Digital Health & Telemedicine Strategy

LESSON 03


Building Trust: Data Security, Privacy & HIPAA for Health Startups

HIPAA compliance is not a checkbox — it is an operational discipline that determines whether a health startup can sell to any serious buyer.


Health data is among the most sensitive and most regulated categories of personal information in the U.S. legal system. The Health Insurance Portability and Accountability Act — HIPAA — established a federal floor for the protection of individually identifiable health information in 1996, and a subsequent series of rules, amendments, and enforcement actions have built a compliance framework that governs not only how health information is stored and transmitted, but who can access it, for what purposes, and under what contractual obligations. Founders who treat HIPAA as a box to check before enterprise sales calls, rather than as a design constraint that should shape product architecture from day one, routinely discover the cost of that decision when a breach occurs or a large health system walks away from a procurement.

HIPAA applies to two categories of entities. Covered entities are the organizations at the center of healthcare delivery: health plans, healthcare clearinghouses, and most healthcare providers. Business associates are entities that receive, create, or transmit protected health information — abbreviated PHI — on behalf of a covered entity. A digital health company that stores patient records for a hospital is a business associate. A telemedicine company that processes clinical data on behalf of an employer health plan is a business associate. The practical implication is that most digital health companies are business associates, which means they must sign a Business Associate Agreement before receiving PHI, and they are independently liable for HIPAA compliance within their own systems.

Protected health information is any individually identifiable health information held or transmitted by a covered entity or business associate. The eighteen HIPAA identifiers — including name, address, dates, phone numbers, and social security numbers when combined with health data — define what counts as PHI. De-identification, the process of removing or generalizing these identifiers so that data can no longer reasonably be linked to an individual, is the mechanism by which data escapes PHI status and can be used more freely for analytics, research, or product development. The HIPAA Safe Harbor method requires removing all eighteen identifiers explicitly; the Expert Determination method allows statistical certification by a qualified expert. Both are legitimate, but neither is straightforward to implement without deliberate engineering investment.

The HIPAA Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards for electronic PHI — abbreviated ePHI. Administrative safeguards include workforce training, risk analysis, and contingency planning. Physical safeguards include workstation and device controls. Technical safeguards include encryption, audit controls, and automatic logoff. The Security Rule is explicitly technology-neutral — it specifies what must be protected and how broadly, not which specific tools to use. This means the standard evolves with reasonable industry practice, and organizations that implemented a compliant posture in 2018 may find it insufficient against current enforcement standards.

Breach notification requirements under the HIPAA Breach Notification Rule impose time-bound obligations when PHI is impermissibly accessed, used, disclosed, or acquired. A breach affecting fewer than 500 individuals in a state must be reported to the Secretary of HHS within 60 days of the end of the calendar year. A breach affecting 500 or more individuals must be reported to HHS and to prominent media outlets in the affected state within 60 days of discovery. Affected individuals must be notified within 60 days regardless of scale. The clock starts at discovery, not at the breach event itself — which means a company that fails to detect a breach promptly can be exposed to enforcement both for the breach and for the detection failure.
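The tiering above is easy to state and easy to get wrong in an incident-response runbook, so here is an added worked example (not part of the lesson) that turns the 60-day window and the 500-individual threshold into computed deadlines. The field names, the constructed scenario dates, and the `overdue_notices` helper are this example's own assumptions; the rule text in the comments is taken only from the paragraph above.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Parameters as stated in the lesson: a 60-day outer window, and a
# 500-individual threshold that changes who must be told and when.
NOTIFY_WINDOW = timedelta(days=60)
LARGE_BREACH_THRESHOLD = 500


@dataclass(frozen=True)
class NotificationPlan:
    discovered_on: date
    affected: int
    individuals_by: date            # affected individuals, any size of breach
    hhs_by: date                    # Secretary of HHS
    media_by: Optional[date]        # prominent media; None when not required
    days_undetected: Optional[int]  # gap between the event and its discovery, if known


def notification_deadlines(discovered_on: date, affected: int,
                           occurred_on: Optional[date] = None) -> NotificationPlan:
    """Compute the outer deadlines for a breach discovered on `discovered_on`.

    Every clock runs from discovery, not from the breach event, so a breach
    that sat undetected for months has consumed none of the window but has
    created a separate detection-failure exposure; `days_undetected` makes
    that gap visible next to the deadlines.
    """
    if affected < 1:
        raise ValueError("a breach must affect at least one individual")
    if occurred_on is not None and occurred_on > discovered_on:
        raise ValueError("a breach cannot be discovered before it occurred")

    individuals_by = discovered_on + NOTIFY_WINDOW
    if affected >= LARGE_BREACH_THRESHOLD:
        # 500 or more: HHS and media within 60 days of discovery.
        hhs_by = discovered_on + NOTIFY_WINDOW
        media_by: Optional[date] = discovered_on + NOTIFY_WINDOW
    else:
        # Fewer than 500: HHS within 60 days of the end of the calendar year
        # of discovery; no media notice required.
        hhs_by = date(discovered_on.year, 12, 31) + NOTIFY_WINDOW
        media_by = None

    days_undetected = None if occurred_on is None else (discovered_on - occurred_on).days
    return NotificationPlan(discovered_on, affected, individuals_by,
                            hhs_by, media_by, days_undetected)


def overdue_notices(plan: NotificationPlan, today: date) -> List[str]:
    """Names of notification obligations whose outer deadline has already passed."""
    deadlines = {"individuals": plan.individuals_by, "hhs": plan.hhs_by, "media": plan.media_by}
    return [name for name, due in deadlines.items() if due is not None and today > due]


if __name__ == "__main__":
    # Constructed scenario matching the checklist question later in the lesson: 600 patients.
    plan = notification_deadlines(date(2024, 3, 1), 600, occurred_on=date(2023, 11, 20))
    print(plan)
    print("overdue on 2024-05-15:", overdue_notices(plan, date(2024, 5, 15)))
```

Running `overdue_notices` from a scheduled job against open incidents is one cheap way to turn the "who owns the 60-day response" question into a monitored control rather than a memory exercise.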

The FTC's Health Breach Notification Rule — separate from HIPAA — extends breach notification obligations to health apps and vendors that are not HIPAA-covered entities or business associates. A fitness app, a mental health journaling product, or a direct-to-consumer telehealth service that collects health data but does not process it on behalf of a covered entity may fall entirely outside HIPAA and still be subject to FTC jurisdiction and breach notification requirements under its own rule. The 2023 FTC enforcement action against GoodRx confirmed that the agency interprets its health breach notification authority broadly, including unauthorized disclosure of health data for advertising purposes, even without a traditional data breach.

Trust in digital health is not a brand attribute — it is an operational posture that enterprise buyers audit before signing. Health systems and insurers conduct security reviews — often called vendor security assessments or third-party risk assessments — that probe infrastructure configuration, access controls, incident response procedures, and certification status. SOC 2 Type II certification, which documents that a company's security controls have operated effectively over a period of time rather than merely existing at a single point in time, has become the baseline credential required to enter procurement processes with most large health system buyers. Companies that wait to pursue SOC 2 until they have a large contract in the pipeline are often six to twelve months behind where they need to be.

The most expensive HIPAA compliance failure is the one you discover during a health system's security review, not your own.


TERMS

Term of focus

Protected Health Information (PHI)

PHI is individually identifiable health information held or transmitted by a covered entity or business associate in any form, including electronic, paper, or oral. The HIPAA Privacy Rule's eighteen categories of identifiers define what makes health information individually identifiable. Any health data that a digital health company stores, processes, or transmits that can be linked to a specific individual is likely PHI, triggering the full range of HIPAA obligations.

Business Associate Agreement (BAA)

A BAA is a contract that a covered entity must execute with any third party — its business associate — that creates, receives, maintains, or transmits PHI on its behalf. The BAA specifies the permitted uses of PHI, requires the business associate to implement appropriate safeguards, and obligates breach notification. A digital health company that receives PHI from a health system without a signed BAA is in violation of HIPAA regardless of how strong its technical controls are.

De-identification

De-identification is the process of removing or transforming identifiers from health data so that it can no longer reasonably be used to identify an individual, removing it from PHI status and the obligations that attach to PHI. HIPAA recognizes two methods: Safe Harbor, which requires explicit removal of all eighteen specified identifiers, and Expert Determination, which requires a statistical analysis by a qualified person. De-identified data is commercially valuable for analytics and research, but achieving genuine de-identification — not just removing obvious fields — requires deliberate engineering and sometimes expert review.
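Both the earlier discussion of Safe Harbor and the definition above make the same point: dropping the obvious columns is not de-identification. The following added example (not from the lesson) shows what a Safe Harbor pass actually has to do on a single record: remove the direct-identifier fields, reduce dates to years, truncate ZIP codes to three digits with the small-population rule, aggregate ages over 89, and scrub identifiers that hide inside free-text notes. The field names, the sample record, the placeholder set of small-population ZIP prefixes, and the regex list are all this example's assumptions; a production implementation would need the full identifier inventory for the real schema and, for the ZIP rule, the actual census-derived list.

```python
import re
from datetime import date
from typing import Any, Dict

# Field names are constructed for this example; a real schema will differ.
# These map to Safe Harbor identifier categories that must be removed outright
# (names, street-level geography, contact details, SSN, medical record and
# account numbers, licence, vehicle, device, URL, IP, biometrics, photos).
DROP_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "photo_ref",
}
# Dates directly related to the individual: keep only the year.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# ZIP prefixes whose area holds 20,000 or fewer people must become "000".
# Constructed placeholder set; the real list is derived from census data.
SMALL_POPULATION_ZIP3 = {"036", "059", "063"}

# Identifiers that leak through free-text fields, which is exactly where
# "just removing the obvious fields" fails. Order matters: SSN before phone.
FREE_TEXT_PATTERNS = [
    (re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"), "[SSN]"),
    (re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "[IP]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
]


def scrub_text(text: str) -> str:
    """Replace identifier-shaped substrings in free text with category tokens."""
    for pattern, token in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def safe_harbor(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of `record` with the Safe Harbor identifiers removed or generalized."""
    over_89 = record.get("age") is not None and record["age"] > 89
    out: Dict[str, Any] = {}
    for key, value in record.items():
        if key in DROP_FIELDS or value is None:
            continue
        if key in DATE_FIELDS:
            if key == "birth_date" and over_89:
                continue  # even a bare birth year would reveal an age over 89
            out[key.replace("_date", "_year")] = value.year
        elif key == "zip":
            zip3 = str(value)[:3]
            out["zip3"] = "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3
        elif key == "age":
            out["age"] = "90+" if over_89 else value
        elif isinstance(value, str):
            out[key] = scrub_text(value)  # clinical notes are the usual leak
        else:
            out[key] = value
    return out


# Constructed sample record; every value here is made up.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-0001234",
    "ip_address": "10.0.0.7",
    "birth_date": date(1931, 6, 2),
    "age": 92,
    "zip": "03601",
    "admission_date": date(2024, 2, 14),
    "diagnosis_code": "E11.9",
    "clinical_note": "Patient called from 555-123-4567, email jane@example.com, "
                     "seen 02/14/2024; SSN 123-45-6789 on file.",
}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE_RECORD))
```

The regex scrubber is deliberately the weakest part of this pipeline: it catches identifier shapes, not names or addresses written in prose, which is the gap that pushes real programmes toward Expert Determination or a dedicated clinical-text de-identification step rather than a field-level filter alone.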

SOC 2 Type II

SOC 2 Type II is an auditing standard developed by the American Institute of Certified Public Accountants that evaluates whether a service organization's security controls have operated effectively over an observation period — typically six to twelve months. Type II is more rigorous than Type I, which evaluates controls only at a single point in time. Health system buyers and enterprise payers have broadly standardized on SOC 2 Type II as a minimum security credentialing requirement for digital health vendors.

HIPAA Security Rule

The HIPAA Security Rule establishes national standards for protecting electronic protected health information, requiring covered entities and business associates to implement administrative, physical, and technical safeguards. It is technology-neutral, specifying categories of protection rather than specific tools, which means compliance requires ongoing reassessment as technology and threat landscapes evolve. Failure to conduct and document a periodic risk analysis is among the most commonly cited deficiencies in HHS Office for Civil Rights enforcement actions.

Minimum Necessary Standard

The minimum necessary standard is a HIPAA Privacy Rule principle requiring that covered entities and business associates use, disclose, or request only the minimum amount of PHI necessary to accomplish the intended purpose. It applies to routine disclosures, access controls, and system design — a workforce member should not have access to patient records beyond what their role requires. Designing systems that routinely expose more PHI than necessary to complete a function is a compliance failure independent of whether a breach occurs.
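Minimum necessary is least privilege applied to data fields, and it is enforced most reliably at the data-access layer rather than in the UI. The added example below (not from the lesson) shows one way to do that: a role-to-field policy, a view function that returns only the permitted fields and records every access, including what was withheld, in an audit log, and a helper that flags fields a role is allowed to see but a given workflow never reads. The roles, field names, sample patient and the `AccessLog` structure are this example's assumptions.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List, Set

# Role-to-field policy. Roles and field names are constructed for this example.
# Each role sees only the PHI its function requires; everything else is
# withheld here, before the data reaches any screen or export.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "billing":   {"patient_id", "account_number", "insurance_id", "charges"},
    "clinician": {"patient_id", "name", "birth_date", "diagnosis", "medications", "clinical_note"},
    "scheduler": {"patient_id", "name", "phone", "next_appointment"},
}


@dataclass
class AccessLog:
    """In-memory stand-in for the audit-control record the Security Rule expects."""
    entries: List[Dict[str, Any]] = field(default_factory=list)


def minimum_necessary_view(record: Dict[str, Any], role: str,
                           actor: str, log: AccessLog) -> Dict[str, Any]:
    """Return the subset of `record` that `role` may see, logging the access.

    Unknown roles are denied outright and the denial is logged too: an
    unrecognised role reaching the data layer is itself a signal worth keeping.
    """
    allowed = ROLE_FIELDS.get(role)
    patient_id = record.get("patient_id")
    if allowed is None:
        log.entries.append({"actor": actor, "role": role,
                            "patient_id": patient_id, "outcome": "denied"})
        raise PermissionError(f"no PHI view is defined for role {role!r}")
    view = {k: v for k, v in record.items() if k in allowed}
    log.entries.append({
        "actor": actor, "role": role, "patient_id": patient_id, "outcome": "allowed",
        "fields": sorted(view), "withheld": sorted(set(record) - allowed),
    })
    return view


def overexposed_fields(role: str, fields_used: Set[str]) -> Set[str]:
    """Fields the policy grants to `role` that a given workflow never reads.

    Comparing the policy with observed use is how the policy gets tightened
    over time instead of only growing.
    """
    return ROLE_FIELDS.get(role, set()) - fields_used


# Constructed sample patient; every value here is made up.
SAMPLE_PATIENT = {
    "patient_id": "P-0001",
    "name": "Jane Example",
    "birth_date": "1979-01-01",
    "phone": "555-123-4567",
    "account_number": "ACCT-44",
    "insurance_id": "INS-9",
    "charges": 120.0,
    "diagnosis": "E11.9",
    "medications": ["metformin"],
    "clinical_note": "Routine follow-up.",
    "next_appointment": "2024-06-01",
}

if __name__ == "__main__":
    log = AccessLog()
    print(minimum_necessary_view(SAMPLE_PATIENT, "billing", "u-billing-01", log))
    print(log.entries[-1]["withheld"])
```

The `withheld` list in each log entry is the useful part for a security review: it lets an auditor confirm that a billing session never received a diagnosis field, rather than taking the application's word for it.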

FTC Health Breach Notification Rule

The FTC Health Breach Notification Rule requires vendors of personal health records and related service providers — entities that are not HIPAA-covered entities — to notify consumers, the FTC, and in some cases media when unsecured personally identifiable health information is breached or impermissibly disclosed. The FTC has interpreted the rule expansively, including unauthorized sharing of health data with advertising platforms as a covered violation. Digital health companies that fall outside HIPAA jurisdiction are not outside health data breach liability.

BEFORE YOUR NEXT MEETING

Have we executed a Business Associate Agreement with every vendor that touches PHI in our infrastructure — including analytics platforms, customer support tools, and cloud storage providers?

What is our current PHI data map — where does PHI enter our systems, where is it stored, who has access to it, and where does it exit?

If we discovered a breach affecting 600 patients today, who in the organization owns the 60-day notification response, and have we tested that process?

Are we pursuing SOC 2 Type II, and if not, what is our current answer when a health system security review asks for it?

Does our product collect or transmit health data in any context where HIPAA does not apply, and have we assessed our FTC Health Breach Notification Rule exposure in those contexts?
