You've built an incredible health tech product. The AI works. The UX is clean. Beta users love it. You're ready to launch.
Then someone asks: "Are you HIPAA compliant?"
And suddenly you're Googling at 2 AM, reading contradictory advice, wondering if you need to hire a compliance officer before you even have revenue.
Having built HIPAA compliance architectures for dozens of health tech startups, from AI-powered speech therapy platforms to medical concierge companies, I see the same mistakes over and over. Here are the ten that could cost you your launch, your funding, or civil penalties of up to $50,000 per violation (the statutory figure, which HHS adjusts upward for inflation each year).
Download our free HIPAA Compliance Checklist — a 10-point pre-launch review used by 500+ health tech companies.
1. Assuming You're Not a "Covered Entity" So HIPAA Doesn't Apply
This is the most dangerous assumption. Most health tech startups aren't covered entities (health plans, healthcare clearinghouses, and providers that transmit health information electronically for billing and similar transactions). But the moment you create, receive, maintain, or transmit Protected Health Information (PHI) on behalf of a covered entity, you're a Business Associate, and the Privacy, Security, and Breach Notification Rules apply to you directly, not just through your customer's contract.
If a clinic uses your app to manage patient data, you're a Business Associate. If a therapist uses your platform and patient names flow through your servers, you're a Business Associate. If you integrate with an EHR system and patient records land in your database, you're a Business Associate.
The fix: Map your data flows. If PHI touches your system in any way, even only in transit, assume HIPAA applies and build accordingly. It's far cheaper to build compliant from day one than to retrofit later.
2. Thinking "We Use AWS/Google Cloud, So We're Compliant"
AWS and Google Cloud offer HIPAA-eligible services and will sign a BAA with you. But their BAA covers their side of the shared responsibility model, the infrastructure, not how you use it.
AWS's BAA, for example, restricts PHI to its HIPAA-eligible services and leaves configuration, encryption, access control, and audit logging to the customer. If you misconfigure an S3 bucket and PHI leaks, that's on you, not AWS.
The cloud provider gives you compliant tools. You still need to use them correctly and document everything.
The fix: Sign the BAA with your cloud provider, then conduct a security risk assessment of your specific configuration. Document your encryption settings, access controls, audit logging, and backup procedures. The BAA is step one, not the finish line.
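The configuration review that fix calls for can be scripted rather than eyeballed. The audit below is an added example, not AWS tooling and not code from the author: it checks one bucket's configuration for the controls an assessor asks about first (no public access, default encryption at rest, a TLS-only bucket policy, server access logging, and versioning for recovery). The two bucket configurations are constructed inline in the shapes the S3 APIs return, so it runs offline; the bucket names and KMS key ARN are placeholders.

```python
"""Audit an S3 bucket configuration for the controls a HIPAA risk
assessment expects: no public access, default encryption at rest,
TLS-only access, access logging, and versioning for recovery.

The config dicts mirror the shapes returned by the S3 APIs
(GetPublicAccessBlock, GetBucketEncryption, GetBucketPolicy,
GetBucketLogging, GetBucketVersioning) but are constructed here so the
audit runs offline. Nothing in this file calls AWS.
"""
import json

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed sample: a bucket as it often looks straight out of the console.
WEAK_BUCKET = {
    "Name": "example-phi-uploads",
    "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                          "BlockPublicPolicy": True, "RestrictPublicBuckets": False},
    "Encryption": None,                     # no default encryption configured
    "Policy": None,                         # no bucket policy at all
    "Logging": {},                          # server access logging off
    "Versioning": {"Status": "Suspended"},
}

# Constructed sample: the same bucket after hardening (placeholder ARN).
HARDENED_BUCKET = {
    "Name": "example-phi-uploads",
    "PublicAccessBlock": {flag: True for flag in PAB_FLAGS},
    "Encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/example"}}]},
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-phi-uploads",
                     "arn:aws:s3:::example-phi-uploads/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}),
    "Logging": {"LoggingEnabled": {"TargetBucket": "example-access-logs",
                                   "TargetPrefix": "phi-uploads/"}},
    "Versioning": {"Status": "Enabled"},
}


def _denies_plaintext_transport(policy_json):
    """True if the bucket policy has a Deny on aws:SecureTransport=false,
    the standard way to force TLS for every request to the bucket."""
    if not policy_json:
        return False
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        cond = stmt.get("Condition", {}).get("Bool", {})
        if (stmt.get("Effect") == "Deny"
                and str(cond.get("aws:SecureTransport", "")).lower() == "false"):
            return True
    return False


def audit_bucket(cfg):
    """Return a list of (severity, finding) tuples; an empty list means the
    bucket passes every check in this audit."""
    findings = []

    pab = cfg.get("PublicAccessBlock") or {}
    missing = [flag for flag in PAB_FLAGS if not pab.get(flag)]
    if missing:
        findings.append(("HIGH", "public access block incomplete: "
                         + ", ".join(missing) + " not set"))

    rules = (cfg.get("Encryption") or {}).get("Rules") or []
    algo = (rules[0].get("ApplyServerSideEncryptionByDefault", {})
            .get("SSEAlgorithm") if rules else None)
    if algo is None:
        findings.append(("HIGH", "no default server-side encryption"))
    elif algo != "aws:kms":
        findings.append(("MEDIUM", f"default encryption is {algo}; use SSE-KMS "
                         "with a customer-managed key so key use is logged"))

    if not _denies_plaintext_transport(cfg.get("Policy")):
        findings.append(("HIGH", "bucket policy does not deny non-TLS "
                         "(aws:SecureTransport=false) requests"))

    logging_cfg = (cfg.get("Logging") or {}).get("LoggingEnabled", {})
    if not logging_cfg.get("TargetBucket"):
        findings.append(("MEDIUM", "server access logging disabled"))

    if (cfg.get("Versioning") or {}).get("Status") != "Enabled":
        findings.append(("LOW", "versioning not enabled; deleted objects "
                         "cannot be recovered"))
    return findings


if __name__ == "__main__":
    for bucket in (WEAK_BUCKET, HARDENED_BUCKET):
        print(bucket["Name"], "->", audit_bucket(bucket) or "PASS")
```

In real use, populate the same five keys from the responses of the corresponding S3 API calls for each bucket in the account and keep the output with your risk assessment; a run that finds nothing is the documentation that the BAA's customer-side obligations were actually met on the date of the run.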
3. Not Understanding What Constitutes PHI
PHI is broader than most founders think. It's not just medical records. A patient's name + an appointment date + the name of a healthcare provider is PHI, even without any clinical data.
The 18 identifiers listed in HIPAA's Safe Harbor de-identification standard (45 CFR § 164.514(b)(2)) include names, dates other than year, phone numbers, email addresses, Social Security numbers, device identifiers, IP addresses, and more. Any of them, when connected to health information, makes the data PHI.
If your app collects a user's name and the fact that they're seeing a therapist, that's PHI. If your fitness app connects to a clinic's system and receives appointment data, that's PHI.
The fix: Audit every data field your product collects. Cross-reference against the 18 HIPAA identifiers. If any identifier is linked to health data, treat it as PHI with full HIPAA safeguards.
4. Using Third-Party Tools Without BAAs
Your analytics platform. Your email service. Your customer support tool. Your AI API provider. If any of these touch PHI, you need a Business Associate Agreement with each one.
This is where most startups have the biggest gap. You might have a BAA with your cloud provider but are sending patient data through Intercom, Mixpanel, or a third-party AI API without any agreement in place.
OpenAI, for example, offers a BAA for its API, but you have to request it specifically, and it covers the API, not the consumer ChatGPT product. Most startups using GPT for health features don't know this.
The fix: Create a vendor inventory. List every tool that touches or could touch PHI. For each one, confirm they offer a BAA and sign it. If they don't offer a BAA, replace them with a vendor that does.
Read our deep dive: Why Your BAA Template Is Probably Not Enough
5. Skipping the Security Risk Assessment
The Security Risk Assessment (SRA), which the Security Rule calls a risk analysis (45 CFR § 164.308(a)(1)(ii)(A)), isn't optional. Failure to perform one is among the findings OCR cites most often in its enforcement actions. Yet most startups skip it entirely or treat it as a checkbox exercise.
An SRA identifies where PHI lives in your system, what threats exist, what vulnerabilities you have, how likely and how severe each resulting risk is, and what you're doing about it. Without it, you have no defensible compliance posture.
The fix: Conduct a formal SRA before launch. Document every finding. Create a remediation plan with timelines. This is the document OCR (Office for Civil Rights) will ask for first in any investigation.
6. No Breach Response Plan
HIPAA's Breach Notification Rule runs on a 60-day clock: affected individuals must be notified without unreasonable delay and no later than 60 calendar days after the breach is discovered. Breaches affecting 500 or more individuals must also be reported to HHS on the same timeline, and to prominent media outlets when the affected people are in one state or jurisdiction; smaller breaches are logged and reported to HHS annually. As a Business Associate you have a deadline of your own: you must notify the covered entity without unreasonable delay and within 60 days of discovery, and your BAA usually shortens that window considerably.
Most startups have no idea what they'd do if a breach occurred tomorrow. Who makes the call? How do you assess what was exposed? Who notifies patients? What's the legal exposure?
The fix: Create a Security Incident Response Plan before you need it. Define roles, escalation procedures, assessment criteria, notification templates, and timelines. Run a tabletop exercise with your team at least once.
7. Treating HIPAA as a One-Time Project
Compliance isn't a deliverable; it's an ongoing program. Your product changes. Your vendors change. Regulations update. New threats emerge.
The startups that get into trouble are the ones that did a compliance project 18 months ago and never revisited it. Their BAAs are outdated. Their risk assessment doesn't reflect their current architecture. Their team hasn't been trained since onboarding.
The fix: Schedule quarterly compliance reviews. Update your SRA annually and whenever your architecture changes materially. Retrain your team every 12 months. Review BAAs whenever vendor relationships change. Build compliance into your product development lifecycle, not alongside it.
8. No Minimum Necessary Standard
Most startups give every employee full access to all PHI in the system. The developer, the marketing intern, the customer support rep — everyone can see everything. This violates one of HIPAA's core principles.
Under 45 CFR § 164.502(b), the Minimum Necessary Standard requires that access to PHI be limited to the minimum amount necessary for each person to perform their job function. A support agent doesn't need access to clinical notes. A developer doesn't need to see real patient names in a staging environment.
The fix: Implement role-based access controls (RBAC) from day one. Define what PHI each role needs access to and deny everything else by default. Use de-identified or synthetic data for development and testing. Review access logs regularly to catch over-permissioned accounts and grants nobody uses.
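What that looks like in code, as an added example that is not part of the original post and not a real product's schema: each role reads patient records through a field allow-list, the developer role only ever sees a Safe Harbor-style de-identified view (which also illustrates the identifier handling from point 3), every read is written to an audit log, and the log is mined for grants a role never uses. The record, roles, field names and pseudonym key are all constructed for illustration.

```python
"""Minimum-necessary access as code: every role reads a patient record
through an allow-list, non-production roles only see a de-identified
view, and every read lands in an audit log that can be mined for grants
nobody uses. Added example; roles, fields, record and key are constructed."""
import hashlib
import hmac

# Constructed patient record covering several identifier classes
# (name, contact details, dates, ZIP) alongside clinical and billing data.
RECORD = {
    "patient_id": "p-1001",
    "name": "Jane Example",
    "email": "jane@example.invalid",
    "phone": "555-0101",
    "dob": "1984-03-15",
    "zip": "02139",
    "appointment_date": "2025-11-03",
    "provider": "Dr. Sample",
    "clinical_notes": "Follow-up visit; continue current plan.",
    "billing_status": "paid",
}

# Allow-lists: a role reads only the fields listed here, and a role that
# is not listed reads nothing. Keep these under change review in practice.
ROLE_FIELDS = {
    "clinician": {"patient_id", "name", "dob", "appointment_date",
                  "provider", "clinical_notes"},
    "scheduler": {"patient_id", "name", "email", "phone",
                  "appointment_date", "provider"},
    "support": {"patient_id", "name", "email", "appointment_date",
                "billing_status"},
    "developer": {"patient_id", "dob", "zip", "appointment_date",
                  "provider", "clinical_notes"},
}
DEIDENTIFIED_ROLES = {"developer"}     # never see identified data

DIRECT_IDENTIFIERS = {"name", "email", "phone"}
DATE_FIELDS = {"dob", "appointment_date"}
# Constructed key; a real one lives in a KMS/secret store outside dev.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-real-use"


def deidentify(record):
    """Reduce a record along Safe Harbor lines: drop direct identifiers,
    keep only the year of dates, truncate ZIP to three digits, and replace
    the patient id with a keyed pseudonym so rows still join in staging.
    Free-text fields pass through and need their own scrubbing."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "patient_id":
            digest = hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256)
            out[field] = "anon-" + digest.hexdigest()[:16]
        elif field in DATE_FIELDS:
            out[field] = value[:4]
        elif field == "zip":
            # Safe Harbor also requires "000" for low-population ZIP3
            # areas; a real implementation checks the census list.
            out[field] = value[:3] + "00"
        else:
            out[field] = value
    return out


def view(record, role, actor, log):
    """Return the slice of `record` that `role` may read and append an
    audit entry to `log`. Unknown roles are denied, and logged."""
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        log.append({"actor": actor, "role": role, "patient": record["patient_id"],
                    "result": "denied", "fields": []})
        raise PermissionError(f"role {role!r} has no PHI access")
    source = deidentify(record) if role in DEIDENTIFIED_ROLES else record
    result = {k: v for k, v in source.items() if k in allowed}
    log.append({"actor": actor, "role": role, "patient": record["patient_id"],
                "result": "allowed", "fields": sorted(result)})
    return result


def unused_grants(role, log):
    """Fields `role` may read but never read in `log`: the over-permissioning
    a periodic access review should remove."""
    used = set()
    for entry in log:
        if entry["role"] == role and entry["result"] == "allowed":
            used.update(entry["fields"])
    return ROLE_FIELDS.get(role, set()) - used


if __name__ == "__main__":
    audit = []
    print("support:", view(RECORD, "support", "alice", audit))
    print("developer:", view(RECORD, "developer", "bob", audit))
    try:
        view(RECORD, "marketing-intern", "carol", audit)
    except PermissionError as exc:
        print("denied:", exc)
    print("unused grants for support:", unused_grants("support", audit))
```

The important design choice is that the allow-list is the only path to the record: there is no "admin sees everything" shortcut, and the developer role cannot request the identified record at all, so a misconfigured staging environment leaks pseudonyms and years rather than names and birthdates.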
9. Ignoring State Privacy Laws
HIPAA is a federal floor, not a ceiling: it preempts contrary state law only where the state law is less protective. Many founders assume that if they're HIPAA compliant, they're covered everywhere. That's wrong. States like California (CMIA, the Confidentiality of Medical Information Act), New York (SHIELD Act), and Texas (Medical Records Privacy Act) have privacy requirements that are stricter than HIPAA in key areas.
For example, California's CMIA requires patient authorization for some disclosures that HIPAA permits without it. Texas layers its own breach notification deadlines on top of HIPAA's, including a separate notice to the state attorney general. If you operate in multiple states, or serve patients across state lines, you need to comply with the strictest applicable standard.
See also: GDPR vs DPDP: What Indian Health Tech Companies Need to Know
The fix: Map every state where your users or patients are located. Research the health privacy laws in each jurisdiction. Build your compliance framework to meet the strictest standard across all applicable states — that way you're covered everywhere.
10. No Written Policies and Procedures
"We do that in practice" is not a compliance defense. HIPAA explicitly requires written policies and procedures (45 CFR § 164.316 for the Security Rule, § 164.530(i) for the Privacy Rule). If it's not documented, it doesn't exist in an OCR investigation.
This includes policies on access controls, data encryption, breach response, workforce training, device management, facility security, and more. Many startups have informal practices but nothing written down. When OCR comes knocking, "we always did it that way" won't protect you.
The fix: Create a written policy manual covering every HIPAA requirement applicable to your organization. Include procedures for implementation, responsible parties, and review dates. Store policies in a centralized, version-controlled location. Review and update them at least annually — and document every review.
The Bottom Line
HIPAA compliance doesn't have to delay your launch or drain your budget. But it does require intentional architecture from day one. The cost of getting it wrong (civil penalties of up to $50,000 per violation before inflation adjustment, breach costs averaging $7.42 million per incident in the healthcare sector, and the reputational damage that can sink an early-stage company) far outweighs the cost of getting it right.
The founders who succeed are the ones who treat compliance as a competitive advantage, not a burden. When you can tell a hospital system "we're fully HIPAA compliant with documented policies and signed BAAs," that's a sales accelerator, not a cost center.
Frequently Asked Questions
Does HIPAA apply to my health tech startup?
If your product creates, receives, maintains, or transmits Protected Health Information on behalf of a covered entity (hospital, clinic, health plan), you're a Business Associate and HIPAA applies fully, regardless of your company size.
What's the penalty for HIPAA non-compliance?
Civil penalties are tiered by culpability and range from $100 to $50,000 per violation, with an annual cap of $1.5 million per provision violated; those are the statutory figures, and HHS adjusts them upward for inflation each year. Criminal penalties for knowingly obtaining or disclosing PHI run up to 1 year in prison, up to 5 years if done under false pretenses, and up to 10 years if done with intent to sell the data or for commercial advantage, personal gain, or malicious harm.
Do I need a BAA with OpenAI or other AI providers?
Yes, if you're sending PHI through their API. OpenAI offers a BAA for its API services, and you must request it specifically; consumer products like ChatGPT are not covered. Several major AI providers now offer HIPAA-eligible tiers with BAAs available, so check before you route any PHI to a model.
How long does it take to become HIPAA compliant?
For a typical health tech startup, building a compliant framework takes 2-6 weeks with experienced counsel. The key is starting before launch, not after.
Is HIPAA compliance a one-time thing?
No. HIPAA requires ongoing compliance: periodic risk assessments (annually is the common practice, plus whenever your environment changes), regular workforce training, BAA reviews when vendors change, and periodic policy reviews. The rules mostly say "periodic" rather than fixing an interval, so write your chosen cadence into your policies and stick to it.
Not sure where your HIPAA gaps are?
Book a free 15-minute discovery call. I'll review your product, your data flows, and your vendor stack — and tell you exactly what you need before launch.
Ankita (Ann) Srivastava is the founder of Gavel Speaks Inc., a cross-border healthcare compliance practice serving health tech companies across the US, EU, India, and UAE. She holds an LL.M. from Harvard Law School and has built HIPAA compliance frameworks for 500+ global clients.