:

  • Audits must be performed by qualified independent auditors
  • Audit reports must document compliance with all HIPAA safeguards
  • Audit reports retained for 6 years

Impact: Increases cost ($5K-$15K per annual audit) and effort (audit preparation, evidence collection).

2. Regular Vulnerability Scanning & Penetration Testing

Requirement: Conduct regular vulnerability scans and annual penetration tests.

Details:

  • Vulnerability scans: At least quarterly (monthly recommended)
  • Penetration testing: At least annually
  • Remediate critical vulnerabilities within 30 days (high-risk: 7 days)

Impact: Requires security tools (Nessus, Qualys) and remediation processes.

3. 24-Hour PHI Access Revocation

Requirement: Revoke access to PHI within 24 hours of termination or role change.

Old standard: "Timely" (no specific timeframe)

New standard: 24 hours (specific timeframe)

Impact: Requires automated offboarding processes (manual offboarding too slow).

4. 72-Hour Disaster Recovery Requirement

Requirement: Cloud-based health systems must restore ePHI within 72 hours of system failure or disaster.

Details:

  • Applies to cloud-based systems (AWS, GCP, Azure)
  • Must test disaster recovery at least annually
  • Document recovery time objectives (RTOs) and recovery point objectives (RPOs)

Impact: Requires robust backup and disaster recovery infrastructure.

5. Comprehensive Network Mapping & Asset Management

Requirement: Maintain real-time documentation of PHI data flows across all systems.

Details:

  • Network diagrams showing all systems with PHI
  • Data flow diagrams showing how PHI moves (collection → storage → processing → transmission)
  • Asset inventory (all systems, devices, applications with PHI access)
  • Update documentation within 30 days of changes

Impact: Requires network discovery tools and data mapping processes.

Timeline

  • Proposed rule published: 2024
  • Comment period: Closed 2024
  • Final rule expected: Late 2025 or early 2026
  • Compliance deadline: TBD (likely 12-24 months after final rule)

Recommendation: Start implementing these requirements now (even if final rule delayed, these are security best practices).


Does HIPAA Apply to You?

HIPAA applies if you're a Covered Entity or Business Associate handling PHI.

Covered Entities (Always Subject to HIPAA)

Three types:

1. Healthcare Providers

Any provider of medical or health services who transmits health information electronically.

Examples:

  • Hospitals, clinics, medical practices
  • Doctors, nurses, dentists, therapists
  • Pharmacies, laboratories
  • Nursing homes, home health agencies

Electronic transmission includes: Claims, eligibility checks, referrals, authorizations (even if outsourced to clearinghouse).

2. Health Plans

Organizations that pay for or provide health care coverage.

Examples:

  • Health insurance companies (Aetna, UnitedHealthcare, Blue Cross Blue Shield)
  • HMOs, PPOs
  • Medicare, Medicaid
  • Employer-sponsored health plans (>50 employees)
  • Pharmacy benefit managers (PBMs)

Exceptions: Plans with <50 participants, administered entirely by employer (self-insured small employers).

3. Healthcare Clearinghouses

Entities that process health information between providers and health plans.

Examples:

  • Billing services
  • Claims processors
  • Community health information systems
  • Health information exchanges (HIEs)

Business Associates (Subject to HIPAA Since 2013)

Business Associate: Any person or entity that performs services for a Covered Entity involving the use or disclosure of PHI.

Examples of Business Associates:

  • Health tech SaaS: EHR vendors (Epic, Cerner), patient portals, telehealth platforms, health apps
  • Cloud providers: AWS, Google Cloud, Azure (when hosting PHI)
  • Data analytics: Analytics platforms processing PHI
  • Billing services: Medical billing companies, revenue cycle management
  • IT services: IT support accessing PHI, data backup services
  • Legal/consulting: Law firms, consultants accessing PHI

Key test: Do you create, receive, maintain, or transmit PHI on behalf of a Covered Entity?

  • Yes → You're a Business Associate → HIPAA applies
  • No → You're not a Business Associate → HIPAA does not apply

Subcontractors (Business Associates of Business Associates)

If you're a Business Associate and you hire a subcontractor to help you perform services involving PHI, the subcontractor is also a Business Associate.

Example:

  • Hospital (Covered Entity) hires Health Tech SaaS (Business Associate)
  • Health Tech SaaS uses AWS to host PHI (AWS = Subcontractor = Business Associate)
  • AWS uses third-party data center (Data center = Subcontractor = Business Associate)

Chain: Covered Entity → Business Associate → Subcontractor (BA) → Subcontractor (BA)

Each must sign BAA with the entity above them.

Does HIPAA Apply to Your Startup?

Yes, if:

  • ✅ You're a healthcare provider transmitting health info electronically (claims, referrals)
  • ✅ You're a health tech SaaS serving healthcare providers or health plans
  • ✅ You store, process, or transmit PHI on behalf of healthcare customers
  • ✅ You provide services to covered entities (analytics, billing, IT, consulting) involving PHI

No, if:

  • ❌ You're a consumer health/wellness app with no connection to healthcare providers (Fitbit, MyFitnessPal) – Exception: If you share data with healthcare providers, you may become a Business Associate
  • ❌ You're a general SaaS company not serving healthcare customers (Slack, Zoom) – Exception: If healthcare customers use your product to store PHI, you may need to sign BAAs
  • ❌ You provide services without accessing PHI (e.g., general IT services not touching PHI)

Gray areas:

  • Wearables/fitness trackers: Generally not HIPAA (wellness, not healthcare) – UNLESS integrated with EHR or prescribed by doctor
  • Mental health apps: May be HIPAA if working with therapists/psychiatrists (Business Associate)
  • HR wellness programs: Generally not HIPAA (employment records, not healthcare) – UNLESS health plan involved

Rule of thumb: If healthcare customers are asking you to sign a BAA, HIPAA applies to you.


Protected Health Information (PHI)

Understanding what constitutes PHI is critical for HIPAA compliance.

What is PHI?

PHI (Protected Health Information) is individually identifiable health information transmitted or maintained in any form (electronic, paper, oral) that:

  1. Relates to: Individual's past, present, or future physical or mental health condition, provision of healthcare, or payment for healthcare
  2. Identifies the individual (or could be used to identify)
  3. Is created or received by: Covered Entity or Business Associate

Key point: PHI is health information + identifiers.

The 18 HIPAA Identifiers

PHI includes health information linked to any of these 18 identifiers:

  1. Names (first, last, maiden)
  2. Geographic subdivisions smaller than state (street address, city, county, zip code)
    • Exception: First 3 digits of zip code OK if area has 20,000+ people
  3. Dates related to individual (birth, admission, discharge, death, age >89)
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers (VIN, license plates)
  13. Device identifiers and serial numbers (pacemaker serial number)
  14. Web URLs
  15. IP addresses
  16. Biometric identifiers (fingerprints, retina scans, voice prints)
  17. Full-face photos or comparable images
  18. Any other unique identifying number, characteristic, or code

Examples of PHI:

  • Patient's name + diagnosis → PHI
  • Email address + prescription → PHI
  • Phone number + appointment date → PHI
  • Medical record number + lab results → PHI
  • IP address + health survey responses → PHI

Not PHI (de-identified):

  • Diagnosis alone (no name, no identifiers) → Not PHI
  • Aggregate statistics (50 patients with diabetes) → Not PHI
  • De-identified dataset (all 18 identifiers removed) → Not PHI

ePHI (Electronic PHI)

ePHI: PHI that is stored or transmitted electronically.

Examples:

  • EHR/EMR systems (electronic medical records)
  • Health apps and patient portals
  • Databases with patient data
  • Emails containing PHI
  • Cloud storage with PHI
  • Backups of systems with PHI

HIPAA Security Rule applies specifically to ePHI (technical safeguards: encryption, access controls, audit logs).

De-Identification Methods

To remove PHI (and avoid HIPAA obligations), you can de-identify data using one of two methods:

Method 1: Safe Harbor

Remove all 18 HIPAA identifiers (listed above) + any other information that could identify the individual.

Result: Data is no longer PHI (can be used/disclosed without HIPAA restrictions).

Method 2: Expert Determination

Hire a qualified statistician to certify that the risk of re-identification is "very small."

Result: Data is no longer PHI (if statistician certifies).

Common use case: Research datasets, analytics (de-identify before analysis).
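The Safe Harbor method above is mechanical enough to check in code. The following is an added example (not code from this guide): it takes a patient record as a dict, strips the direct identifiers, generalizes zip codes to three digits (or "000" when the area is below the 20,000-person threshold), reduces dates to years and buckets ages over 89 as "90+", and scrubs identifiers embedded in free-text notes. The field names, the sample record and the set of "well-populated" zip prefixes are constructed assumptions; a real deployment would take the zip prefix list from census data and should treat a clean result as a floor, since Safe Harbor also requires removing any other information that could identify the person.

```python
"""Safe Harbor de-identification checker (added example, not from the guide)."""
import re
from datetime import date

# Identifier classes removed outright when present as fields (Safe Harbor items 1, 4-17).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "vin", "device_serial", "url",
    "ip_address", "biometric", "photo",
}
# Item 2: geographic subdivisions smaller than a state are removed; zip is generalized.
GEOGRAPHIC_FIELDS = {"street", "city", "county"}

# Regexes for identifiers hiding inside free text (clinical notes, comments).
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}

# Constructed stand-in for a census lookup: 3-digit zip prefixes with 20,000+ residents.
WELL_POPULATED_ZIP3 = {"021", "100", "606", "900"}


def generalize_zip(zip_code: str) -> str:
    """Keep the first 3 digits only if the area has 20,000+ people, otherwise '000'."""
    prefix = zip_code[:3]
    return prefix if prefix in WELL_POPULATED_ZIP3 else "000"


def generalize_age(birth_date: date, as_of: date) -> str:
    """Item 3: ages over 89 are reported as a single '90+' bucket."""
    had_birthday = (as_of.month, as_of.day) >= (birth_date.month, birth_date.day)
    age = as_of.year - birth_date.year - (0 if had_birthday else 1)
    return "90+" if age > 89 else str(age)


def scrub_free_text(text: str) -> str:
    """Replace identifier patterns in free text with a labelled marker."""
    for label, pattern in FREE_TEXT_PATTERNS.items():
        text = pattern.sub(f"[{label.upper()} REMOVED]", text)
    return text


def deidentify(record: dict, as_of: date):
    """Return (deidentified_record, removed_fields) under the Safe Harbor rules."""
    out, removed = {}, []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS or field in GEOGRAPHIC_FIELDS:
            removed.append(field)
        elif field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "birth_date":
            out["age"] = generalize_age(value, as_of)
        elif field.endswith("_date"):
            out[field[:-5] + "_year"] = value.year  # admission/discharge: keep the year only
        elif isinstance(value, str):
            out[field] = scrub_free_text(value)
        else:
            out[field] = value
    return out, removed


def residual_identifiers(record: dict):
    """List identifier fields or free-text hits still present; empty means Safe Harbor clean."""
    found = [f for f in record
             if f in DIRECT_IDENTIFIER_FIELDS or f in GEOGRAPHIC_FIELDS or f in ("zip", "birth_date")]
    for field, value in record.items():
        if isinstance(value, str):
            found += [f"{field}:{label}" for label, p in FREE_TEXT_PATTERNS.items() if p.search(value)]
    return found


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "birth_date": date(1931, 5, 2),
    "street": "12 Example St",
    "city": "Boston",
    "state": "MA",
    "zip": "02115",
    "phone": "617-555-0100",
    "mrn": "MRN-000123",
    "admission_date": date(2024, 3, 14),
    "diagnosis": "Type 2 diabetes",
    "note": "Patient called from 617-555-0100 and emailed jane@example.org on 03/14/2024.",
}

if __name__ == "__main__":
    clean, removed = deidentify(SAMPLE_RECORD, as_of=date(2025, 1, 1))
    print("removed:", removed)
    print("clean:", clean)
    print("residual:", residual_identifiers(clean))
```

Running the script on the constructed record drops name, address fields, phone and MRN, keeps the state and the "021" zip prefix, reports the 93-year-old patient as "90+", and leaves the note with its phone number, email and date replaced by markers. The `residual_identifiers` check is what you would run over a dataset before releasing it to analytics; anything it still finds means the data is still PHI.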


Covered Entities vs Business Associates

HIPAA distinguishes between Covered Entities (healthcare organizations) and Business Associates (vendors/contractors).

Covered Entities

Definition: Healthcare providers, health plans, and healthcare clearinghouses.

HIPAA obligations:

  • Implement all HIPAA safeguards (Privacy, Security, Breach Notification)
  • Sign Business Associate Agreements (BAAs) with all Business Associates
  • Train workforce on HIPAA
  • Designate Privacy Officer and Security Officer
  • Conduct risk assessments
  • Respond to patient rights requests (access, amendment, accounting of disclosures)

Examples:

  • Hospitals, clinics, medical practices
  • Health insurance companies
  • Pharmacies, laboratories

Business Associates

Definition: Any entity that performs services for a Covered Entity involving PHI.

HIPAA obligations:

  • Implement HIPAA Security Rule safeguards (for ePHI)
  • Implement applicable Privacy Rule requirements (limited data uses, minimum necessary)
  • Sign Business Associate Agreements (BAAs) with Covered Entities
  • Sign BAAs with subcontractors (if subcontractors access PHI)
  • Conduct risk assessments
  • Train workforce on HIPAA
  • Report breaches to Covered Entity (within 60 days)

Examples:

  • Health tech SaaS (EHR vendors, telehealth platforms, patient portals)
  • Cloud providers (AWS, Google Cloud, Azure)
  • IT services, data analytics, billing services

Key difference: Covered Entities have more obligations (patient rights, Privacy Officer, etc.). Business Associates have fewer obligations (primarily Security Rule + breach notification).

Most startups are Business Associates (not Covered Entities).


Business Associate Agreements (BAAs)

The Business Associate Agreement (BAA) is a required contract between a Covered Entity and a Business Associate.

When is a BAA Required?

Always required when:

  1. Covered Entity engages a Business Associate to perform services involving PHI
  2. Business Associate engages a subcontractor to perform services involving PHI

Example flow:

Hospital (Covered Entity)
  ↓ BAA required
Health Tech SaaS (Business Associate)
  ↓ BAA required
AWS (Subcontractor / Business Associate)
  ↓ BAA required
Third-party data center (Subcontractor / Business Associate)

No BAA required when:

  • Services don't involve PHI (e.g., payroll, general IT support not accessing PHI)
  • "Conduit" exception: Entities merely transmitting PHI (postal service, courier) – do not need BAA

What Must a BAA Include?

Federal regulations (45 CFR § 164.504(e)) require BAAs to include:

1. Permitted Uses and Disclosures

  • Define what the Business Associate is allowed to do with PHI
  • Example: "Business Associate may use and disclose PHI only to perform [services] on behalf of Covered Entity"

2. Restrictions on Uses and Disclosures

  • Business Associate cannot use or disclose PHI except as permitted by BAA or required by law
  • Business Associate must implement safeguards to prevent unauthorized use/disclosure

3. Safeguards Requirement

  • Business Associate must implement appropriate safeguards (administrative, physical, technical) to protect PHI
  • Must comply with HIPAA Security Rule (for ePHI)

4. Subcontractor Requirements

  • Business Associate must enter into BAAs with any subcontractors that access PHI
  • Subcontractors must agree to same restrictions as Business Associate

5. Breach Notification

  • Business Associate must report breaches of unsecured PHI to Covered Entity
  • Timeline: Within 60 days of discovery (sooner if possible)

6. Access to PHI (for patient rights)

  • Business Associate must provide PHI to Covered Entity (or directly to patients) within 30 days of request
  • Necessary for Covered Entity to fulfill patient right of access

7. Amendment of PHI

  • Business Associate must amend PHI if Covered Entity requests (to correct inaccuracies)

8. Accounting of Disclosures

  • Business Associate must provide information about disclosures to Covered Entity (for accounting of disclosures to patients)

9. Availability of Books and Records

  • Business Associate must make records available to HHS for compliance investigations

10. Return or Destruction of PHI

  • Upon termination of BAA, Business Associate must return or destroy all PHI
  • If not feasible, must extend protections and limit further uses/disclosures

BAA Template

Sample BAA structure:

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement ("Agreement") is entered into as of [Date]
between [Covered Entity Name] ("Covered Entity") and [Business Associate Name]
("Business Associate").

1. DEFINITIONS
   - Protected Health Information (PHI)
   - Electronic PHI (ePHI)
   - Breach
   - Unsecured PHI

2. PERMITTED USES AND DISCLOSURES
   Business Associate may use and disclose PHI only to perform [services]
   on behalf of Covered Entity.

3. OBLIGATIONS OF BUSINESS ASSOCIATE
   a. Not use or disclose PHI except as permitted by this Agreement
   b. Implement appropriate safeguards (HIPAA Security Rule)
   c. Report breaches to Covered Entity within [60] days
   d. Enter into BAAs with subcontractors
   e. Make PHI available to Covered Entity for patient access (30 days)
   f. Amend PHI upon Covered Entity request
   g. Provide accounting of disclosures
   h. Make books and records available to HHS

4. OBLIGATIONS OF COVERED ENTITY
   a. Provide Business Associate with Notice of Privacy Practices
   b. Notify Business Associate of any restrictions on PHI use

5. TERM AND TERMINATION
   a. Term: Until [date] or services complete
   b. Termination: If breach by Business Associate, Covered Entity may terminate
   c. Upon termination: Business Associate must return or destroy PHI

6. INDEMNIFICATION
   Business Associate indemnifies Covered Entity for breaches caused by
   Business Associate.

7. MISCELLANEOUS
   Governing law, dispute resolution, etc.

Where to get BAA templates:

  • HHS publishes sample BAA provisions on its website (search for "Sample Business Associate Agreement Provisions")
  • Health tech vendors often provide their own BAAs (review carefully before signing)

Common BAA Negotiation Points

Covered Entities typically want:

  • Business Associate to have cyber insurance ($1M-$5M)
  • Business Associate to conduct annual security audits
  • Indemnification (Business Associate pays for breaches caused by BA)
  • Breach notification within 24-48 hours (not 60 days)

Business Associates typically want:

  • Limit liability (cap indemnification at contract value)
  • Exclude consequential damages
  • Carve out subcontractor liability (BA not liable for AWS breaches)

Negotiation tip: Most healthcare customers have standard BAAs (difficult to negotiate). Focus on liability caps and insurance requirements.


HIPAA Rules Overview

HIPAA consists of three main rules relevant to startups:

1. Privacy Rule (45 CFR Part 160 and Part 164, Subparts A and E)

Effective: April 14, 2003

Purpose: Sets standards for protecting PHI (who can access, when, how).

Key requirements:

Notice of Privacy Practices

Covered Entities must provide patients with a Notice of Privacy Practices explaining:

  • How PHI is used and disclosed
  • Patient rights (access, amendment, accounting of disclosures)
  • Covered Entity's duties

Business Associates: Not required to provide Notice (only Covered Entities).

Minimum Necessary

Use and disclose only the minimum necessary PHI to accomplish the purpose.

Example: If billing department needs to process claim, provide claim info only (not entire medical history).

Patient Rights

Covered Entities must allow patients to:

  • Access their PHI (within 30 days)
  • Amend their PHI (correct inaccuracies)
  • Request restrictions on uses/disclosures
  • Request confidential communications (alternate phone number, address)
  • Accounting of disclosures (list of who received PHI in past 6 years)

Business Associates: Must assist Covered Entities in fulfilling patient rights (provide PHI within 30 days of request).

Permitted Uses and Disclosures

PHI may be used/disclosed without patient authorization for:

  • Treatment: Providing healthcare to patient
  • Payment: Billing, claims, reimbursement
  • Healthcare operations: Quality improvement, audits, case management

All other uses/disclosures require patient authorization.

Business Associates: Can only use/disclose PHI as permitted by BAA (typically: performing services for Covered Entity).

2. Security Rule (45 CFR Part 160 and Part 164, Subparts A and C)

Effective: April 20, 2005

Purpose: Sets technical and organizational standards for securing ePHI (electronic PHI).

Applies to: Covered Entities and Business Associates handling ePHI.

Key requirements:

Three Types of Safeguards

  1. Administrative Safeguards: Policies, procedures, workforce training
  2. Physical Safeguards: Physical access controls (locked doors, surveillance)
  3. Technical Safeguards: Encryption, access controls, audit logs

45 specifications (34 required, 11 addressable).

We'll cover these in detail in the HIPAA Safeguards section.

3. Breach Notification Rule (45 CFR Part 164, Subparts A and D)

Effective: September 23, 2009

Purpose: Requires notification when unsecured PHI is breached.

Key requirements:

What is a Breach?

Breach: Unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the PHI.

Exceptions (not breaches):

  1. Unintentional access/use by workforce member acting in good faith within scope of authority (and no further disclosure)
  2. Inadvertent disclosure from authorized person to another authorized person at same organization (and no further use)
  3. Unable to retain PHI: Recipient couldn't have retained PHI (e.g., sent to wrong fax, but recipient confirms didn't read/retain)

Breach Notification Timeline

If breach affects:

1-499 individuals:

  • Notify affected individuals: Within 60 days of discovery
  • Notify HHS (annual report): By March 1 of following year

500+ individuals:

  • Notify affected individuals: Within 60 days of discovery
  • Notify HHS: Within 60 days of discovery (not annual report)
  • Notify media: Within 60 days of discovery (prominent media outlets in affected areas)

Business Associate breaches:

  • Business Associate must notify Covered Entity within 60 days of discovery
  • Covered Entity then notifies individuals, HHS, media (as above)

Unsecured PHI

Unsecured PHI: PHI that is not encrypted or destroyed according to HIPAA standards.

Safe harbor: If PHI is encrypted (AES-256 or higher) or destroyed (shredding, wiping), breach notification not required.

Key point: Encrypt all ePHI to avoid breach notification obligations.
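The notification timelines above are easy to get wrong under pressure, so it helps to have them written down as code the incident responder can call. The following is an added example (not from this guide) that turns the Breach Notification Rule section into a deadline calculator: it applies the encryption safe harbor, the 500-individual threshold, the March 1 annual report for smaller breaches, and the Business Associate's obligation to notify the Covered Entity. The function name, argument names and the constructed incidents are this example's own.

```python
"""Breach notification deadline calculator (added example, not from the guide)."""
from datetime import date, timedelta

NOTIFY_WINDOW = timedelta(days=60)   # "within 60 days of discovery"
LARGE_BREACH_THRESHOLD = 500         # 500+ individuals triggers HHS and media notice


def notification_deadlines(discovered_on: date, affected: int, phi_encrypted: bool, role: str) -> dict:
    """Return {recipient: deadline} for a breach; an empty dict means no notice is owed.

    role is "covered_entity" or "business_associate". A Business Associate's direct
    duty is to notify the Covered Entity, which then notifies individuals, HHS and
    (for 500+ individuals) the media on the same 60-day clock.
    """
    if affected <= 0:
        raise ValueError("affected must be a positive count of individuals")
    if role not in ("covered_entity", "business_associate"):
        raise ValueError("role must be 'covered_entity' or 'business_associate'")
    if phi_encrypted:
        # Encrypted PHI is not "unsecured PHI", so the notification duty does not attach.
        return {}

    sixty_days = discovered_on + NOTIFY_WINDOW
    if role == "business_associate":
        return {"covered_entity": sixty_days}

    deadlines = {"individuals": sixty_days}
    if affected >= LARGE_BREACH_THRESHOLD:
        deadlines["hhs"] = sixty_days
        deadlines["media"] = sixty_days
    else:
        # Smaller breaches are logged and reported to HHS by March 1 of the following year.
        deadlines["hhs"] = date(discovered_on.year + 1, 3, 1)
    return deadlines


def open_obligations(incidents: list, today: date) -> list:
    """Flatten a list of incidents into (incident_id, recipient, deadline, days_left), soonest first."""
    rows = []
    for inc in incidents:
        for recipient, deadline in notification_deadlines(
            inc["discovered_on"], inc["affected"], inc["phi_encrypted"], inc["role"]
        ).items():
            rows.append((inc["id"], recipient, deadline, (deadline - today).days))
    return sorted(rows, key=lambda r: r[2])


# Constructed incidents for illustration; the ids are placeholders, not real cases.
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "discovered_on": date(2025, 1, 15), "affected": 120, "phi_encrypted": False, "role": "covered_entity"},
    {"id": "INC-2", "discovered_on": date(2025, 1, 15), "affected": 8000, "phi_encrypted": False, "role": "covered_entity"},
    {"id": "INC-3", "discovered_on": date(2025, 1, 15), "affected": 40, "phi_encrypted": False, "role": "business_associate"},
    {"id": "INC-4", "discovered_on": date(2025, 1, 15), "affected": 3000, "phi_encrypted": True, "role": "covered_entity"},
]

if __name__ == "__main__":
    for row in open_obligations(SAMPLE_INCIDENTS, today=date(2025, 2, 1)):
        print(row)
```

For the constructed incidents, INC-1 owes individual notice by 16 March 2025 and an HHS entry by 1 March 2026, INC-2 owes individuals, HHS and media all by 16 March 2025, INC-3 (a Business Associate) owes only the Covered Entity by 16 March 2025, and INC-4 owes nothing because the data was encrypted. Keeping the safe-harbor branch first in the function is deliberate: it mirrors the guide's point that encrypting all ePHI is the cheapest way to shrink your notification exposure.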


HIPAA Costs & Timeline

Cost Breakdown

HIPAA compliance costs vary based on company size, existing security maturity, and implementation approach.

Total First-Year Costs

| Company Size | Total Cost | Breakdown |
|---|---|---|
| 1-25 employees | $10,000 - $30,000 | Consultant: $5K-$15K, Tools: $3K-$8K, Training: $1K-$3K, Audit: $1K-$4K |
| 26-50 employees | $20,000 - $50,000 | Consultant: $10K-$25K, Tools: $5K-$12K, Training: $2K-$5K, Audit: $3K-$8K |
| 51-100 employees | $30,000 - $80,000 | Consultant: $15K-$40K, Tools: $8K-$20K, Training: $3K-$8K, Audit: $4K-$12K |

Average for small health tech startups (10-50 employees): $15,000 - $40,000 first year

Cost Components

1. Consultant Fees (Optional but Recommended)

| Service | Cost | When Needed |
|---|---|---|
| Gap analysis & risk assessment | $5,000 - $10,000 | Initial assessment (highly recommended) |
| Full implementation support | $15,000 - $40,000 | Don't have internal HIPAA expertise |
| Part-time support | $8,000 - $20,000 | Need guidance but can do some work internally |
| Policies & procedures | $3,000 - $8,000 | Writing HIPAA documentation |

2. Compliance Platform (Optional)

| Platform | Annual Cost | Features |
|---|---|---|
| Vanta | $15,000 - $30,000 | HIPAA + SOC 2 + ISO 27001 + multi-framework |
| Drata | $12,000 - $25,000 | HIPAA + SOC 2 + continuous monitoring |
| Secureframe | $10,000 - $20,000 | HIPAA + SOC 2 + GDPR |
| Sprinto | $10,000 - $18,000 | HIPAA + SOC 2 + ISO 27001 |
| Thoropass | $12,000 - $25,000 | Expert-led HIPAA + SOC 2 |

3. Security Tools & Infrastructure

| Tool Category | Examples | Annual Cost |
|---|---|---|
| Encryption | AWS KMS, Azure Key Vault, Google Cloud KMS | $500 - $2,000 |
| Access controls (SSO/MFA) | Okta, Auth0, Google Workspace | $1,000 - $5,000 |
| Logging/Monitoring | Datadog, Splunk, Papertrail | $1,000 - $10,000 |
| Vulnerability Scanning | Nessus, Qualys, AWS Inspector | $500 - $3,000 |
| Backup & DR | AWS Backup, Veeam, Backblaze | $1,000 - $5,000 |
| Training | KnowBe4, SANS Security Awareness | $500 - $2,000 |
| Documentation | Confluence, Notion, Google Workspace | $500 - $2,000 |

Total tools: $3,000 - $15,000/year

4. Internal Labor

| Role | Time Commitment | Equivalent Cost |
|---|---|---|
| HIPAA Compliance Officer (project lead) | 40% time for 4-6 months | $25,000 - $50,000 |
| Security Lead (technical implementation) | 30% time for 4-6 months | $15,000 - $30,000 |
| IT/DevOps | 20% time for 4-6 months | $10,000 - $20,000 |
| HR/People Ops | 10% time for 4-6 months | $3,000 - $8,000 |

Total internal labor: 150-300 hours (equivalent $50K-$110K if fully outsourced)

5. Audit (2025+ Requirement)

| Audit Type | Cost | Frequency |
|---|---|---|
| Internal audit (readiness check) | $3,000 - $8,000 | Once (before going live) |
| External audit (third-party) | $5,000 - $15,000 | Annual (proposed 2025 requirement) |

Annual Maintenance Costs

Year 2+ (Ongoing Compliance):

| Cost Category | Annual Cost |
|---|---|
| Annual audit (2025+ requirement) | $5,000 - $15,000 |
| Compliance platform | $10,000 - $30,000 (if using) |
| Tools/infrastructure | $3,000 - $15,000 |
| Training (annual refresher) | $500 - $2,000 |
| Internal labor (ongoing maintenance) | 50-100 hours/year |
| Total Year 2+ | $18,000 - $62,000/year |

Timeline Breakdown

Average: 3-6 months from project start to HIPAA-ready (most startups: 4-5 months)

Optimistic Timeline (3 months)

For: Startups with existing security practices, dedicated security person, compliance platform

| Phase | Duration | Activities |
|---|---|---|
| Assessment & planning | Week 1-2 | Risk assessment, gap analysis, scope definition |
| Administrative safeguards | Week 3-5 | Policies, procedures, training program, designate officers |
| Physical safeguards | Week 3-4 | Facility access controls (if applicable), device security |
| Technical safeguards | Week 5-10 | Encryption, access controls, audit logs, backups |
| Documentation & training | Week 11-12 | Finalize documentation, train workforce |
| Audit & remediation | Week 12-13 | Internal audit, fix gaps |
| Go live | Week 14 | Begin serving healthcare customers, signing BAAs |

Total: 3-4 months

Realistic Timeline (4-6 months)

For: Most startups (moderate security maturity, part-time compliance person)

| Phase | Duration | Activities |
|---|---|---|
| Assessment & planning | Week 1-4 | Risk assessment, gap analysis, consultant selection |
| Administrative safeguards | Week 5-10 | Policies, procedures, training program |
| Physical safeguards | Week 5-8 | Facility security, device controls |
| Technical safeguards | Week 11-18 | Encryption, access controls, logging, monitoring, backups |
| Documentation & training | Week 19-22 | Finalize docs, train all employees |
| Audit & remediation | Week 23-26 | Internal audit, fix gaps, external audit (optional) |
| Go live | Week 26 | HIPAA-ready, sign BAAs with customers |

Total: 6 months

Conservative Timeline (6-12 months)

For: Startups with minimal security practices, no dedicated security person, complex architecture

Duration: 6-12 months (highly variable)


HIPAA Safeguards

The HIPAA Security Rule requires three types of safeguards to protect ePHI:

  1. Administrative Safeguards: Policies, procedures, and processes
  2. Physical Safeguards: Physical access to facilities and devices
  3. Technical Safeguards: Technology to protect ePHI

45 specifications total:

  • Required (R): 34 specifications (must implement)
  • Addressable (A): 11 specifications (implement if reasonable and appropriate, or document why not and implement alternative)

Administrative Safeguards (9 Standards, 29 Specifications)

Administrative safeguards are policies, procedures, and processes for managing security.

1. Security Management Process (R)

Implement policies and procedures to prevent, detect, contain, and correct security violations.

Specifications:

  • Risk Analysis (R): Conduct risk assessment to identify ePHI threats and vulnerabilities
  • Risk Management (R): Implement measures to reduce risks to reasonable and appropriate level
  • Sanction Policy (R): Apply sanctions to workforce members who violate security policies
  • Information System Activity Review (R): Review logs, audit reports, security incidents

Implementation:

  • Annual risk assessment (identify assets, threats, vulnerabilities, likelihood, impact)
  • Risk treatment plan (mitigate, accept, transfer, avoid)
  • Disciplinary policy (warnings, termination for security violations)
  • Quarterly log reviews (access logs, failed logins, anomalies)

2. Assigned Security Responsibility (R)

Designate a Security Officer responsible for developing and implementing security policies.

Implementation:

  • Appoint Security Officer (CTO, VP Eng, or security lead)
  • Document responsibilities in job description
  • Provide adequate resources (budget, time, tools)

3. Workforce Security (R)

Implement procedures to ensure workforce members have appropriate access to ePHI.

Specifications:

  • Authorization and/or Supervision (A): Authorize and supervise workforce members with ePHI access
  • Workforce Clearance Procedure (A): Verify workforce member is cleared for ePHI access (background checks, training)
  • Termination Procedures (A): Revoke access upon termination (within 24 hours)

Implementation:

  • Access request and approval process (manager approval required)
  • Background checks for employees with ePHI access
  • Offboarding checklist (revoke access within 24 hours)

4. Information Access Management (R)

Implement policies to authorize and limit access to ePHI.

Specifications:

  • Isolating Healthcare Clearinghouse Functions (R): If clearinghouse, isolate functions (not applicable to most startups)
  • Access Authorization (A): Authorize access based on job role (role-based access control)
  • Access Establishment and Modification (A): Procedures for granting/modifying access

Implementation:

  • Role-based access control (RBAC): Define roles (admin, clinician, read-only), assign least privilege
  • Access request form (name, role, systems needed, business justification)
  • Quarterly access reviews (review all users, remove unnecessary access)

5. Security Awareness and Training (R)

Train workforce on security policies and procedures.

Specifications:

  • Security Reminders (A): Periodic security reminders (quarterly emails, posters)
  • Protection from Malicious Software (A): Procedures to detect and prevent malware
  • Log-in Monitoring (A): Monitor login attempts (failed logins, unusual activity)
  • Password Management (A): Password policy (complexity, expiration, MFA)

Implementation:

  • Annual HIPAA security training for all employees (online course + certificate)
  • Quarterly security awareness emails (phishing tips, password hygiene)
  • Anti-virus/anti-malware on all devices (endpoint protection)
  • MFA required for all ePHI access
  • Password policy (min 12 characters, complexity, 90-day expiration)

6. Security Incident Procedures (R)

Respond to security incidents (breaches, unauthorized access, malware).

Specifications:

  • Response and Reporting (R): Identify, respond to, report security incidents

Implementation:

  • Incident response plan (roles, escalation, containment, recovery, notification)
  • Incident response team (Security Officer, IT, legal, communications)
  • Incident log (track all incidents, root cause, remediation)
  • Breach assessment (if incident is breach, follow Breach Notification Rule)

7. Contingency Plan (R)

Plan for emergencies, disasters, and system failures.

Specifications:

  • Data Backup Plan (R): Backup ePHI (daily backups, offsite storage)
  • Disaster Recovery Plan (R): Restore ePHI after disaster (RTO: 72 hours per 2025 rule)
  • Emergency Mode Operation Plan (R): Continue operations during emergency (workarounds, manual processes)
  • Testing and Revision Procedures (A): Test DR plan annually
  • Applications and Data Criticality Analysis (A): Identify critical systems/data (prioritize recovery)

Implementation:

  • Automated daily backups (databases, file storage)
  • Offsite backup storage (separate geographic region)
  • Disaster recovery plan (RTO: 72 hours, RPO: 24 hours)
  • Annual DR test (restore from backup, verify data integrity)
  • Business impact analysis (identify critical systems, acceptable downtime)

8. Evaluation (R)

Conduct periodic technical and non-technical evaluations of security safeguards.

Implementation:

  • Annual security audit (internal or external)
  • Quarterly vulnerability scans
  • Annual penetration testing
  • Document findings and remediation

9. Business Associate Contracts and Other Arrangements (R)

Enter into Business Associate Agreements (BAAs) with vendors handling ePHI.

Specifications:

  • Written Contract or Other Arrangement (R): BAA must be in writing, include required provisions

Implementation:

  • Sign BAA with every vendor that accesses ePHI (AWS, Google, Stripe, Twilio, etc.)
  • BAA checklist (ensure all required provisions included)
  • Vendor inventory (list all vendors, BAA status, renewal dates)

Physical Safeguards (4 Standards, 6 Specifications)

Physical safeguards protect physical access to facilities, devices, and workstations with ePHI.

1. Facility Access Controls (R)

Limit physical access to facilities with ePHI.

Specifications:

  • Contingency Operations (A): Allow access during emergencies
  • Facility Security Plan (A): Document physical security measures (locks, cameras, badges)
  • Access Control and Validation Procedures (A): Control and validate visitor access (visitor logs, escorts)
  • Maintenance Records (A): Document repairs and modifications to physical security (door locks, cameras)

Implementation:

  • Locked doors, badge access (key cards, PIN codes)
  • Visitor log (name, date, time, purpose, escort)
  • Surveillance cameras (entrances, server rooms)
  • Escort policy (visitors must be escorted)

Note: If fully cloud-based (no physical offices or data centers), document this in policies and note physical safeguards are handled by cloud provider (AWS, GCP, Azure).

2. Workstation Use (R)

Policies for workstation use (laptops, desktops, tablets with ePHI access).

Implementation:

  • Workstation security policy (lock screen when away, no shared devices, no ePHI on personal devices)
  • Clean desk policy (no PHI on desks, lock documents in drawers)
  • Screen privacy filters (prevent shoulder surfing)

3. Workstation Security (R)

Physical safeguards for workstations (prevent unauthorized access).

Implementation:

  • Automatic screen lock (after 5-15 minutes inactivity)
  • Cable locks for laptops (in offices)
  • Encrypted hard drives (full-disk encryption: FileVault, BitLocker)

4. Device and Media Controls (R)

Secure devices and media containing ePHI (laptops, USB drives, hard drives, backups).

Specifications:

  • Disposal (R): Securely dispose of ePHI and devices (shredding paper, wiping drives)
  • Media Re-use (R): Remove ePHI before re-using media (wipe drives before repurposing)
  • Accountability (A): Track movement of devices/media (inventory, check-in/check-out)
  • Data Backup and Storage (A): Backup ePHI, store securely

Implementation:

  • Asset inventory (all laptops, servers, USB drives with ePHI)
  • Secure disposal procedure (shred paper, wipe drives per NIST 800-88)
  • Media sanitization (before selling/donating devices)
  • Device tracking (who has which device, location)

Technical Safeguards (5 Standards, 10 Specifications)

Technical safeguards are technology to protect ePHI.

1. Access Control (R)

Limit ePHI access to authorized users.

Specifications:

  • Unique User Identification (R): Assign unique user ID to each user (no shared accounts)
  • Emergency Access Procedure (R): Establish procedure for emergency access (break-glass accounts)
  • Automatic Logoff (A): Auto-logoff after inactivity period
  • Encryption and Decryption (A): Encrypt ePHI (AES-256 or higher)

Implementation:

  • Unique usernames (no shared or generic accounts)
  • Emergency access (break-glass accounts for system failures, logged and reviewed)
  • Auto-logoff (15-30 minutes inactivity)
  • Encryption at rest (AES-256 for databases, file storage)
  • Encryption in transit (TLS 1.2+ for all ePHI transmission)

2. Audit Controls (R)

Log and monitor activity on systems with ePHI.

Implementation:

  • Centralized logging (aggregate logs from all systems: AWS CloudTrail, Google Cloud Logging, Azure Monitor)
  • Log ePHI access (who accessed, when, what action)
  • Log retention (minimum 6 years per HIPAA, 1 year practical minimum)
  • Log reviews (quarterly reviews, investigate anomalies)

3. Integrity (R)

Protect ePHI from improper alteration or destruction.

Specifications:

  • Mechanism to Authenticate ePHI (A): Verify ePHI hasn't been altered (checksums, digital signatures)

Implementation:

  • Checksums (verify file integrity after transmission or storage)
  • Version control (track changes to ePHI, audit trail)
  • Write-once storage (immutable backups)

4. Person or Entity Authentication (R)

Verify identity of persons/entities accessing ePHI.

Implementation:

  • Multi-factor authentication (MFA) required for all ePHI access
  • Strong passwords (12+ characters, complexity, 90-day expiration)
  • Biometric authentication (fingerprint, facial recognition) for mobile devices

5. Transmission Security (R)

Protect ePHI transmitted over networks.

Specifications:

  • Integrity Controls (A): Ensure ePHI is not improperly modified during transmission (encryption, checksums)
  • Encryption (A): Encrypt ePHI during transmission (TLS 1.2+, VPN)

Implementation:

  • TLS 1.2+ (HTTPS) for all web traffic
  • VPN required for remote access to production systems
  • Email encryption (S/MIME, TLS) for PHI transmitted via email
  • Secure file transfer (SFTP, not FTP)

6-Month HIPAA Compliance Roadmap

This roadmap assumes you're implementing HIPAA compliance over 6 months (realistic timeline for most health tech startups).

  • Month 1: Assessment & Planning
  • Month 2: Administrative Safeguards
  • Month 3: Physical & Technical Safeguards
  • Month 4: Technical Safeguards (continued)
  • Month 5: Documentation & Training
  • Month 6: Audit & Go Live


Phase 1: Assessment & Planning

Duration: Weeks 1-4 (Month 1)

Goal: Understand HIPAA requirements, assess current state, identify gaps, plan implementation.

Step 1: Determine HIPAA Applicability

Activity: Confirm whether HIPAA applies to your startup.

Questions:

  • Are you a Covered Entity (healthcare provider, health plan, clearinghouse)?
  • Are you a Business Associate (vendor to healthcare customers, handling PHI)?
  • Do you create, receive, maintain, or transmit PHI?

Deliverable: Applicability determination (document: Yes, HIPAA applies because [reason])

Step 2: Define Scope

Activity: Define what systems, data, and processes are in scope for HIPAA.

Scope considerations:

  • In-scope systems: Production environment, databases with PHI, applications handling PHI
  • In-scope data: What data qualifies as PHI? (patient names, DOB, medical records, etc.)
  • In-scope processes: User access, data transmission, backup/recovery, incident response
  • Out-of-scope: Non-production environments (dev, staging), systems without PHI

Deliverable: HIPAA Scope Document (1-2 pages: which systems, data, processes are covered)

Step 3: Assemble HIPAA Team

Roles:

  • Privacy Officer: Oversees Privacy Rule compliance (patient rights, minimum necessary) – can be same as Security Officer for small startups
  • Security Officer: Oversees Security Rule compliance (technical safeguards, risk assessment)
  • HIPAA Compliance Manager: Project lead, coordinates implementation (often same as Security Officer)
  • IT/DevOps: Implements technical safeguards (encryption, access controls, logging)
  • HR/People Ops: Implements workforce safeguards (background checks, training, offboarding)
  • Legal: Reviews BAAs, policies, breach response

Time commitment:

  • Security Officer: 40% time for 6 months
  • IT/DevOps: 30% time for 6 months
  • Others: 10-20% as needed

Tip: If you lack HIPAA expertise, hire a consultant (part-time or full-time for 3-6 months).

Step 4: Conduct Risk Assessment

Activity: Identify risks to ePHI (required by Security Management Process safeguard).

Process:

  1. Identify assets: Systems, applications, databases, devices with ePHI
  2. Identify threats: Unauthorized access, ransomware, insider threat, data loss, system failure
  3. Identify vulnerabilities: No MFA, unencrypted data, weak passwords, unpatched systems
  4. Assess risks: Likelihood × Impact = Risk level (High / Medium / Low)

Example risk:

  • Asset: Production database (contains patient PHI)
  • Threat: Unauthorized access by external attacker
  • Vulnerability: No MFA, database publicly accessible
  • Likelihood: High (common attack)
  • Impact: High (breach of 10,000 patient records, $500K penalty)
  • Risk level: High
  • Treatment: Implement MFA, restrict database to VPN only, enable encryption

Deliverable: Risk Assessment Report (10-20 pages, 30-50 risks identified)

Step 5: Gap Analysis

Activity: Compare current state to HIPAA requirements (identify gaps).

Process:

  1. Review all 45 HIPAA specifications (Administrative, Physical, Technical)
  2. For each specification, assess current state:
    • ✅ Implemented
    • ⚠️ Partially implemented (needs improvement)
    • ❌ Not implemented (gap)
  3. Prioritize gaps (High / Medium / Low priority)
  4. Estimate remediation effort (hours/weeks)

Common gaps:

Gap | Priority | Effort
No documented HIPAA policies | High | 2-4 weeks
No MFA on production systems | High | 1 week
No encryption at rest | High | 2-3 weeks
No annual security training | High | 1-2 weeks
No BAAs with vendors | High | 2-4 weeks
No incident response plan | Medium | 2-3 weeks
No audit logs | Medium | 2-3 weeks
No disaster recovery plan | Medium | 3-4 weeks

Deliverable: Gap Analysis Report (spreadsheet: Specification, Current State, Gap, Priority, Effort, Owner, Target Date)

Step 6: Create Implementation Plan

Activity: Create roadmap for closing gaps.

Deliverable: Implementation Plan (Gantt chart or timeline: which gaps to remediate, by when, by whom)


Phase 2: Administrative Safeguards

Duration: Weeks 5-12 (Months 2-3)

Goal: Implement administrative safeguards (policies, procedures, training, officers).

Step 1: Write HIPAA Policies & Procedures

Activity: Document HIPAA policies and procedures.

Required policies:

  1. HIPAA Security Policy (master policy)
  2. Risk Management Policy
  3. Sanction Policy (disciplinary actions)
  4. Information System Activity Review Policy (log reviews)
  5. Workforce Security Policy (authorization, termination)
  6. Access Control Policy (RBAC, least privilege)
  7. Security Awareness and Training Policy
  8. Incident Response Policy
  9. Contingency Plan (backup, disaster recovery)
  10. Business Associate Management Policy
  11. Physical Security Policy (if applicable)
  12. Workstation Use and Security Policy
  13. Device and Media Controls Policy
  14. Audit Control Policy
  15. Encryption Policy
  16. Password Policy

Procedures (20-30 procedures):

  • User access provisioning and deprovisioning
  • Access rights review (quarterly)
  • Security training (annual)
  • Incident response
  • Breach notification
  • Backup and recovery
  • Vulnerability management
  • Vendor risk assessment

Templates: Use HIPAA policy templates (free: search "HIPAA policy templates" or paid: buy from compliance vendors)

Effort: 40-60 hours (can be done by consultant or Security Officer)

Deliverable: HIPAA Policies & Procedures Package (80-150 pages total)

Step 2: Designate Privacy Officer and Security Officer

Activity: Formally appoint Privacy Officer and Security Officer.

Documentation:

  • Job descriptions (include HIPAA responsibilities)
  • Appointment letters (signed by CEO)
  • Organizational chart (show reporting lines)

Deliverable: Officer appointment documentation

Step 3: Implement Workforce Security

Activity: Implement workforce security procedures.

Tasks:

  1. Background checks: Conduct for all employees with ePHI access (Checkr, GoodHire)
  2. Confidentiality agreements: All employees sign HIPAA confidentiality agreement
  3. Onboarding process: Document IT account setup, access provisioning, training
  4. Offboarding process: Document access revocation (within 24 hours of termination)

Deliverable: Workforce security procedures, background check records, confidentiality agreements

Step 4: Implement Access Management

Activity: Implement access control procedures.

Tasks:

  1. Role-based access control (RBAC): Define roles (admin, clinician, billing, read-only), assign least privilege
  2. Access request process: Access request form, manager approval required
  3. Quarterly access reviews: Review all users, remove unnecessary access

Deliverable: RBAC matrix (role → permissions), access request forms, access review logs

Step 5: Implement Incident Response

Activity: Create incident response plan and team.

Components:

  1. Incident response plan: Roles, escalation, containment, recovery, notification
  2. Incident response team: Security Officer, IT, legal, communications
  3. Incident log: Track all incidents, root cause, remediation
  4. Breach assessment: Process for determining if incident is breach (requires notification)

Deliverable: Incident response plan (10-20 pages), incident response team roster, incident log template

Step 6: Obtain Business Associate Agreements (BAAs)

Activity: Sign BAAs with all vendors handling ePHI.

Process:

  1. Vendor inventory: List all vendors with ePHI access (AWS, Google Cloud, Stripe, Twilio, email, analytics)
  2. Request BAAs: Contact vendors, request signed BAA
  3. Review BAAs: Ensure BAAs include all required provisions
  4. Track BAAs: Maintain BAA repository (Google Drive folder), track renewal dates

Common vendors requiring BAAs:

  • Cloud providers (AWS, Google Cloud, Azure, Heroku)
  • SaaS tools (Google Workspace, Slack, Zoom, Intercom – if used for PHI)
  • Payment processors (Stripe, PayPal – if processing health transactions)
  • Email/SMS (SendGrid, Twilio – if transmitting PHI)
  • Analytics (Segment, Mixpanel – if analyzing PHI)

Deliverable: Vendor inventory (spreadsheet), signed BAAs from all vendors


Phase 3: Physical Safeguards

Duration: Weeks 5-10 (Months 2-3, concurrent with Administrative)

Goal: Implement physical safeguards (facility access, workstation security, device controls).

Step 1: Facility Access Controls

Activity: Secure physical facilities (offices, data centers).

Tasks:

  1. Locked doors: Key cards, PIN codes, keys
  2. Visitor log: Name, date, time, purpose, escort
  3. Surveillance cameras: Entrances, server rooms
  4. Escort policy: Visitors must be escorted in areas with ePHI

Note: If fully cloud-based (no physical offices or data centers), document this in policies and note physical safeguards are handled by cloud provider.

Deliverable: Facility security procedures, visitor log template

Step 2: Workstation Use & Security

Activity: Secure workstations (laptops, desktops).

Tasks:

  1. Workstation security policy: Lock screens when away, no shared devices, no ePHI on personal devices
  2. Automatic screen lock: 5-15 minutes inactivity
  3. Full-disk encryption: FileVault (Mac), BitLocker (Windows)
  4. Clean desk policy: No PHI on desks, lock documents

Deliverable: Workstation security policy, configuration guides

Step 3: Device and Media Controls

Activity: Secure devices and media with ePHI.

Tasks:

  1. Asset inventory: All laptops, servers, USB drives, hard drives with ePHI
  2. Secure disposal: Shred paper, wipe drives (NIST 800-88 standards)
  3. Device tracking: Who has which device, location
  4. Media sanitization: Wipe drives before selling/donating

Deliverable: Asset inventory (spreadsheet), disposal procedures


Phase 4: Technical Safeguards

Duration: Weeks 11-20 (Months 3-5)

Goal: Implement technical safeguards (encryption, access controls, audit logs, backups).

Step 1: Encryption

Activity: Encrypt all ePHI (at rest and in transit).

Tasks:

  1. Encryption at rest: AES-256 for databases (AWS RDS encryption, Google Cloud SQL encryption, Azure SQL encryption), file storage (S3 encryption, Google Cloud Storage encryption)
  2. Encryption in transit: TLS 1.2+ (HTTPS) for all web traffic, TLS for API/database connections, VPN for remote access

Tools:

  • AWS: KMS (Key Management Service), RDS encryption, S3 encryption
  • Google Cloud: Cloud KMS, Cloud SQL encryption, Cloud Storage encryption
  • Azure: Azure Key Vault, SQL encryption, Blob Storage encryption

Deliverable: Encrypted production systems (evidence: screenshots, configs)

Step 2: Access Controls (Technical)

Activity: Implement technical access controls.

Tasks:

  1. Unique user IDs: No shared accounts
  2. Multi-factor authentication (MFA): Required for all ePHI access (Okta, Auth0, Google Authenticator, Duo)
  3. Auto-logoff: 15-30 minutes inactivity
  4. Strong passwords: 12+ characters, complexity, 90-day expiration (or passwordless with MFA)

Tools:

  • SSO/MFA: Okta, Auth0, Google Workspace, Azure AD, Duo

Deliverable: MFA enabled (all users), password policy configured

Step 3: Audit Controls (Logging)

Activity: Implement audit logging for all ePHI access.

Tasks:

  1. Centralized logging: Aggregate logs from all systems (AWS CloudTrail, Google Cloud Logging, Azure Monitor, Datadog, Splunk, Papertrail)
  2. Log ePHI access: Who accessed, when, what action (read, write, delete)
  3. Log retention: Minimum 6 years (HIPAA requirement), 1 year practical minimum
  4. Quarterly log reviews: Investigate anomalies, failed logins, unauthorized access

Tools:

  • Logging: Datadog, Splunk, ELK Stack, Papertrail, AWS CloudTrail, Google Cloud Logging, Azure Monitor

Deliverable: Centralized logging configured, log retention policy, log review schedule
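The quarterly log review described in this step (and under Technical Safeguards, Audit Controls, above) can be partly automated. The following is an added example, not code from the guide or from any of the logging tools it names: it parses constructed audit-log lines in an assumed JSON-per-line format and flags what the review is meant to catch (accounts missing from the roster, failed-login bursts, bulk record access, after-hours access). The roster, thresholds and business hours are assumptions a Security Officer would tune.

```python
"""Quarterly ePHI audit-log review.

Added example, not from the guide. Assumes (constructed for this example)
that every in-scope system emits one JSON object per line with the fields
ts (ISO 8601, UTC), user, action, record_id and result. The roster and the
thresholds are placeholders.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed roster of authorised accounts (unique user IDs, no shared accounts).
ROSTER = {"dr.lee": "clinician", "nurse.kim": "clinician",
          "billing.ana": "billing", "sec.officer": "admin"}

FAILED_LOGIN_THRESHOLD = 5      # failed logins per account per clock hour
BULK_ACCESS_THRESHOLD = 3       # distinct patient records per account per clock hour
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 UTC
EPHI_ACTIONS = {"read", "write", "delete"}

# Constructed sample log: one normal clinician, one night-time bulk read by a
# billing account, one account missing from the roster, one failed-login burst.
SAMPLE_LOG = """\
{"ts":"2025-03-03T09:12:01Z","user":"dr.lee","action":"read","record_id":"P-1001","result":"ok"}
{"ts":"2025-03-03T09:15:44Z","user":"dr.lee","action":"write","record_id":"P-1001","result":"ok"}
{"ts":"2025-03-03T02:01:10Z","user":"billing.ana","action":"read","record_id":"P-2001","result":"ok"}
{"ts":"2025-03-03T02:01:11Z","user":"billing.ana","action":"read","record_id":"P-2002","result":"ok"}
{"ts":"2025-03-03T02:01:12Z","user":"billing.ana","action":"read","record_id":"P-2003","result":"ok"}
{"ts":"2025-03-03T02:01:13Z","user":"billing.ana","action":"read","record_id":"P-2004","result":"ok"}
{"ts":"2025-03-03T10:00:00Z","user":"svc-shared","action":"read","record_id":"P-3001","result":"ok"}
{"ts":"2025-03-03T11:00:01Z","user":"nurse.kim","action":"login","record_id":null,"result":"fail"}
{"ts":"2025-03-03T11:00:09Z","user":"nurse.kim","action":"login","record_id":null,"result":"fail"}
{"ts":"2025-03-03T11:00:17Z","user":"nurse.kim","action":"login","record_id":null,"result":"fail"}
{"ts":"2025-03-03T11:00:25Z","user":"nurse.kim","action":"login","record_id":null,"result":"fail"}
{"ts":"2025-03-03T11:00:33Z","user":"nurse.kim","action":"login","record_id":null,"result":"fail"}
{"ts":"2025-03-03T11:01:02Z","user":"nurse.kim","action":"login","record_id":null,"result":"ok"}
"""


def parse_log(text):
    """Parse one JSON object per line, converting ts to a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def hour_bucket(ev):
    """Key used to aggregate one account's activity per clock hour."""
    return (ev["user"], ev["ts"].strftime("%Y-%m-%dT%H"))


def review(events):
    """Return findings grouped by type; an empty dict means nothing to investigate."""
    findings = defaultdict(list)
    unknown = set()
    failed = defaultdict(int)
    records = defaultdict(set)
    for ev in events:
        if ev["user"] not in ROSTER:          # Unique User Identification check
            unknown.add(ev["user"])
        if ev["action"] == "login" and ev["result"] == "fail":
            failed[hour_bucket(ev)] += 1
        if ev["action"] in EPHI_ACTIONS and ev["result"] == "ok":
            records[hour_bucket(ev)].add(ev["record_id"])
            if ev["ts"].hour not in BUSINESS_HOURS:
                findings["after_hours"].append(
                    f"{ev['user']} {ev['action']} {ev['record_id']} at {ev['ts'].isoformat()}")
    if unknown:
        findings["unknown_user"] = sorted(unknown)
    for (user, hour), n in failed.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings["failed_login_burst"].append(f"{user}: {n} failed logins during {hour}")
    for (user, hour), recs in records.items():
        if len(recs) >= BULK_ACCESS_THRESHOLD:
            findings["bulk_access"].append(f"{user}: {len(recs)} distinct records during {hour}")
    return dict(findings)


def review_sample():
    """Run the review over the constructed sample log."""
    return review(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, items in review_sample().items():
        print(kind)
        for item in items:
            print("  -", item)
```

Each finding becomes an entry in the incident log or an access-review ticket; the script is evidence for the Information System Activity Review specification only if its runs and outcomes are themselves recorded.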

Step 4: Integrity Controls

Activity: Protect ePHI from improper alteration or destruction.

Tasks:

  1. Checksums: Verify file integrity (SHA-256 hashes)
  2. Version control: Track changes to ePHI (audit trail)
  3. Immutable backups: Write-once storage (prevent tampering)

Deliverable: Integrity controls configured (checksums, version control)
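As an added example (not from the guide), here is how the checksum control from this step, and from Technical Safeguards, Integrity, above, can be implemented for a backup set: build a SHA-256 manifest when the backup is signed off, keep the manifest in write-once storage separate from the backup, and re-verify the backup against it later. File names and contents are constructed.

```python
"""SHA-256 checksum manifest for ePHI backups.

Added example, not from the guide. Builds a manifest (relative path ->
SHA-256 digest) over a backup directory and later re-verifies the directory
against it, reporting modified, missing and unexpected files. Keep the
manifest in write-once storage apart from the backup set, so that whoever
can alter a backup cannot also rewrite its manifest. All names and contents
below are constructed for the demo.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large backup files never load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_manifest(root, manifest):
    """Compare the directory at root against a stored manifest.

    modified:   file present but digest differs (altered in place)
    missing:    file in manifest but no longer present (destroyed)
    unexpected: file present but not in manifest (added after sign-off)
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed walk-through: sign off a clean backup, then detect tampering."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed backup set (not real PHI).
        files = {
            "patients.csv": b"patient_id,name\n1,Constructed Sample\n",
            "labs/results.csv": b"patient_id,test,result\n1,a1c,5.4\n",
        }
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)

        # Simulate the three integrity failures the control must catch.
        with open(os.path.join(root, "labs", "results.csv"), "ab") as f:
            f.write(b"1,a1c,9.9\n")                        # record altered
        os.remove(os.path.join(root, "patients.csv"))      # file destroyed
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"added after sign-off\n")             # file added
        tampered = verify_manifest(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean backup:", before)
    print("tampered backup:", after)
```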

Step 5: Transmission Security

Activity: Protect ePHI transmitted over networks.

Tasks:

  1. TLS 1.2+: All web traffic (HTTPS)
  2. VPN: Required for remote access to production
  3. Email encryption: S/MIME or TLS for PHI via email (or use secure patient portal, don't email PHI)
  4. Secure file transfer: SFTP (not FTP)

Deliverable: TLS configured (all endpoints), VPN configured

Step 6: Backup & Disaster Recovery

Activity: Implement backup and disaster recovery.

Tasks:

  1. Automated daily backups: Databases, file storage
  2. Offsite backup storage: Separate geographic region (AWS S3 cross-region, Google Cloud Storage multi-region)
  3. Disaster recovery plan: RTO (Recovery Time Objective): 72 hours, RPO (Recovery Point Objective): 24 hours
  4. Annual DR test: Restore from backup, verify data integrity

Tools:

  • AWS: RDS automated backups, S3 versioning, AWS Backup
  • Google Cloud: Cloud SQL backups, Cloud Storage versioning, Persistent Disk snapshots
  • Azure: SQL automated backups, Blob Storage snapshots, Azure Backup

Deliverable: Automated backups configured, DR plan documented, DR test results


Phase 5: Documentation & Training

Duration: Weeks 21-24 (Months 5-6)

Goal: Finalize documentation and train workforce.

Step 1: Finalize HIPAA Documentation

Activity: Compile all HIPAA documentation in one place.

Documentation package:

  • HIPAA policies and procedures (15-20 policies, 20-30 procedures)
  • Risk assessment report
  • Risk treatment plan
  • Security Officer and Privacy Officer appointments
  • Business Associate Agreements (all vendors)
  • Asset inventory
  • Access control matrix (RBAC)
  • Incident response plan
  • Disaster recovery plan
  • Training materials

Organization: Create HIPAA documentation repository (Google Drive, Confluence, SharePoint)

Deliverable: Complete HIPAA documentation package (organized, version-controlled)

Step 2: Develop Training Program

Activity: Create HIPAA security awareness training for workforce.

Training topics:

  • What is HIPAA? (Privacy Rule, Security Rule, Breach Notification Rule)
  • What is PHI? (18 identifiers)
  • How to handle PHI (minimum necessary, secure transmission, no PHI on personal devices)
  • Password security (strong passwords, no sharing, MFA)
  • Phishing awareness (don't click suspicious links, report phishing emails)
  • Physical security (lock screens, clean desk, visitor escorts)
  • Incident reporting (how to report security incidents, who to contact)
  • Breach notification (what is a breach, when to report)

Format:

  • Online course (30-60 minutes, with quiz and certificate)
  • Annual refresher (shorter course, 15-30 minutes)

Tools:

  • KnowBe4 (security awareness training platform)
  • SANS Security Awareness (online courses)
  • Custom training (build your own with Google Slides + quiz)

Deliverable: HIPAA training course (online), training materials (slides, handouts)

Step 3: Train Workforce

Activity: Train all employees on HIPAA security.

Process:

  1. All employees complete HIPAA training (online course + certificate)
  2. New hires complete training within 30 days of hire
  3. Annual refresher training (every 12 months)
  4. Track training completion (spreadsheet: employee name, date completed, certificate)

Deliverable: Training completion records (all employees trained)

Step 4: Create Incident Response Contacts

Activity: Document incident response contacts (internal and external).

Contacts:

  • Internal: Security Officer, Privacy Officer, IT lead, legal counsel, CEO
  • External: Breach notification law firm (have lawyer on retainer for breach response), forensics firm (for breach investigation), cyber insurance carrier

Deliverable: Incident response contact list


Phase 6: Audit & Maintenance

Duration: Weeks 25-28 (Months 6-7)

Goal: Audit HIPAA compliance, remediate gaps, go live.

Step 1: Conduct Internal Audit

Activity: Test HIPAA safeguards internally (before external audit or customer due diligence).

Scope: Audit all implemented safeguards (Administrative, Physical, Technical)

Process:

  1. Review documentation: Are policies/procedures complete?
  2. Test controls: Collect evidence, verify controls are operating (sample logs, access reviews, training records)
  3. Interview personnel: Ask how controls are performed in practice
  4. Identify nonconformities: Document gaps or failures

Example tests:

  • Access control: Review access rights for 10 users—do they match roles? (Test RBAC)
  • Encryption: Verify database and file storage are encrypted (check configs)
  • Audit logs: Review logs from past 3 months—are ePHI accesses logged?
  • Training: Review training records—did all employees complete training?

Deliverable: Internal audit report (findings, recommendations)
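The access-control and training tests listed above, together with the quarterly access review and the 24-hour revocation rule from Phase 2, can be run as one repeatable audit script. This is an added example, not from the guide; the RBAC matrix, HR roster, IAM grants and training dates are constructed placeholders standing in for exports from your own identity provider and HR system.

```python
"""Automated access-review test for the internal audit.

Added example, not from the guide. Re-runs the quarterly access review as an
audit test: every production account is compared with the RBAC matrix, with
the HR roster (to catch accounts that outlived the 24-hour revocation rule or
have no owner at all) and with the training records (annual refresher).
All names, roles, grants and dates are constructed placeholders.
"""
from datetime import datetime, timedelta

# Constructed RBAC matrix (the role -> permissions deliverable).
RBAC_MATRIX = {
    "admin":     {"phi:read", "phi:write", "phi:delete", "iam:manage", "logs:read"},
    "clinician": {"phi:read", "phi:write"},
    "billing":   {"phi:read", "billing:write"},
    "read-only": {"phi:read"},
}

# Constructed HR roster: role, employment status, termination timestamp.
HR_ROSTER = {
    "dr.lee":      {"role": "clinician", "active": True,  "terminated_at": None},
    "billing.ana": {"role": "billing",   "active": True,  "terminated_at": None},
    "intern.raj":  {"role": "read-only", "active": False, "terminated_at": "2025-03-01T17:00:00"},
    "sec.officer": {"role": "admin",     "active": True,  "terminated_at": None},
}

# Constructed dump of the permissions actually granted in production IAM.
IAM_GRANTS = {
    "dr.lee":      {"phi:read", "phi:write"},
    "billing.ana": {"phi:read", "billing:write", "phi:delete"},
    "intern.raj":  {"phi:read"},
    "sec.officer": {"phi:read", "phi:write", "phi:delete", "iam:manage", "logs:read"},
    "shared-ops":  {"phi:read"},
}

# Constructed training log: account -> date the annual HIPAA course was completed.
TRAINING_COMPLETED = {
    "dr.lee": "2024-09-10",
    "billing.ana": "2024-01-15",
    "sec.officer": "2025-01-20",
}

REVOCATION_SLA = timedelta(hours=24)   # Termination Procedures: revoke within 24 hours
TRAINING_PERIOD = timedelta(days=365)  # Security Awareness and Training: annual refresher


def review_access(rbac, roster, grants, training, now):
    """Return a list of findings, each {"account", "kind", "detail"}."""
    findings = []

    def add(account, kind, detail):
        findings.append({"account": account, "kind": kind, "detail": detail})

    # Test 1: every IAM account has an owner, is still employed, and holds
    # no permission beyond its role (RBAC / least privilege).
    for account, perms in sorted(grants.items()):
        person = roster.get(account)
        if person is None:
            add(account, "no_owner", "account has no HR record (shared or orphaned account)")
            continue
        if not person["active"]:
            age = now - datetime.fromisoformat(person["terminated_at"])
            hours = age / timedelta(hours=1)
            status = "exceeds" if age > REVOCATION_SLA else "within"
            add(account, "terminated_still_active",
                f"terminated {hours:.0f}h ago, {status} the 24h revocation SLA")
            continue
        excess = perms - rbac[person["role"]]
        if excess:
            add(account, "excess_privilege",
                f"{sorted(excess)} not permitted for role {person['role']}")

    # Test 2: every active workforce member completed training in the last year.
    for account, person in sorted(roster.items()):
        if not person["active"]:
            continue
        completed = training.get(account)
        if completed is None or now - datetime.fromisoformat(completed) > TRAINING_PERIOD:
            add(account, "training_overdue", f"last completion: {completed or 'never'}")
    return findings


def audit_sample():
    """Run the review over the constructed data as of a fixed audit date."""
    return review_access(RBAC_MATRIX, HR_ROSTER, IAM_GRANTS, TRAINING_COMPLETED,
                         now=datetime(2025, 3, 3, 9, 0))


if __name__ == "__main__":
    for f in audit_sample():
        print(f"[{f['kind']}] {f['account']}: {f['detail']}")
```

Each finding maps directly to a corrective action in Step 2; keeping the inputs and output of each run is the evidence the audit report cites.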

Step 2: Remediate Findings

Activity: Fix any gaps found during internal audit.

Timeline: 1-2 weeks

Process:

  1. For each finding, create corrective action plan
  2. Implement corrective action
  3. Collect evidence of remediation
  4. Close out finding

Deliverable: Corrective action report

Step 3: External Audit (Optional but Recommended)

Activity: Hire external auditor to assess HIPAA compliance.

When to do external audit:

  • Before serving your first healthcare customer (de-risk)
  • Annually (proposed 2025 requirement)
  • Customer due diligence (some customers require external audit report)

Cost: $5,000 - $15,000 (varies by company size, scope)

Deliverable: External audit report

Step 4: Go Live (Begin Serving Healthcare Customers)

Activity: You're now HIPAA-ready. Begin signing BAAs with healthcare customers.

Process:

  1. Sign BAAs: Healthcare customers provide BAA, you review and sign
  2. Customer due diligence: Some customers request HIPAA documentation (policies, audit report, security questionnaire)
  3. Ongoing compliance: Maintain safeguards (quarterly access reviews, annual training, log reviews)

Deliverable: Signed BAAs with customers

Step 5: Ongoing Maintenance

Activity: Maintain HIPAA compliance (ongoing).

Activities:

  • Quarterly: Access reviews, log reviews, vulnerability scans
  • Annual: Security training (all employees), risk assessment review, policies review, disaster recovery test, external audit
  • As needed: Incident response, breach notification, offboarding (revoke access within 24 hours)

Time commitment: 5-10 hours/week (Security Officer)

Cost: $18,000 - $62,000/year (audits, tools, training, labor)


Common HIPAA Controls

Here are 30 common HIPAA controls organized by safeguard type.

Administrative Safeguards

  1. Risk assessment – Annual risk assessment (identify ePHI risks)
  2. Risk management – Implement controls to mitigate risks
  3. Sanction policy – Disciplinary action for security violations
  4. Information system activity review – Quarterly log reviews
  5. Security Officer designation – Appoint Security Officer
  6. Workforce authorization – Access based on job role (RBAC)
  7. Background checks – Screen employees with ePHI access
  8. Termination procedures – Revoke access within 24 hours
  9. Access reviews – Quarterly review of user access rights
  10. Security training – Annual HIPAA training for all employees
  11. Incident response plan – Document incident response procedures
  12. Breach assessment – Process for determining if incident is breach
  13. Data backup – Daily automated backups
  14. Disaster recovery – DR plan (RTO: 72 hours)
  15. DR testing – Annual disaster recovery test
  16. Security audit – Annual internal or external audit
  17. Business Associate Agreements (BAAs) – Sign BAAs with all vendors

Physical Safeguards

  1. Facility access controls – Locked doors, badge access
  2. Visitor log – Track all facility visitors
  3. Workstation security – Automatic screen lock (15 minutes)
  4. Full-disk encryption – Encrypt laptops (FileVault, BitLocker)
  5. Asset inventory – Track all devices with ePHI
  6. Secure disposal – Shred paper, wipe drives (NIST 800-88)

Technical Safeguards

  1. Unique user IDs – No shared accounts
  2. Multi-factor authentication (MFA) – Required for all ePHI access
  3. Encryption at rest – AES-256 for databases, file storage
  4. Encryption in transit – TLS 1.2+ (HTTPS)
  5. Audit logging – Log all ePHI access (who, when, what)
  6. Log retention – Retain logs for 6 years (HIPAA requirement)
  7. VPN – Required for remote access to production

HIPAA Penalties

HIPAA violations can result in severe civil and criminal penalties.

Civil Penalties (HHS Office for Civil Rights)

HIPAA civil penalties are tiered based on culpability:

Tier | Violation Type | Penalty (Per Violation) | Annual Maximum
Tier 1 | Did not know (and could not have known with reasonable diligence) | $100 - $50,000 | $1,500,000
Tier 2 | Knew or should have known (but not willful neglect) | $1,000 - $50,000 | $1,500,000
Tier 3 | Willful neglect (but corrected within 30 days) | $10,000 - $50,000 | $1,500,000
Tier 4 | Willful neglect (not corrected within 30 days) | $50,000 - $1,900,000 | $1,900,000

Key points:

  • Penalties are per violation (not per breach). Example: If 10,000 patient records breached, potentially 10,000 violations.
  • Annual maximum: $1.9M per violation category per year
  • Willful neglect: Conscious, intentional failure to comply (e.g., knowing encryption is required but choosing not to implement)

Criminal Penalties (Department of Justice)

HIPAA criminal penalties apply to knowing violations:

Violation Type | Penalty
Knowingly obtaining or disclosing PHI | Up to $50,000 + 1 year in prison
Obtaining PHI under false pretenses | Up to $100,000 + 5 years in prison
Obtaining PHI with intent to sell, transfer, or use for commercial advantage, personal gain, or malicious harm | Up to $250,000 + 10 years in prison

Key point: Criminal penalties typically apply to individuals (employees, executives), not companies.

Notable HIPAA Enforcement Actions

Largest HIPAA settlements:

Year | Entity | Settlement | Violation
2024 | Rite Aid | $7.25M | No risk assessment, inadequate device security
2024 | Doctors' Management Services | $100K | Lack of BAA with vendor
2023 | Novant Health | $1.62M | Impermissible disclosure of PHI on website tracking
2022 | EyeCare Leaders | $600K | Ransomware attack (lacked encryption, risk assessment)
2019 | Anthem | $16M | Data breach (79M records) – inadequate security
2018 | Anthem (follow-up) | $39.5M | Data breach settlement (OCR + states)
2016 | Advocate Health Care | $5.55M | Stolen unencrypted laptops (4 breaches)

Common violations in enforcement actions:

  1. Lack of risk assessment (most common)
  2. No encryption (unencrypted devices stolen/lost)
  3. Inadequate access controls (no MFA, weak passwords)
  4. No Business Associate Agreements (vendors not under contract)
  5. Delayed breach notification (not reporting within 60 days)

Takeaway: Implement risk assessment and encryption first (most likely to trigger enforcement if absent).


HIPAA vs SOC 2 vs ISO 27001

Many health tech startups pursue multiple compliance frameworks. Here's how they compare:

Aspect | HIPAA | SOC 2 | ISO 27001
Type | Federal law (US) | Auditing framework (US) | International standard
Mandatory? | Yes (if handling PHI) | No (voluntary) | No (voluntary)
Geographic focus | United States | United States | Worldwide (especially Europe)
Scope | PHI protection | Customer data security | Information security management
Certification | No (self-declaration + audits) | No (attestation report) | Yes (certificate)
Cost | $10K-$50K (first year) | $20K-$50K (Type 2) | $10K-$50K (first year)
Timeline | 3-6 months | 6-12 months (Type 2) | 3-6 months
Penalties | $100 - $1.9M per violation | None (voluntary) | None (voluntary)
Enforcement | HHS OCR, DOJ | None | None
Who needs it? | Healthcare providers, BAs | SaaS, cloud, data processing (US) | International customers, EU
Key requirement | Business Associate Agreement | SOC 2 report (Type 1 or Type 2) | ISO 27001 certificate

Control Overlap

HIPAA vs SOC 2: 70-80% overlap (many SOC 2 controls satisfy HIPAA safeguards)

HIPAA vs ISO 27001: 60-70% overlap (ISO 27001 is broader, HIPAA is PHI-specific)

SOC 2 vs ISO 27001: 90% overlap (very similar controls)

Multi-Framework Strategy

Common combinations:

Health tech startup serving healthcare customers:

  1. HIPAA (mandatory)
  2. SOC 2 (if also serving non-healthcare customers or if healthcare customers require both)

Health tech startup serving international healthcare customers:

  1. HIPAA (mandatory for US healthcare)
  2. ISO 27001 (for EU/international healthcare customers)

Total cost (HIPAA + SOC 2): $40K-$80K (vs. $30K-$50K for HIPAA alone) – only 30-50% premium for both

Strategy: Implement HIPAA first (mandatory), then add SOC 2 or ISO 27001 if customers require (incremental effort: 20-30%).


Common Mistakes

Avoid these common HIPAA compliance mistakes:

1. Treating HIPAA as One-Time Project

Mistake: Implement HIPAA once, then forget about it.

Impact: Controls lapse (access not reviewed, training not renewed) → fail future audits or customer due diligence.

Fix: Assign ongoing ownership (Security Officer), maintain controls continuously (quarterly access reviews, annual training).

2. No Risk Assessment

Mistake: Skipping risk assessment (required by Security Management Process safeguard).

Impact: Most common HIPAA violation in enforcement actions. Risk assessment is required (not optional).

Fix: Conduct annual risk assessment (identify assets, threats, vulnerabilities, likelihood, impact). Document findings and risk treatment plan.

3. No Encryption

Mistake: Not encrypting ePHI (at rest or in transit).

Impact: Second most common violation. If an unencrypted device is lost or stolen → breach notification required → OCR investigation → penalties.

Safe harbor: If ePHI is encrypted (AES-256+), breach notification not required (even if device lost/stolen).

Fix: Encrypt all ePHI (databases, file storage, laptops) at rest. Use TLS 1.2+ for all ePHI transmission.

4. No BAAs with Vendors

Mistake: Using vendors (AWS, Google, Stripe) without signed Business Associate Agreements.

Impact: HIPAA violation. Covered Entities and Business Associates must sign BAAs with all vendors handling PHI.

Fix: Request BAAs from all vendors. Maintain BAA repository (Google Drive folder). Track renewal dates.

5. Delayed Breach Notification

Mistake: Discovering breach but not notifying HHS, affected individuals, or Covered Entity within 60 days.

Impact: Separate HIPAA violation (Breach Notification Rule). OCR may impose penalties for delayed notification (even if breach itself wasn't your fault).

Fix: Implement breach assessment process (immediate determination: is this a breach?). If breach, notify within 60 days (sooner if possible).

6. Using Personal Devices for PHI

Mistake: Allowing employees to access PHI from personal laptops or phones (BYOD).

Impact: Personal devices often lack security controls (no encryption, no MFA, no remote wipe). If device lost/stolen → breach.

Fix: Prohibit PHI on personal devices OR implement MDM (Mobile Device Management) with encryption, MFA, remote wipe.

7. Emailing PHI Unencrypted

Mistake: Sending PHI via regular email (not encrypted).

Impact: Email is unencrypted by default (plain text over internet). Transmission Security safeguard requires encryption.

Fix: Use encrypted email (S/MIME, TLS) OR secure patient portal (don't email PHI). Train employees: "Never email PHI."

8. No Training Records

Mistake: Training employees on HIPAA but not documenting completion.

Impact: Auditor/customer asks for training records → can't provide → looks like no training conducted.

Fix: Use training platform (KnowBe4, SANS) that auto-generates completion certificates. Or track manually in spreadsheet (name, date, topic, certificate).

9. Ignoring Subcontractors

Mistake: Signing BAA with Covered Entity but not signing BAAs with your own subcontractors (AWS, Google).

Impact: Business Associates must sign BAAs with subcontractors who access PHI. Not doing so is a HIPAA violation.

Fix: Sign BAAs with all subcontractors handling PHI (cloud providers, SaaS tools, email services).

10. No Offboarding Process

Mistake: Employees terminated but access not revoked (or revoked days/weeks later).

Impact: The 2025 requirement is to revoke access within 24 hours. Delayed offboarding is a security risk (disgruntled ex-employees can still access PHI).

Fix: Automated offboarding (use SSO like Okta to centrally revoke access). Offboarding checklist (IT confirms access revoked within 24 hours).
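As an added example (not code from the guide or from any vendor it names), this Python script implements the offboarding check above: it joins HR termination records against identity-provider deprovisioning records and reports every account not disabled within 24 hours, flagging never-disabled accounts separately. The log formats, user names and timestamps are constructed for the example.

```python
"""Offboarding SLA check, added as an example (not from the guide or any vendor)."""
from datetime import datetime, timedelta

# Constructed sample logs for this example. HR system emits
# "<ISO timestamp> TERMINATED <user>"; the identity provider (SSO) emits
# "<ISO timestamp> USER_DISABLED <user>". Real formats will differ.
HR_LOG = """\
2025-03-03T17:05:00 TERMINATED alice
2025-03-04T09:30:00 TERMINATED bob
2025-03-05T12:00:00 TERMINATED carol
"""
IDP_LOG = """\
2025-03-03T17:40:00 USER_DISABLED alice
2025-03-06T08:15:00 USER_DISABLED bob
"""
SLA = timedelta(hours=24)  # the 24-hour window the guide cites


def parse_events(log: str, action: str) -> dict:
    """Return {user: earliest timestamp} for log lines carrying `action`."""
    events = {}
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != action:
            continue  # skip blank, malformed or unrelated lines
        ts, user = datetime.fromisoformat(parts[0]), parts[2]
        if user not in events or ts < events[user]:
            events[user] = ts
    return events


def offboarding_violations(hr_log: str, idp_log: str, sla: timedelta = SLA) -> dict:
    """Return {user: hours until disabled (None if never disabled)} for SLA breaches."""
    terminated = parse_events(hr_log, "TERMINATED")
    disabled = parse_events(idp_log, "USER_DISABLED")
    violations = {}
    for user, term_at in terminated.items():
        off_at = disabled.get(user)
        if off_at is None:
            violations[user] = None  # still active: highest-priority finding
        elif off_at - term_at > sla:
            violations[user] = (off_at - term_at).total_seconds() / 3600
    return violations


if __name__ == "__main__":
    for user, hours in offboarding_violations(HR_LOG, IDP_LOG).items():
        status = "never disabled" if hours is None else f"disabled after {hours:.1f}h"
        print(f"{user}: {status}")
```

Run it as a scheduled job against exported HR and SSO logs; any account in the `None` bucket should be disabled immediately and the gap recorded as evidence for the offboarding checklist.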


HIPAA Compliance Tools

These tools help automate HIPAA compliance and reduce manual effort.

Compliance Platforms (All-in-One)

Platform | Cost | Best For | Key Features
Vanta | $15K-$30K/year | HIPAA + SOC 2 + multi-framework | Auto-evidence, risk assessment, policy library, BAA management
Drata | $12K-$25K/year | HIPAA + SOC 2 + continuous monitoring | Real-time monitoring, policy templates, training tracking
Secureframe | $10K-$20K/year | Budget-conscious, early-stage | Affordable, HIPAA + SOC 2 + GDPR templates
Sprinto | $10K-$18K/year | HIPAA + SOC 2 focus | Compliance automation, evidence collection
Thoropass | $12K-$25K/year | Expert-led HIPAA implementation | Consultant + platform hybrid, audit support

Security Tools (Point Solutions)

Category | Tool | Cost | Use Case
Encryption | AWS KMS, Google Cloud KMS, Azure Key Vault | $500-$2K/year | Encrypt ePHI at rest
SSO/MFA | Okta, Auth0, Google Workspace, Azure AD | $1K-$5K/year | Centralized access control, MFA
Logging | Datadog, Splunk, Papertrail, ELK Stack | $1K-$10K/year | Centralized audit logs
Vulnerability Scanning | Nessus, Qualys, AWS Inspector | $500-$3K/year | Quarterly vulnerability scans
Backup & DR | AWS Backup, Veeam, Backblaze | $1K-$5K/year | Automated backups, disaster recovery
Training | KnowBe4, SANS Security Awareness | $500-$2K/year | HIPAA security training
MDM (Mobile Device Management) | Jamf, Microsoft Intune, Workspace ONE | $500-$3K/year | Secure mobile devices, remote wipe

HIPAA-Specific Resources

Resource | Provider | Use Case
BAA templates | HHS | Sample BAA provisions
Risk assessment template | NIST | Risk assessment methodology (NIST 800-30)
HIPAA policies | Compliance vendors | Policy templates (purchase or free)
Breach notification service | ID Experts, Kroll | Breach notification and credit monitoring for affected individuals

FAQ

1. Is HIPAA compliance required for my health tech startup?

Yes, if you handle PHI on behalf of healthcare customers (providers, health plans). Most health tech SaaS companies are Business Associates and are directly subject to HIPAA (since 2013 HITECH Act).

2. How long does HIPAA compliance take?

Average: 3-6 months (most startups: 4-5 months)

Optimistic: 2-3 months (with compliance platform, strong existing security)

Conservative: 6-12 months (DIY, minimal existing security)

3. How much does HIPAA compliance cost?

First year: $10K-$50K (depending on DIY vs consultant vs platform)

Ongoing (Year 2+): $18K-$62K/year (audits, tools, training, labor)

4. Is there a HIPAA certification?

No. Unlike ISO 27001 (which has formal certification), HIPAA is self-declaration. You declare HIPAA compliance based on implementing required safeguards.

However: The 2025 proposed rule would require annual audits (moving toward "proven compliance").

Common misconception: Some vendors claim to be "HIPAA certified" (misleading—there's no official HIPAA certification).

5. Do I need a Business Associate Agreement (BAA)?

Yes, if you're a Business Associate (vendor to healthcare customers handling PHI). Healthcare customers will require you to sign a BAA before doing business.

Also yes, if you're a Covered Entity hiring vendors to handle PHI. You must sign BAAs with all vendors (AWS, Google, Stripe, email providers, etc.).

6. What happens if I have a data breach?

If breach affects:

  • 1-499 individuals: Notify affected individuals within 60 days, report to HHS by March 1 of following year
  • 500+ individuals: Notify affected individuals within 60 days, report to HHS within 60 days, notify media

If you're a Business Associate: Notify Covered Entity within 60 days. Covered Entity then notifies individuals/HHS/media.

Safe harbor: If ePHI is encrypted (AES-256+), breach notification not required.
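As an added example (not part of the guide), the Python function below encodes the notification logic from this answer and from Common Mistake 5: the encryption safe harbor, the Business Associate path through the Covered Entity, the 1-499 vs 500+ tiers, and the 60-day and March 1 deadlines. Dates and counts passed in are constructed inputs.

```python
"""Breach notification decision helper, added as an example (not from the guide)."""
from datetime import date, timedelta


def assess_breach(discovered: str, affected: int, ephi_encrypted: bool,
                  is_business_associate: bool) -> dict:
    """Return notification obligations for one incident.

    discovered: ISO date (YYYY-MM-DD) on which the breach was discovered.
    affected:   number of individuals whose PHI was involved.
    ephi_encrypted: the ePHI was encrypted per HHS guidance and the key was
                    not exposed (the guide cites AES-256+).
    Deadlines are ISO dates keyed by the party that must be notified.
    """
    found = date.fromisoformat(discovered)
    result = {"notification_required": True, "deadlines": {}, "notes": []}

    # Safe harbor: encrypted ePHI is unusable to an attacker, so the incident
    # is not a reportable breach. Still document the determination.
    if ephi_encrypted:
        result["notification_required"] = False
        result["notes"].append("Encrypted ePHI: safe harbor, document the risk assessment")
        return result

    within_60 = (found + timedelta(days=60)).isoformat()

    # A Business Associate reports to its Covered Entity; the Covered Entity
    # then notifies individuals, HHS and (for 500+) the media.
    if is_business_associate:
        result["deadlines"]["covered_entity"] = within_60
        result["notes"].append("Business Associate: Covered Entity handles downstream notices")
        return result

    result["deadlines"]["individuals"] = within_60
    if affected >= 500:
        result["deadlines"]["hhs"] = within_60
        result["deadlines"]["media"] = within_60
    else:
        # Breaches affecting fewer than 500 individuals are logged and
        # reported to HHS by March 1 of the following calendar year.
        result["deadlines"]["hhs"] = date(found.year + 1, 3, 1).isoformat()
    return result


if __name__ == "__main__":
    print(assess_breach("2025-02-10", 120, False, False))
    print(assess_breach("2025-02-10", 5000, False, True))
```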

7. Can I use cloud providers (AWS, Google Cloud, Azure) for PHI?

Yes, but you must sign a Business Associate Agreement (BAA) with the cloud provider.

Good news: AWS, Google Cloud, and Azure all offer HIPAA-compliant services and provide BAAs:

  • AWS: Sign BAA via AWS Artifact, use HIPAA-eligible services (RDS, S3, EC2, etc.)
  • Google Cloud: Sign BAA via Google Cloud console, use HIPAA-compliant products
  • Azure: Sign BAA via Microsoft Volume Licensing or Azure portal, use HIPAA-compliant services

8. Do I need HIPAA if I'm just a wellness app (not healthcare)?

Generally no, if you're a consumer wellness app with no connection to healthcare providers (Fitbit, MyFitnessPal).

However, you may need HIPAA if:

  • You integrate with EHRs or share data with healthcare providers (becomes Business Associate)
  • Doctor prescribes your app as part of treatment (may become Business Associate)
  • You're a "personal health record" (PHR) vendor offering services to healthcare providers (Business Associate)

Rule of thumb: If healthcare customers are asking you to sign BAAs, HIPAA applies.

9. What's the difference between HIPAA and GDPR?

HIPAA: US federal law protecting health information (PHI)

GDPR: EU regulation protecting personal data (broader than health data)

Key differences:

  • Scope: HIPAA = health data only; GDPR = all personal data
  • Geography: HIPAA = US; GDPR = EU (worldwide reach)
  • Enforcement: HIPAA = HHS OCR; GDPR = Data Protection Authorities (EU)
  • Penalties: HIPAA = up to $1.9M/year; GDPR = up to €20M or 4% revenue

If serving both US healthcare and EU customers: You need both HIPAA and GDPR compliance (about 50% overlap).

10. Can I self-declare HIPAA compliance without an audit?

Yes (currently), but this is changing.

Current (pre-2025): You can self-declare HIPAA compliance (no formal certification required). Implement safeguards, document compliance, sign BAAs with customers.

Proposed (2025+): HHS proposes requiring annual audits (independent verification). Self-declaration would no longer be sufficient.

Recommendation: Conduct internal or external audit before signing BAAs with customers (de-risk customer due diligence).



Need Help with HIPAA Compliance?

HIPAA compliance can be complex. Whether you're just starting or preparing for a customer audit, we can help.

Schedule a Consultation to discuss:

  • Whether HIPAA applies to your startup
  • Risk assessment and gap analysis
  • Policies and procedures development
  • Technical safeguards implementation (encryption, access controls, logging)
  • Business Associate Agreement review and negotiation
  • Compliance platform recommendations
  • Audit preparation
  • Ongoing compliance maintenance

Promise Legal helps health tech startups navigate HIPAA compliance with practical, cost-effective strategies.

