{"id":22929,"date":"2026-05-21T09:34:15","date_gmt":"2026-05-21T09:34:15","guid":{"rendered":"https:\/\/engineerbabu.com\/blog\/?p=22929"},"modified":"2026-05-21T09:39:20","modified_gmt":"2026-05-21T09:39:20","slug":"build-hipaa-compliant-products-from-india","status":"publish","type":"post","link":"https:\/\/engineerbabu.com\/blog\/build-hipaa-compliant-products-from-india\/","title":{"rendered":"The 2026 US Founder&#8217;s Guide to Building a Regulated Healthcare Product From India"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">In April 2021, I got a message at 11:30 PM IST from a Boston-based digital health founder, Series A, $9M raised, building a chronic care platform for Medicaid populations. She had been working with a self-described &#8220;HIPAA-compliant development agency&#8221; for seven months.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Her board meeting was six weeks out. Her CTO had just quit. And her compliance attorney had sent a three-page memo explaining that the AWS S3 buckets storing patient encounter notes were sitting outside any Business Associate Agreement.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">She wasn&#8217;t naive. She had asked her previous agency in writing whether the product was HIPAA-compliant. They said yes.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">What nobody told her: <a href=\"https:\/\/www.hhs.gov\/hipaa\/index.html\" target=\"_blank\" rel=\"noopener\">HIPAA<\/a> compliance is not a certification. There is no badge from HHS. No government approval letter you frame on the wall. HIPAA compliance is a continuous operating posture, it lives in your architecture, your vendor contracts (45 CFR \u00a7164.308 requires written agreements with every Business Associate), your audit logs, your incident response runbook, and your team&#8217;s daily behavior.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Her vendor built a working product. 
They never built a compliant one.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Her board meeting was pushed eight weeks. The S3 migration, audit log backfill, and BAA renegotiation with AWS cost her $67,000 and eleven weeks.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">I&#8217;ve been on 2,000+ calls with US founders since 2014. That story is not unusual. It&#8217;s not even particularly bad. I&#8217;ve seen a mental health platform serving 14 states discover, on the week of their payer contract signature, that their therapist session notes were stored in a database with no encryption at rest, violating \u00a7164.312(a)(2)(iv). Three-month delay. Lost the payer contract. Never recovered it.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This guide exists because I&#8217;m tired of watching US healthcare founders pay that tax twice.<\/span><\/p>\n<h2><b>Eight Questions US Healthcare Founders Ask Us First<\/b><\/h2>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Can an Indian agency actually build a HIPAA-compliant product?<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Yes, if they treat HIPAA compliance as architecture, not a feature toggle. <\/span><a href=\"http:\/\/engineerbabu.com\"><span style=\"font-weight: 400;\">EngineerBabu<\/span><\/a><span style=\"font-weight: 400;\"> has shipped 140+ HIPAA-aware products for US healthcare founders since 2020. 
That means: ePHI data classification before any schema design, BAA coverage for every sub-processor in the stack, AES-256 encryption at rest, TLS 1.2+ in transit, append-only, tamper-evident audit logs (the audit controls standard, 45 CFR \u00a7164.312(b)) retained 6+ years to match the Security Rule&#8217;s documentation retention period (\u00a7164.316(b)(2)), and a BAA signed with you in Week 2 of discovery, before any real patient data is touched.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>What does a HIPAA-compliant healthcare build actually cost in 2026?<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">A HIPAA-ready <\/span><a href=\"https:\/\/engineerbabu.com\/services\/mvp-development\"><span style=\"font-weight: 400;\">Lean MVP<\/span><\/a><span style=\"font-weight: 400;\">, designed to minimize ePHI scope and get you to first patient interaction fast, runs $75K\u2013$135K over 12\u201316 weeks. A full HIPAA + SOC 2-track healthcare MVP runs $140K\u2013$260K over 16\u201324 weeks. These numbers come from our 2026 EB Healthcare Build Report (n=140 US healthcare products shipped since 2020). Not included in either number: your SOC 2 Type II audit ($45K\u2013$95K plus tooling at $12K\u2013$36K\/year with Vanta, Drata, or Secureframe), penetration testing ($8K\u2013$22K), or your legal counsel fees.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Can you sign a BAA?<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Yes. We sign BAAs governed by Delaware law. We maintain active <\/span><a href=\"https:\/\/engineerbabu.com\/blog\/what-is-hipaa-baa-healthcare-apps-usa\/\"><span style=\"font-weight: 400;\">HIPAA BAAs<\/span><\/a><span style=\"font-weight: 400;\"> with AWS for HIPAA-eligible services and with GCP under the covered service list. Every sub-processor that touches ePHI in your product (Twilio, SendGrid, your LLM provider) carries a BAA. 
We give you the full sub-processor registry on Day 1 of handover.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>What&#8217;s the time zone reality?<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">IST is 12.5 to 13.5 hours ahead of US Pacific time and 9.5 to 10.5 hours ahead of US Eastern time, depending on daylight saving. Our standard US-overlap window is 7:30\u201310:30 AM PST daily. For Series A+ founders who need more real-time coverage, we staff a US-based client lead in your timezone. That adds $4K\u2013$7K\/month. We say that upfront, not in month three.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Do your engineers understand FHIR and HL7?<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Yes, with a caveat. Understanding the FHIR R4 spec and building a production-grade FHIR integration for Epic&#8217;s SMART on FHIR sandbox are two different things. We have engineers with live Epic, Cerner, and Athenahealth integrations in production. We tell you which ones on the discovery call, not after you&#8217;ve signed.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>What happens if there&#8217;s a breach?<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Every engagement includes an incident response runbook delivered at handover. <a href=\"https:\/\/www.hhs.gov\/hipaa\/for-professionals\/breach-notification\/index.html\" target=\"_blank\" rel=\"noopener\">HIPAA&#8217;s Breach Notification Rule<\/a> (45 CFR \u00a7164.400 et seq.) requires notification to affected individuals without unreasonable delay and no later than 60 days after discovery; a Business Associate notifies the Covered Entity on that same clock, and the Covered Entity notifies patients. We build breach detection into the audit log architecture, not as an afterthought. We&#8217;re not your CISO. But we build products that make your CISO&#8217;s job possible.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Can you work with OpenAI or Anthropic on a clinical product?<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">OpenAI and Anthropic both offer BAAs, but availability, scope, and which services are covered change. 
As of 2026, OpenAI&#8217;s BAA covers the API under an Enterprise agreement. Anthropic&#8217;s BAA coverage requires direct enterprise negotiation. For clinical products where you can&#8217;t risk an uncovered LLM call touching ePHI, we default to Amazon Bedrock (a HIPAA-eligible service under the AWS BAA) or Azure OpenAI Service (in scope for Microsoft&#8217;s HIPAA BAA). In either case, confirm the specific service and model are on the provider&#8217;s current eligible list, keep ePHI off any logging or abuse-monitoring path the BAA does not cover, and make sure a developer&#8217;s personal API key never becomes the production path. We walk you through this choice in Week 1 of discovery, not Week 8 of build.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>What&#8217;s the honest failure mode of working with an Indian agency on a healthcare product?<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Time zone friction on compliance-critical decisions, engineers who understand the HIPAA Security Rule in theory but haven&#8217;t worked through a real OCR audit scenario, and, most commonly, an agency that treats compliance as a delivery checklist rather than a product design constraint. I&#8217;ll say more about this below.<\/span><\/p>\n<h2><b>Is Your Product Actually a HIPAA-Regulated Build?<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Before we talk about what we build and how, you need to know whether HIPAA actually applies to your product, because the answer is not always obvious, and getting it wrong costs more than getting it right from Day 1.<\/span><\/p>\n<h3><b>The 12-question founder readiness audit:<\/b><\/h3>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Does your product create, receive, maintain, or transmit Protected Health Information (PHI) on behalf of a Covered Entity (a hospital, clinic, insurer, or healthcare clearinghouse)? If yes, you are likely a Business Associate under 45 CFR \u00a7160.103. 
You need a BAA before you touch a single byte of real patient data.<\/span><\/span>&nbsp;<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Does your product store patient encounter notes, diagnoses, lab results, prescription history, or any individually identifiable health information? If yes, ePHI is in scope. Encryption at rest (in practice AES-256) and in transit (TLS 1.2+) are &#8220;addressable&#8221; implementation specifications under \u00a7164.312(a)(2)(iv) and \u00a7164.312(e)(2)(ii). Addressable does not mean optional: you implement them, or you document why they are not reasonable and appropriate for your environment and implement an equivalent safeguard. In practice there is no defensible reason to skip them, and a breach of unencrypted ePHI is reportable where a breach of properly encrypted ePHI is not.<\/span><\/span>&nbsp;<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Are you a direct-to-consumer wellness app that never touches clinical data, only self-reported mood logs, steps, or sleep? Then you may be outside HIPAA&#8217;s scope entirely. FTC&#8217;s Health Breach Notification Rule may still apply. This is a legal question. Spend $500 on a healthcare attorney&#8217;s hour before you spend $200K on a build.<\/span><\/span>&nbsp;<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Does your product handle substance use disorder treatment records? If yes, 42 CFR Part 2 applies on top of HIPAA, with stricter consent requirements for disclosure. Most agencies miss this entirely.<\/span><\/span>&nbsp;<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Does your product involve clinical decision support that falls outside the 21st Century Cures Act&#8217;s CDS software exclusion and therefore meets the FDA&#8217;s definition of a device (Software as a Medical Device, SaMD)? 
If yes, you have an FDA regulatory pathway question that lives upstream of your engineering decisions.<\/span><\/span>&nbsp;<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Have you accepted your cloud provider&#8217;s BAA (AWS, GCP, Azure), and is every service you intend to put ePHI on actually covered by it? The BAA is accepted at the account level, but it covers only the provider&#8217;s listed eligible services. Not all AWS services are HIPAA-eligible. The list is at aws.amazon.com\/compliance\/hipaa-eligible-services-reference\/. If your previous agency put ePHI on a service that isn&#8217;t on that list, or into an account where the BAA was never accepted at all (which is how the S3 buckets in the opening story ended up outside any BAA; S3 itself is eligible), you have a problem.<\/span><\/span>&nbsp;<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Have you identified which US states your product will operate in and confirmed the telehealth licensure requirements for each? The Interstate Medical Licensure Compact (IMLC) covers 40+ states for physicians. PSYPACT covers psychologists across 42 states. But not every provider type is covered by a compact, and not every state has joined.<\/span><\/span>&nbsp;<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Do you have a documented risk analysis and risk management process? \u00a7164.308(a)(1) makes this mandatory. Not optional. 
Not &#8220;we&#8217;ll do it before Series B.&#8221; Mandatory before you go live with real patient data.<\/span><\/span>&nbsp;<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Have you identified all the vendors in your product stack who will touch ePHI (your EHR integration partner, your video platform if telehealth, your analytics tool, your email provider) and confirmed each has a BAA? Analytics and tracking SDKs deserve a second look: one that captures page URLs, form fields, or user identifiers can ship ePHI to a vendor that will never sign a BAA.<\/span><\/span>&nbsp;<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Are you building for payer or health system enterprise sales? If yes, SOC 2 Type II is the floor. HITRUST CSF certification is the ceiling many large payers and health systems require. Build for SOC 2 from Day 1; it takes 6\u201312 months minimum.<\/span><\/span>&nbsp;<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">What is your incident response plan for a data breach? HIPAA requires notification to affected individuals without unreasonable delay and no later than 60 days after discovery of a breach (\u00a7164.404); as a Business Associate you notify the Covered Entity on that same clock (\u00a7164.410) and it notifies the patients. If the answer is &#8220;we&#8217;ll figure it out,&#8221; that&#8217;s a gap, and a liability.<\/span><\/span>&nbsp;<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">What is your board&#8217;s timeline? If you have a board meeting or fundraise in 12 weeks and you don&#8217;t yet have a HIPAA-compliant architecture, you are behind. Not catastrophically, but you need to start the compliance mapping in Week 1 of discovery, not in QA.<\/span><\/li>\n<\/ol>\n<p><b>EB Index 2026:<\/b><span style=\"font-weight: 400;\"> Across 140 US healthcare products we&#8217;ve shipped since 2020, the median time from BAA signed to first ePHI write in production was 11 days. 
The MVPs that hit launch on time had one shared trait: HIPAA mapping happened in Week 1 of discovery, not Week 1 of QA.<\/span><\/p>\n<h2><b>Why US Healthcare Founders Choose India, And What They Get Wrong<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">The honest reason US healthcare founders come to EngineerBabu is economics. A senior full-stack engineer with FHIR experience in Boston costs $180K\u2013$240K\/year in salary alone.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The same engineer in Indore, on our team, trained on HIPAA Security Rule architecture, <\/span><a href=\"https:\/\/engineerbabu.com\/blog\/epic-fhir-integration-guide-usa\/\"><span style=\"font-weight: 400;\">FHIR integration<\/span><\/a><span style=\"font-weight: 400;\"> patterns, and US healthcare UX standards, costs you $22K\u2013$38K\/month for a full dedicated pod, not per engineer, for the team.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">That&#8217;s real. That math works. That&#8217;s why 140 US healthcare founders have shipped with us.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">But here&#8217;s what founders consistently get wrong about working with an Indian engineering partner:<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Wrong assumption #1: &#8220;HIPAA is just a compliance layer we add at the end.&#8221;<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">No US healthcare founder would say this out loud. But their vendor selection behavior says it constantly. They hire for engineering speed, then ask about HIPAA in month three. HIPAA is not a layer. It is a constraint that shapes every data model, every API contract, every third-party integration decision. 
The founders who ship on time treat it as a product design constraint from Day 1.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Wrong assumption #2: &#8220;Any good engineer can figure out FHIR.&#8221;<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">FHIR R4 is a specification. Epic&#8217;s SMART on FHIR implementation of that specification, with its specific OAuth 2.0 scopes, its sandbox quirks, its production launch review process, and its requirements for app certification, that is a different thing. We have engineers who have been through Epic&#8217;s App Orchard process in production. We have engineers who have read the FHIR spec but never shipped a live Epic integration. We tell you which is which on the discovery call.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Wrong assumption #3: &#8220;The time zone gap is manageable.&#8221;<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">It is manageable, with structure. Our US-overlap window (7:30\u201310:30 AM PST) covers three hours of synchronous work daily. For most product decisions, that&#8217;s enough. For compliance-critical decisions, like an architecture review that surfaces an ePHI handling question, or a BAA negotiation that needs your attorney and our team in the same conversation, three hours can feel very thin. We build async escalation protocols into every engagement for exactly this reason.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Wrong assumption #4: &#8220;We can skip SOC 2 until we have enterprise customers.&#8221;<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">The moment you start talking to a health system, a large payer, or a Series A investor who has done healthcare deals before, SOC 2 Type II comes up. Not as a nice-to-have. As a procurement gate. 
We build SOC 2 readiness into the architecture from Day 1, not because it&#8217;s cheap, but because retrofitting it into a product that wasn&#8217;t designed for it costs 3\u20134\u00d7 more than building it in.<\/span><\/p>\n<p><b>From a US founder call:<\/b><span style=\"font-weight: 400;\"> &#8220;I spent $180K with an agency that built a technically beautiful product. When I got to my first enterprise demo, the hospital&#8217;s procurement team asked for our SOC 2 Type II report. We didn&#8217;t have one. We didn&#8217;t even have the policies in place to start the audit clock. That was eight months and $95K ago.&#8221;, Series A telehealth founder, Atlanta.<\/span><\/p>\n<p><b>Red flag:<\/b><span style=\"font-weight: 400;\"> Any agency that tells you SOC 2 is &#8220;something we handle after launch&#8221; has never actually worked with a US healthcare enterprise buyer. Walk away.<\/span><\/p>\n<h2><b>The Three Engagement Models for US Healthcare Products<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">We run three models for US healthcare founders. Here&#8217;s the honest matrix:<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Model 1: Fixed-Scope HIPAA-Ready MVP<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><b>What it is:<\/b><span style=\"font-weight: 400;\"> A time-boxed, fixed-price engagement to ship a <\/span><a href=\"https:\/\/engineerbabu.com\/blog\/build-a-hipaa-compliant-app-in-the-usa\/\"><span style=\"font-weight: 400;\">HIPAA-compliant app<\/span><\/a><span style=\"font-weight: 400;\"> with defined scope. Discovery \u2192 compliance mapping \u2192 build \u2192 QA \u2192 handover. 
One team, one sprint, one deliverable.<\/span><\/p>\n<p><b>Best for:<\/b><span style=\"font-weight: 400;\"> Pre-seed to Seed founders with $75K\u2013$180K in product budget, a defined core use case, and a clear launch goal (first 100 patients, first pilot site, fundraise demo).<\/span><\/p>\n<p><b>Cost range:<\/b><span style=\"font-weight: 400;\"> $75K\u2013$180K depending on ePHI scope, integrations (EHR, video, lab), and AI features.<\/span><\/p>\n<p><b>Timeline:<\/b><span style=\"font-weight: 400;\"> 12\u201320 weeks.<\/span><\/p>\n<p><b>Compliance ownership:<\/b><span style=\"font-weight: 400;\"> We deliver the HIPAA risk assessment, system security plan, data flow diagrams, and BAA registry. You own ongoing compliance operations post-launch. We recommend you hire a part-time fractional CISO or use a compliance automation platform (Vanta, Drata) from month one of launch.<\/span><\/p>\n<p><b>Honest limitation:<\/b><span style=\"font-weight: 400;\"> Fixed scope means fixed scope. Every FHIR integration you add mid-sprint, every new ePHI data type you decide to store, every additional state&#8217;s telehealth requirement you discover, these are change orders. We price them transparently and in advance. We are not a scope-creep-friendly model. Founders who know what they&#8217;re building do very well here. Founders who are still figuring it out mid-build struggle.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Model 2: Dedicated Pod with Embedded Compliance Lead<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><b>What it is:<\/b><span style=\"font-weight: 400;\"> A dedicated 4\u20138 person product engineering pod, PM, tech lead, 2\u20133 engineers, QA, and a HIPAA compliance lead embedded in the team, on a monthly retainer. You drive product direction. 
We execute.<\/span><\/p>\n<p><b>Best for:<\/b><span style=\"font-weight: 400;\"> Series A founders post-MVP who are scaling features, adding EHR integrations, expanding to new states, or moving toward SOC 2 Type II audit readiness.<\/span><\/p>\n<p><b>Cost range:<\/b><span style=\"font-weight: 400;\"> $22K\u2013$38K\/month depending on pod size and compliance lead seniority.<\/span><\/p>\n<p><b>Timeline:<\/b><span style=\"font-weight: 400;\"> Minimum 6-month commitment. We&#8217;ve had healthcare founders on this model for 3+ years.<\/span><\/p>\n<p><b>Compliance ownership:<\/b><span style=\"font-weight: 400;\"> Our embedded compliance lead owns the risk register, the vendor sub-processor list, the incident response runbook, and the SOC 2 readiness checklist on an ongoing basis. This is the closest thing to having an internal compliance team without the $300K\/year hiring cost.<\/span><\/p>\n<p><b>Honest limitation:<\/b><span style=\"font-weight: 400;\"> You need a strong product manager on your side, either internal or our embedded PM. The pod is only as good as the product direction it receives. Founders who are still in discovery mode burn through the first two months of a pod engagement without meaningful output.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Model 3: Tech Co-Founder Engagement<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><b>What it is:<\/b><span style=\"font-weight: 400;\"> For non-technical healthcare founders, clinicians, operators, former payer executives, who need not just engineering but technical leadership and architecture ownership. 
We act as your CTO and engineering team simultaneously.<\/span><\/p>\n<p><b>Best for:<\/b><span style=\"font-weight: 400;\"> Pre-seed clinical founders who have deep domain knowledge (a physician building an RPM tool, a hospital administrator building a prior auth automation product) but no technical co-founder.<\/span><\/p>\n<p><b>Cost range:<\/b><span style=\"font-weight: 400;\"> $18K\u2013$28K\/month (smaller team, but higher strategic involvement from our side).<\/span><\/p>\n<p><b>Timeline:<\/b><span style=\"font-weight: 400;\"> 6\u201318 months, until you&#8217;re ready to hire your first in-house CTO.<\/span><\/p>\n<p><b>Compliance ownership:<\/b><span style=\"font-weight: 400;\"> We own it end to end. Architecture decisions, vendor selection, BAA negotiations, HIPAA risk assessments, all of it. We recommend your first in-house compliance hire at the point where you&#8217;re approaching 10,000+ active patients or entering enterprise payer contracts.<\/span><\/p>\n<p><b>Honest limitation:<\/b><span style=\"font-weight: 400;\"> This only works if you trust us with technical decisions. Founders who want to make every stack choice but don&#8217;t have the technical background to evaluate trade-offs create friction that slows the product and frustrates the team. The right frame is: you own clinical and business decisions, we own technical and compliance decisions, and we check in at every meaningful intersection.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-22932\" src=\"https:\/\/engineerbabu.com\/blog\/wp-content\/uploads\/2026\/05\/img3_engagement_models.png\" alt=\"\" width=\"1800\" height=\"1194\" title=\"\"><\/p>\n<h2><b>The Real Cost Stack: What No One Tells You Upfront\u00a0<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">US healthcare founders consistently underestimate the total cost of a regulated build. 
Not because they&#8217;re bad at math, but because their vendors only quote the engineering line item. Here is the full picture.<\/span><\/p>\n<h3><b>The engineering line (what you pay us):<\/b><\/h3>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">HIPAA-ready Lean MVP: $75K\u2013$135K<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Full HIPAA + SOC 2-track MVP: $140K\u2013$260K<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">AI-native clinical product MVP: $130K\u2013$290K<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Dedicated pod post-MVP: $22K\u2013$38K\/month<\/span><\/li>\n<\/ul>\n<h3><b>The compliance infrastructure line (what you pay, not us):<\/b><\/h3>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">SOC 2 Type II audit: $45K\u2013$95K depending on auditor and scope (A-LIGN, Schellman, and Prescient Assurance are the auditors we&#8217;ve worked alongside most often for healthcare clients)<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">SOC 2 compliance tooling: $12K\u2013$36K\/year (Vanta, Drata, or Secureframe; we recommend Vanta for most early-stage healthcare founders)<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">HITRUST CSF assessment (if payer enterprise sales required): $80K\u2013$150K<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Penetration testing: $8K\u2013$22K (not strictly mandated by SOC 2, but expected by most auditors and required in nearly every enterprise payer procurement process)<\/span><\/li>\n<\/ul>\n<h3><b>The legal line (what you pay your attorney):<\/b><\/h3>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Healthcare attorney review of BAAs: $3K\u2013$8K<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">State telehealth licensure legal review: $5K\u2013$15K depending on number of states<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Privacy policy and terms of service for a HIPAA-covered product: $4K\u2013$10K<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">HIPAA-specific DPA drafting for enterprise customers: $2K\u2013$6K per contract<\/span><\/li>\n<\/ul>\n<h3><b>The silent taxes:<\/b><\/h3>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">EHR sandbox access fees (Epic App Orchard): $5K\u2013$25K\/year<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Video infrastructure with HIPAA BAA (Daily.co, Vonage, Twilio Video under BAA): $0.5K\u2013$3K\/month depending on volume<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Cloud infrastructure for HIPAA-eligible services only: 20\u201335% more expensive than equivalent non-HIPAA infrastructure due to logging requirements, encryption overhead, and eligible service constraints<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Fractional CISO post-launch: $4K\u2013$10K\/month until you hire in-house<\/span><\/li>\n<\/ul>\n<p><b>EB Index 2026:<\/b><span style=\"font-weight: 400;\"> The median total first-year cost for a US healthcare MVP, engineering + compliance infrastructure + legal + cloud, was $287,000. The median engineering line item was $142,000. 
Founders who budget only for engineering are 50\u201360% short before their first enterprise demo.<\/span><\/p>\n<p><b>What we&#8217;d cut:<\/b><span style=\"font-weight: 400;\"> If you&#8217;re pre-seed with under $2M raised and a consumer health use case that can be designed to minimize ePHI scope (think: a wellness app that refers out to providers rather than storing clinical data), the HIPAA surface area shrinks dramatically. Design the ePHI scope out of your MVP. Ship to your first 500 users. Raise. Then build the full clinical data layer. We&#8217;ve helped 22 founders do exactly this.<\/span><\/p>\n<p><b>Compliance trap:<\/b><span style=\"font-weight: 400;\"> Founders who use AWS without specifically checking the HIPAA Eligible Services list at aws.amazon.com\/compliance\/hipaa-eligible-services-reference\/ end up with ePHI on services not covered by the AWS BAA. Accepting the BAA in AWS Artifact covers the account, but only for the services on that list, and the list changes over time, so don&#8217;t work from memory or from a blog post, including this one. The failure usually looks like a newer or niche service pulled in for one feature (a managed NLP, image-analysis, or search service), with the team assuming the account-level BAA covers it. Check the list before you architect, record the date you checked it in your risk assessment, and check it again before you go live.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-22934 size-full\" src=\"https:\/\/engineerbabu.com\/blog\/wp-content\/uploads\/2026\/05\/img1_cost_stack-1.png\" alt=\"\" width=\"1800\" height=\"567\" title=\"\"><\/p>\n<h2><b>The Compliance-First Discovery Loop<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">The single biggest difference between our healthcare builds that launch on time and the ones that don&#8217;t is where compliance enters the conversation.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Agencies that bolt compliance on at the end treat discovery as a product conversation, user flows, wireframes, feature lists, and treat HIPAA as something the QA team handles in the final sprint. 
This always fails.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">It fails because an ePHI handling gap discovered in QA is a rebuild, not a fix. It fails because a data flow that wasn&#8217;t mapped for minimum necessary access (\u00a7164.502(b)) requires schema changes that cascade through the entire product. It fails because an audit log that wasn&#8217;t designed from Day 1 can only be retrofitted going forward: the access events that happened before it existed were never recorded and cannot be reconstructed.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Here&#8217;s how we run discovery for every US healthcare product:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Week 1, Day 1\u20133: Jobs-to-be-Done and User Flows<\/b><span style=\"font-weight: 400;\"> Before a single wireframe is drawn: who is the primary user, what job are they hiring this product to do, what data does the product need to do that job, and is any of that data PHI?<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Week 1, Day 3\u20135: ePHI Data Classification<\/b><span style=\"font-weight: 400;\"> We map every data element the product needs to create, receive, maintain, or transmit. We classify each one: is it PHI? Is it ePHI? Is it de-identified under the Safe Harbor method (\u00a7164.514(b)(2)) or the Expert Determination method (\u00a7164.514(b)(1))? Can we design the MVP to not touch ePHI at all in the first version?<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Week 1, Day 5: HIPAA Scoping Decision<\/b><span style=\"font-weight: 400;\"> Based on the data classification, we make an explicit decision: what is the HIPAA surface area of this product? Where does ePHI live? Where does it move? Who has access? 
This scoping decision drives every architecture choice that follows.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Week 2: BAA Mapping and Vendor Selection<\/b><span style=\"font-weight: 400;\"> We identify every third-party service the product will use, cloud infrastructure, video, email, analytics, LLM, and confirm BAA availability for each. For any service where a BAA is not available and the service will touch ePHI, we find an alternative. This week is also when we co-sign the BAA with you, the founder.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Week 2\u20133: Mid-Fidelity Prototype and User Test<\/b><span style=\"font-weight: 400;\"> Only after the compliance scoping is done do we move to mid-fidelity wireframes. Every user flow is annotated with the ePHI it touches, the access control required, and the audit log event it triggers.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Week 3\u20134: Architecture Review and Security Design<\/b><span style=\"font-weight: 400;\"> Data model, <\/span><a href=\"https:\/\/engineerbabu.com\/services\/api-development\"><span style=\"font-weight: 400;\">API development<\/span><\/a><span style=\"font-weight: 400;\">, encryption strategy, audit log schema, access control model (RBAC minimum, ABAC where needed), emergency access (&#8220;break glass&#8221;) protocol, and the backup and disaster recovery plan.<\/span><\/li>\n<\/ul>\n<p><b>From a US founder call:<\/b><span style=\"font-weight: 400;\"> &#8220;I came to Mayank after two previous agencies. Both of them told me about HIPAA in the first call and never mentioned it again until I asked. Mayank&#8217;s team was showing me the data flow diagram with ePHI annotated on Day 5 of discovery. 
That was the first time I felt like my compliance risk was actually being managed.&#8221;, Seed-stage RPM founder, Seattle.<\/span><\/p>\n<p><b>Red flag:<\/b><span style=\"font-weight: 400;\"> Any discovery engagement that produces wireframes and a feature list in week one without a data classification map is not a HIPAA-compliant discovery process. It is a general product discovery process with &#8220;HIPAA-compliant&#8221; in the pitch deck.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-22939\" src=\"https:\/\/engineerbabu.com\/blog\/wp-content\/uploads\/2026\/05\/img4_discovery_loop-1.png\" alt=\"\" width=\"1800\" height=\"1816\" title=\"\"><\/p>\n<h2><b>The 11\u201314 Week HIPAA-Ready MVP Sprint<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">This is our standard timeline for a Lean HIPAA-Ready MVP, designed to minimize ePHI scope and hit a first-patient-interaction milestone.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Weeks 1\u20132: Discovery and Compliance Scoping<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">ePHI data classification, BAA mapping, vendor selection, architecture decision record, HIPAA risk assessment draft, BAA signed. The engineering team does not write a line of production code in these two weeks. That is intentional.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Week 2: BAA Signed<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">We sign the BAA in Week 2. Not Week 6. Not &#8220;before launch.&#8221; Week 2. If a founder pushes back on this timeline, that is a signal that they don&#8217;t yet understand why the BAA can&#8217;t wait.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Weeks 3\u20134: Architecture and Environment Setup<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">HIPAA-eligible infrastructure provisioned (AWS or GCP). VPC configuration. Encryption at rest enabled on every data store. 
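<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The Safe Harbor call in the discovery checklist above (Week 1, Day 3\u20135) is mechanical enough to code, and coding it is the fastest way to find out which columns the MVP can drop before the first sprint. What follows is an added example, not code from the original post or from EngineerBabu: a Python function that applies the \u00a7164.514(b)(2) column rules to a flat patient record. The field names, sample records and reference date are constructed for the example; the restricted three-digit ZIP list is the one HHS published from 2000 Census figures and has to be re-verified before use. The function refuses free-text fields on purpose, because a notes column is where names survive column-level de-identification.<\/span><\/p>

```python
from datetime import date

# Added example, not code from the original post. Field names, the sample records
# and the reference date are constructed; they are not a real schema or real patients.

# 45 CFR 164.514(b)(2)(i): direct identifiers that are removed outright.
DIRECT_IDENTIFIERS = {
    'name', 'email', 'phone', 'fax', 'ssn', 'mrn', 'health_plan_id',
    'account_number', 'license_number', 'vehicle_id', 'device_serial',
    'url', 'ip_address', 'biometric', 'photo',
}
# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = {'dob', 'admission_date', 'discharge_date', 'death_date'}
# Free text is never de-identified by column rules; it needs human or NLP review.
FREE_TEXT_FIELDS = {'notes', 'chief_complaint'}
# Three-digit ZIP prefixes whose population is 20,000 or fewer must become 000.
# This is the list HHS published from 2000 Census figures; re-verify before relying on it.
RESTRICTED_ZIP3 = {
    '036', '059', '063', '102', '203', '556', '692', '790', '821',
    '823', '830', '831', '878', '879', '884', '890', '893',
}


def safe_harbor_zip(zip_code):
    '''Keep the first three ZIP digits unless the prefix is a restricted one.'''
    digits = ''.join(ch for ch in str(zip_code) if ch.isdigit())
    zip3 = digits[:3]
    if len(zip3) < 3 or zip3 in RESTRICTED_ZIP3:
        return '000'
    return zip3


def age_on(dob, as_of):
    '''Whole years between two ISO dates (YYYY-MM-DD).'''
    born, ref = date.fromisoformat(dob), date.fromisoformat(as_of)
    had_birthday = (ref.month, ref.day) >= (born.month, born.day)
    return ref.year - born.year - (0 if had_birthday else 1)


def safe_harbor_deidentify(record, as_of):
    '''Return a Safe Harbor copy of a flat patient record; refuses free-text fields.'''
    for key in record:
        if key in FREE_TEXT_FIELDS:
            raise ValueError('free-text field needs review, not column rules: ' + key)
    age = age_on(record['dob'], as_of) if 'dob' in record else record.get('age')
    over_89 = age is not None and age > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == 'zip':
            out['zip3'] = safe_harbor_zip(value)
        elif key in DATE_FIELDS:
            # A birth year for someone over 89 reveals the age, so it goes too.
            if key == 'dob' and over_89:
                continue
            out[key + '_year'] = int(str(value)[:4])
        elif key == 'age':
            out['age'] = 90 if over_89 else value
        else:
            out[key] = value
    if over_89:
        out['age'] = 90  # single aggregated category: 90 or older
    return out
```

<p><span style=\"font-weight: 400;\">Two things the code makes concrete that the checklist does not: a patient over 89 loses the birth year, not just the birth date, and Safe Harbor is only half the test, since \u00a7164.514(b)(2)(ii) also requires that you have no actual knowledge that the remaining data could identify the person.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">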
TLS 1.2+ enforced at every network boundary. Audit log infrastructure set up, append-only, tamper-evident, retained 6+ years. CI\/CD pipeline with security scanning (SAST via Semgrep or Snyk). Role-based access control framework implemented.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Weeks 5\u20139: Core Feature Build<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Feature build against the scoped product. Every pull request is reviewed against the data classification map, any new ePHI data element requires an explicit compliance review before merge. The audit log records every ePHI access, modification, and deletion event.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Week 10: Internal QA + Compliance Review<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Full test coverage for ePHI flows. Security regression testing. HIPAA risk assessment updated to reflect the as-built product. Any gaps against the risk assessment are triaged and resolved before the penetration test.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Week 11: Penetration Testing<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">We recommend engaging a third-party pen-testing firm (not our internal team) for this step, it costs $8K\u2013$22K and takes 1\u20132 weeks. The pen test report becomes part of your SOC 2 audit evidence package and your enterprise sales compliance folder. We pause the deployment to production until the pen test is complete and critical findings are remediated.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Week 12: UAT and Clinical User Testing<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">User acceptance testing with real clinicians or patients (under appropriate consent frameworks). 
This is also when we validate that the product UX handles the edge cases specific to regulated healthcare contexts: session timeouts that protect ePHI, minimum necessary access in the UI, and patient consent flows that meet state-specific requirements.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Week 13: SOC 2 Readiness Review<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">For founders on the SOC 2 track: we engage your compliance automation platform (Vanta, Drata) to begin the audit readiness assessment. A Type II report attests to an observation window, so the clock only starts once controls are live and producing evidence; plan on at least 6 months for a first report, because shorter windows exist but enterprise buyers rarely accept them. We start the clock here, not post-launch. This is a parallel workstream, not a sequential one.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Week 14: Handover and Launch<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Handover pack delivered: HIPAA risk assessment (final), system security plan, data flow diagrams with ePHI annotated, audit log specifications, incident response runbook, BAA registry (every sub-processor), vendor sub-processor list, penetration test report. Source code delivered to your repository. Infrastructure access transferred. Launch.<\/span><\/p>\n<p><b>Compliance trap:<\/b><span style=\"font-weight: 400;\"> Founders who push to skip the Week 11 penetration test to hit a board date are making a $15K saving that creates a $150K liability. HIPAA does not name penetration testing, but \u00a7164.308(a)(1)(ii)(A) requires an accurate and thorough risk analysis and \u00a7164.308(a)(8) requires periodic technical evaluation. If an OCR investigation surfaces a vulnerability post-launch that a pen test would have caught, you will be asked how both of those missed it, and the absence of any pen test report is a hard gap to explain. 
Do the pen test.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-22935\" src=\"https:\/\/engineerbabu.com\/blog\/wp-content\/uploads\/2026\/05\/img2_sprint_gantt.png\" alt=\"\" width=\"2150\" height=\"1388\" title=\"\"><\/p>\n<h2><b>Tech Stack Decisions for US Healthcare Products<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Every stack decision in a HIPAA-regulated product starts with one question: where does ePHI live, and who can touch it?<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Frontend:<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">React (web), <\/span><a href=\"https:\/\/engineerbabu.com\/technologies\/react-native-development-services\"><span style=\"font-weight: 400;\">React Native<\/span><\/a><span style=\"font-weight: 400;\"> or Flutter (mobile). For clinical products (EHR-adjacent tools, clinical scribes, RPM dashboards), React with a strong TypeScript foundation and server-side rendering via Next.js. Automatic logoff is an implementation specification under \u00a7164.312(a)(2)(iii); the Rule does not set an interval (it is addressable, which still means you implement it or document why an equivalent control is reasonable and appropriate). We default to automatic logout after 15 minutes of inactivity on clinician-facing products (shared workstations warrant a shorter one) and treat it as a requirement, not a nice-to-have.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Backend:<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><a href=\"https:\/\/engineerbabu.com\/technologies\/nodejs-development-services\"><span style=\"font-weight: 400;\">Node.js<\/span><\/a><span style=\"font-weight: 400;\">\/NestJS for API-first products with high concurrency (telehealth platforms, patient portals), Python\/FastAPI for AI-native clinical products (clinical scribes, decision support, NLP pipelines). Go for high-throughput data pipelines where ePHI volume is large and latency matters (RPM data ingestion).<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Database:<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">PostgreSQL as the primary ePHI store: mature, well-understood encryption options, strong audit log support. 
Redis for session management (never for ePHI at rest, and with session keys expiring on the same inactivity interval the UI enforces). We avoid NoSQL databases for primary ePHI storage unless there is a specific clinical data model reason: the schema flexibility that makes NoSQL appealing also makes consistent access control and audit logging harder to implement correctly.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Cloud:<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">AWS with HIPAA-eligible services only (confirmed against the published eligible services list before any architecture decision). For products with Google Workspace or Google Health integrations, GCP under the BAA-covered service list. Azure under the Microsoft BAA for Microsoft-ecosystem products or products requiring Azure OpenAI; there is no separate HIPAA switch on Azure, coverage comes from the BAA in your Microsoft agreement plus the services you choose and how you configure them.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>FHIR Layer:<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">HAPI FHIR server for products that need to expose or consume FHIR R4 resources. Smile CDR for larger health system integrations. Firely SDK for .NET environments. We do not build our own FHIR implementations: the specification is complex enough that rolling your own is a reliability and compliance risk.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Video (telehealth):<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Daily.co (BAA available), Vonage Video API (BAA available), Twilio Video under the Twilio BAA. We do not recommend consumer video platforms (Zoom, Google Meet, Teams) for PHI-containing clinical sessions unless the HIPAA-covered tier and its configuration have been confirmed with legal counsel. The free tiers of these platforms are not covered.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Audit Logging:<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Immutable, append-only audit logs in a separate data store from the application database. For infrastructure-level audit events we use AWS CloudTrail delivered to S3 with log file integrity validation enabled (the signed digest files are what make tampering detectable), S3 Object Lock on that bucket for the retention period, and CloudWatch Logs for alerting. 
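<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Here is what the application-level audit table described next looks like when built, as an added example and not code from the original post or from EngineerBabu. It is Python on SQLite so it runs with nothing but the standard library; in PostgreSQL the same table gets a role granted INSERT only. Two controls stack: triggers that abort UPDATE and DELETE, and a SHA-256 hash chain over every entry, so that even a privileged actor who drops the trigger leaves a detectable break. The same block gates reads through a per-role field allowlist, which is what minimum necessary (\u00a7164.502(b)) looks like at the API layer, and records denials as events. Table name, columns, roles, actors, patient IDs and timestamps are constructed for the example.<\/span><\/p>

```python
import hashlib
import json
import sqlite3

# Added example, not code from the original post. The table, roles, actors,
# patient IDs and events below are constructed for the demonstration.
GENESIS = '0' * 64

SCHEMA = '''
CREATE TABLE ephi_audit (
    seq INTEGER PRIMARY KEY AUTOINCREMENT, ts TEXT NOT NULL, actor TEXT NOT NULL,
    action TEXT NOT NULL, patient_id TEXT NOT NULL, fields TEXT NOT NULL,
    source_ip TEXT NOT NULL, prev_hash TEXT NOT NULL, entry_hash TEXT NOT NULL
);
-- Append-only for every connection, not only the app role. In PostgreSQL the
-- application role additionally gets GRANT INSERT and nothing else on this table.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON ephi_audit
BEGIN SELECT RAISE(ABORT, 'ephi_audit is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON ephi_audit
BEGIN SELECT RAISE(ABORT, 'ephi_audit is append-only'); END;
'''

# Minimum necessary: each role may read only the fields its job requires (assumed roles).
ROLE_FIELDS = {
    'scheduler': {'name', 'next_appointment'},
    'nurse': {'name', 'vitals', 'allergies', 'medications'},
    'physician': {'name', 'vitals', 'allergies', 'medications', 'notes'},
}

def open_audit_db():
    conn = sqlite3.connect(':memory:')
    conn.executescript(SCHEMA)
    return conn

def _entry_hash(prev_hash, row):
    # Canonical JSON so the digest does not depend on key order.
    payload = json.dumps(row, sort_keys=True, separators=(',', ':'))
    return hashlib.sha256((prev_hash + payload).encode('utf-8')).hexdigest()

def record_event(conn, ts, actor, action, patient_id, fields, source_ip):
    '''Append one entry chained to the previous one; returns its hash.'''
    last = conn.execute('SELECT entry_hash FROM ephi_audit ORDER BY seq DESC LIMIT 1').fetchone()
    prev_hash = last[0] if last else GENESIS
    fields = sorted(fields)
    row = {'ts': ts, 'actor': actor, 'action': action,
           'patient_id': patient_id, 'fields': fields, 'source_ip': source_ip}
    entry_hash = _entry_hash(prev_hash, row)
    conn.execute('INSERT INTO ephi_audit (ts, actor, action, patient_id, fields, source_ip, prev_hash, entry_hash) '
                 'VALUES (?, ?, ?, ?, ?, ?, ?, ?)',
                 (ts, actor, action, patient_id, json.dumps(fields), source_ip, prev_hash, entry_hash))
    conn.commit()
    return entry_hash

def verify_chain(conn):
    '''None if every entry links and hashes correctly, otherwise the first bad seq.'''
    prev = GENESIS
    rows = conn.execute('SELECT seq, ts, actor, action, patient_id, fields, source_ip, prev_hash, entry_hash '
                        'FROM ephi_audit ORDER BY seq')
    for seq, ts, actor, action, patient_id, fields, source_ip, prev_hash, entry_hash in rows:
        row = {'ts': ts, 'actor': actor, 'action': action,
               'patient_id': patient_id, 'fields': json.loads(fields), 'source_ip': source_ip}
        if prev_hash != prev or _entry_hash(prev_hash, row) != entry_hash:
            return seq
        prev = entry_hash
    return None

def entry_count(conn):
    return conn.execute('SELECT COUNT(*) FROM ephi_audit').fetchone()[0]

def read_patient_fields(conn, ts, actor, role, patient_id, requested, source_ip):
    '''Deny-by-default field gate; denials are audit events too.'''
    allowed = ROLE_FIELDS.get(role, set())
    denied = sorted(set(requested) - allowed)
    if denied:
        record_event(conn, ts, actor, 'DENIED', patient_id, denied, source_ip)
        raise PermissionError(role + ' may not read: ' + ', '.join(denied))
    record_event(conn, ts, actor, 'READ', patient_id, requested, source_ip)
    return sorted(requested)

def attempt_update(conn, seq, new_actor):
    '''What a compromised app process would try; returns True if the database refused.'''
    try:
        conn.execute('UPDATE ephi_audit SET actor = ? WHERE seq = ?', (new_actor, seq))
        conn.commit()
        return False
    except sqlite3.DatabaseError:
        return True

def privileged_rewrite(conn, seq, new_actor):
    '''A DBA can drop the trigger and edit the row; the hash chain still exposes it.'''
    conn.executescript('DROP TRIGGER audit_no_update;')
    conn.execute('UPDATE ephi_audit SET actor = ? WHERE seq = ?', (new_actor, seq))
    conn.commit()
```

<p><span style=\"font-weight: 400;\">The chain is computed client-side here, so concurrent writers need a serialized writer or a database-side trigger that reads the previous hash inside the same transaction. Run verify_chain on a schedule and alert on any non-None result, and ship the entries to the separate store this section calls for, so the application database is never the only copy.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">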
Application-level ePHI audit events (who accessed what patient record, when, from what IP) go into a dedicated audit log table with a write-only service account, no application process can delete or modify audit log entries.<\/span><\/p>\n<p><b>What we&#8217;d cut:<\/b><span style=\"font-weight: 400;\"> For a HIPAA-ready Lean MVP designed to get to first-patient interaction, we aggressively scope out any ePHI data element that isn&#8217;t strictly necessary for the core use case. A telehealth MVP does not need to store the patient&#8217;s full medication history to enable the first video visit. Store what you need. Define what you need explicitly. Store nothing else. Minimum necessary access (\u00a7164.502(b)) is a legal requirement, but it also makes the build faster, cheaper, and safer.<\/span><\/p>\n<h2><b>AI-Native Clinical Builds in 2026<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">The most common AI use cases we&#8217;re building for US healthcare founders in 2026:<\/span><\/p>\n<p><b>Clinical AI scribes<\/b><span style=\"font-weight: 400;\">, LLM-based ambient documentation that listens to a patient encounter and generates a structured clinical note in the provider&#8217;s EHR. The ePHI risk surface here is significant: audio of a patient encounter is PHI. The transcript is PHI. The generated note is PHI. Every step of the pipeline needs BAA coverage, encryption in transit, and a retention and deletion policy.<\/span><\/p>\n<p><b>AI-assisted clinical decision support<\/b><span style=\"font-weight: 400;\">, Rule-based or LLM-assisted systems that surface relevant clinical information, flag potential drug interactions, or suggest diagnostic considerations. The FDA&#8217;s clinical decision support guidance under the 21st Century Cures Act determines whether your CDS tool is exempt from FDA regulation or classified as a SaMD. 
Get this classification question answered by a regulatory attorney before you build, not after.<\/span><\/p>\n<p><b>Patient-facing AI<\/b><span style=\"font-weight: 400;\">, Symptom checkers, medication adherence chatbots, mental health support tools. These carry the highest clinical risk profile because the end user is a patient, not a clinician. The UX must include explicit &#8220;I am not a doctor&#8221; framing, escalation paths to human providers, and crisis intervention flows for mental health products (suicide and self-harm screening is not optional for a mental health AI product serving US consumers).<\/span><\/p>\n<h3><b>The LLM selection decision tree for clinical products:<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Does the LLM call touch ePHI? If no, and you have verified that &#8220;no&#8221; means Safe Harbor or Expert Determination de-identification rather than names stripped from a prompt, use whatever performs best for your use case. If yes, the options in 2026 are:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Amazon Bedrock<\/b><span style=\"font-weight: 400;\">, Covered under the standard AWS BAA. Claude (Anthropic), Llama, Mistral, and others available. Our default recommendation for most clinical AI builds because the BAA situation is unambiguous and the service is in the HIPAA-eligible list.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Azure OpenAI under the Microsoft BAA<\/b><span style=\"font-weight: 400;\">, Strong option for GPT-4 class models where Azure&#8217;s enterprise compliance posture aligns with your stack. There is no HIPAA switch on the service: coverage comes from the BAA in your Microsoft agreement, so confirm in writing that Azure OpenAI is in scope and that its abuse-monitoring data retention is acceptable to your attorney.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>OpenAI API with Enterprise BAA<\/b><span style=\"font-weight: 400;\">, Available as of 2026 under an OpenAI Enterprise agreement. 
Review the BAA scope carefully with your healthcare attorney, what services and data uses are covered matters.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Self-hosted open-source models (Llama, Mistral, Mixtral)<\/b><span style=\"font-weight: 400;\">, Maximum privacy control, no BAA dependency, but significant infrastructure overhead. We recommend this only for products where the sensitivity of the clinical data makes any cloud LLM a non-starter with your legal team or your enterprise customers.<\/span><\/li>\n<\/ul>\n<p><b>Hallucination guardrails for clinical AI:<\/b><span style=\"font-weight: 400;\"> Every clinical AI output in a product we build includes: source citation (what clinical data or guideline does this response reference), confidence framing (&#8220;Based on the information available, a possible consideration is\u2026&#8221;, not &#8220;You have [diagnosis]&#8221;), a human-in-the-loop escalation path, and an explicit &#8220;This is not medical advice and does not replace clinical judgment&#8221; disclaimer surfaced in the UI, not buried in the terms of service.<\/span><\/p>\n<p><b>From a US founder call:<\/b><span style=\"font-weight: 400;\"> &#8220;We launched a clinical decision support tool without a hallucination guardrail that flagged when the model&#8217;s response had no grounded citation. In month two, a physician flagged a response that confidently cited a drug dosing guideline that didn&#8217;t exist. We caught it before harm, but the near-miss cost us the first enterprise pilot.&#8221;, Series A clinical AI founder, NYC.<\/span><\/p>\n<p><b>Compliance trap:<\/b><span style=\"font-weight: 400;\"> Building a clinical AI scribe that stores audio recordings of patient encounters without a documented retention and deletion policy violates HIPAA minimum necessary requirements. Under \u00a7164.502(b), you may only use and disclose PHI to the minimum extent necessary to accomplish the intended purpose. 
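<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The grounded-citation check the NYC founder above wished they had shipped is a small piece of code. What follows is an added example, not code from the original post or from EngineerBabu: a post-generation guardrail in Python that refuses an answer which cites nothing, cites a source ID that was never in the retrieved context (the non-existent dosing guideline case), uses diagnostic assertion phrasing instead of hedged framing, or states a number such as a dose or interval that appears in none of the sources it cites. Anything refused goes to the human-in-the-loop queue with the reasons instead of to the screen. The [G1] citation format, the retrieved snippet and the answers are constructed for the example, and the numeric check is a cheap heuristic that narrows the hallucination surface, not a substitute for clinical review.<\/span><\/p>

```python
# Added example, not code from the original post. The citation format, the
# retrieved snippets and the sample answers are constructed for the demonstration.
BANNED_ASSERTIONS = ('you have ', 'the patient has ', 'the diagnosis is ')
DISCLAIMER = 'This is not medical advice and does not replace clinical judgment.'


def split_citations(text):
    '''Return (citation ids written as [ID], the text with those tags removed).'''
    cites, plain, i = [], '', 0
    while True:
        start = text.find('[', i)
        end = text.find(']', start) if start >= 0 else -1
        if start < 0 or end < 0:
            return cites, plain + text[i:]
        cites.append(text[start + 1:end].strip())
        plain += text[i:start]
        i = end + 1


def numbers_in(text):
    '''Numeric tokens (doses, intervals, thresholds) mentioned in the text.'''
    tokens, cur = [], ''
    for ch in text:
        if ch.isdigit() or (ch == '.' and cur and cur[-1].isdigit()):
            cur += ch
        else:
            if cur:
                tokens.append(cur.rstrip('.'))
            cur = ''
    if cur:
        tokens.append(cur.rstrip('.'))
    return tokens


def guard_clinical_output(answer, retrieved):
    '''retrieved maps citation id -> the snippet that was actually given to the model.'''
    cites, plain = split_citations(answer)
    problems = []
    if not cites:
        problems.append('no citation: the answer is not grounded in retrieved context')
    unknown = [c for c in cites if c not in retrieved]
    if unknown:
        problems.append('cites sources that were never retrieved: ' + ', '.join(unknown))
    lowered = plain.lower()
    for phrase in BANNED_ASSERTIONS:
        if phrase in lowered:
            problems.append('diagnostic assertion instead of hedged framing: ' + phrase.strip())
    # Every number in the answer must occur in at least one cited, known source.
    supported = set()
    for c in cites:
        if c in retrieved:
            supported.update(numbers_in(retrieved[c]))
    unsupported = [n for n in numbers_in(plain) if n not in supported]
    if unsupported:
        problems.append('numbers not present in any cited source: ' + ', '.join(unsupported))
    if problems:
        # Never shown to the user; routed to the human-in-the-loop queue with reasons.
        return {'status': 'escalate', 'problems': problems, 'text': None}
    return {'status': 'ok', 'problems': [], 'text': answer + ' ' + DISCLAIMER}
```

<p><span style=\"font-weight: 400;\">Wire it between the model call and the UI, and log every escalation with the prompt, the retrieved context and the problems list; that record is both evidence for your risk assessment and the dataset you will need to tune the hedging and citation instructions in the prompt.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">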
Define your audio retention policy before you build the storage layer.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-22936\" src=\"https:\/\/engineerbabu.com\/blog\/wp-content\/uploads\/2026\/05\/img6_llm_decision_tree.png\" alt=\"\" width=\"1800\" height=\"1338\" title=\"\"><\/p>\n<h2><b>The Contract &amp; IP Stack for US Healthcare Founders\u00a0<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">This is the section most Indian agencies skip. I&#8217;m going to give it to you straight.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Master Services Agreement (MSA):<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Governed by Delaware law. Dispute resolution by AAA or JAMS arbitration in Delaware, not Indian courts, not Indian arbitration. US healthcare founders need to be able to enforce their contracts in a US jurisdiction without a 3-year international legal process. Every EngineerBabu MSA with a US client is Delaware-governed.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Business Associate Agreement (BAA):<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Signed in Week 2 of every healthcare engagement, before any ePHI is shared or processed. The BAA specifies: permitted uses and disclosures of PHI, safeguards we implement, breach notification obligations (we notify you within 24 hours of discovering a suspected breach; \u00a7164.410 gives a Business Associate up to 60 days from discovery, but where the Business Associate acts as your agent, our discovery date starts your own 60-day clock to notify affected individuals under \u00a7164.404, so every day a vendor sits on it is a day you lose), and sub-processor obligations.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>IP Assignment on Creation:<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">All intellectual property (code, architecture documents, design assets, data models) is assigned to you on creation, not on final payment. You own the work as it is built. We don&#8217;t hold IP hostage to payment disputes. This is in the MSA. 
Read it before you sign.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Source Code and Infrastructure Access from Day 1:<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">You have access to the source code repository and the cloud infrastructure from Day 1 of the engagement. Not at handover. Day 1. If an agency tells you they&#8217;ll give you access to the repo &#8220;when the project is complete,&#8221; walk away. That is a leverage mechanism, not a delivery model.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Statement of Work (SOW):<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Every feature, every compliance deliverable, every handover artifact is listed in the SOW. If it&#8217;s not in the SOW, it&#8217;s not in scope. We are explicit about this because scope clarity is the single biggest predictor of a healthy engagement. Founders who sign vague SOWs get vague products.<\/span><\/p>\n<p><b>The EB Handover Protocol:<\/b><span style=\"font-weight: 400;\"> Every regulated healthcare engagement ends with this package: HIPAA risk assessment (final, as-built), system security plan, data flow diagrams with ePHI annotated, audit log specifications, incident response runbook, BAA registry (every sub-processor with BAA status), vendor sub-processor list, penetration test report, SOC 2 readiness summary. Delivered in Week 14 (or final sprint week). Not promised. Delivered.<\/span><\/p>\n<p><b>Red flag:<\/b><span style=\"font-weight: 400;\"> Any agency that does not offer a BAA, or that offers a BAA &#8220;once we&#8217;ve confirmed the scope,&#8221; is not structured to be a Business Associate under HIPAA. They are either ignorant of their obligations or deliberately deferring them. Either way: walk away.<\/span><\/p>\n<h2><b>Post-Launch: SOC 2, Scaling, and Graduating to In-House\u00a0<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Launch is not the finish line for a regulated healthcare product. 
It is the start of the compliance operations phase.<\/span><\/p>\n<h3><b>The 6-month post-launch playbook:<\/b><\/h3>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Month 1:<\/b><span style=\"font-weight: 400;\"> Compliance automation platform live (Vanta, Drata, or Secureframe). Policies written and signed by your leadership. SOC 2 Type II audit clock started: the observation period begins now. Auditors will issue a Type II on a window as short as 3 months, but enterprise buyers generally expect 6 to 12 months of evidence, so plan on at least 6.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Month 2\u20133:<\/b><span style=\"font-weight: 400;\"> First internal access review (quarterly cadence). Audit log review. Vendor sub-processor list reviewed and updated. Any new third-party service that touches ePHI gets a BAA before it goes live, not after. Penetration test finding remediations verified.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Month 4:<\/b><span style=\"font-weight: 400;\"> SOC 2 readiness assessment with your compliance automation platform. Gap analysis against the Trust Services Criteria. Remediate gaps before the auditor engages.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Month 5:<\/b><span style=\"font-weight: 400;\"> Auditor engaged. We recommend A-LIGN, Schellman, or Prescient Assurance for early-stage healthcare companies. Budget 8\u201312 weeks for the audit process itself. Budget $45K\u2013$95K for the audit fee.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Month 6:<\/b><span style=\"font-weight: 400;\"> First enterprise payer or health system pilot, now you have a SOC 2 Type I (point-in-time) report to show in procurement. 
SOC 2 Type II (observation period) report follows at month 12 of operations minimum.<\/span><\/li>\n<\/ul>\n<h3><b>When to hire your first in-house compliance role:<\/b><\/h3>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">You are approaching 10,000 active patients<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">You are entering a payer or large health system contract<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">You are starting your Series B fundraise<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Your SOC 2 Type II report is due for renewal<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">The first in-house hire is typically a VP of Engineering or Head of Security and Compliance, not a CISO. The CISO comes at Series B+. Before that, a fractional CISO ($4K\u2013$10K\/month) and a compliance automation platform cover most of the operational need.<\/span><\/p>\n<p><b>The graduation plan:<\/b><span style=\"font-weight: 400;\"> We build every engagement with the explicit goal of making ourselves replaceable. By month 12 of a dedicated pod engagement, you should have enough internal engineering knowledge, through co-documentation, architecture decision records, and our weekly knowledge transfer sessions, to hire your first in-house engineers with confidence. We do not make ourselves the single point of knowledge on your product. 
That is a trap for you, and a trap we won&#8217;t set.<\/span><\/p>\n<h2><b>When an Indian Agency Is the Wrong Call for Your Healthcare Product<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">I am going to give you 150 honest words here, because you deserve them before you sign anything.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">An Indian product engineering partner is the wrong call if: your product requires FedRAMP High or CJIS authorization from Day 1, these US government security frameworks require US-person handling of certain data that creates compliance gaps with an offshore team.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">If your product is so deeply PHI-adjacent that even architectural conversations need to happen with US-based, BAA-covered staff on a cleared basis, certain DoD health programs are in this category.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">If your clinical workflow is so domain-specific that meaningful product decisions require a clinician in the room at 9 AM EST three times a week, and you&#8217;re not willing to fund the US-overlap staffing model to make that work.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">If your founding team will struggle with the 10.5-hour time zone gap on a personal level, not every working style adapts to async-first communication, and founders who need synchronous energy to make decisions will be frustrated.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">None of these are reasons most US healthcare founders face. But if any of them apply to you, I will tell you that on the first call.<\/span><\/p>\n<h2><b>The Agency Selection Scorecard\u2122, Healthcare Regulated Edition<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Use this to evaluate any agency, including us. Score each row 0 (absent), 1 (partial), or 2 (fully present). 
Maximum score: 74 (twelve 2\u00d7 rows at 4 points each, thirteen 1\u00d7 rows at 2 points each).<\/span><\/p>\n<table>\n<tbody>\n<tr>\n<td><b>#<\/b><\/td>\n<td><b>Criterion<\/b><\/td>\n<td><b>Weight<\/b><\/td>\n<td><b>Your Score<\/b><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">1<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Offers BAA signed before ePHI is shared<\/span><\/td>\n<td><span style=\"font-weight: 400;\">2\u00d7<\/span><\/td>\n<td><span style=\"font-weight: 400;\">\/4<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">2<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Named HIPAA Security Rule compliance lead on the team<\/span><\/td>\n<td><span style=\"font-weight: 400;\">2\u00d7<\/span><\/td>\n<td><span style=\"font-weight: 400;\">\/4<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">3<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Uses only HIPAA-eligible AWS\/GCP services (confirmed list)<\/span><\/td>\n<td><span style=\"font-weight: 400;\">2\u00d7<\/span><\/td>\n<td><span style=\"font-weight: 400;\">\/4<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">4<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Provides ePHI data classification map in discovery<\/span><\/td>\n<td><span style=\"font-weight: 400;\">2\u00d7<\/span><\/td>\n<td><span style=\"font-weight: 400;\">\/4<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">5<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Audit log architecture immutable, append-only, 6+ year retention<\/span><\/td>\n<td><span style=\"font-weight: 400;\">2\u00d7<\/span><\/td>\n<td><span style=\"font-weight: 400;\">\/4<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">6<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Penetration testing by third-party firm included or facilitated<\/span><\/td>\n<td><span style=\"font-weight: 400;\">1\u00d7<\/span><\/td>\n<td><span style=\"font-weight: 400;\">\/2<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 
400;\">7<\/span><\/td>\n<td><span style=\"font-weight: 400;\">SOC 2 Type II readiness built into architecture from Day 1<\/span><\/td>\n<td><span style=\"font-weight: 400;\">2\u00d7<\/span><\/td>\n<td><span style=\"font-weight: 400;\">\/4<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">8<\/span><\/td>\n<td><span style=\"font-weight: 400;\">FHIR R4 live integration experience (not just spec knowledge)<\/span><\/td>\n<td><span style=\"font-weight: 400;\">1\u00d7<\/span><\/td>\n<td><span style=\"font-weight: 400;\">\/2<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">9<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Named EHR integration experience (Epic, Cerner, Athena)<\/span><\/td>\n<td><span style=\"font-weight: 400;\">1\u00d7<\/span><\/td>\n<td><span style=\"font-weight: 400;\">\/2<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">10<\/span><\/td>\n<td><span style=\"font-weight: 400;\">BAA coverage confirmed for every sub-processor in the stack<\/span><\/td>\n<td><span style=\"font-weight: 400;\">2\u00d7<\/span><\/td>\n<td><span style=\"font-weight: 400;\">\/4<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">11<\/span><\/td>\n<td><span style=\"font-weight: 400;\">IP assigned on creation (not on final payment)<\/span><\/td>\n<td><span style=\"font-weight: 400;\">2\u00d7<\/span><\/td>\n<td><span style=\"font-weight: 400;\">\/4<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">12<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Source code and infra access from Day 1<\/span><\/td>\n<td><span style=\"font-weight: 400;\">2\u00d7<\/span><\/td>\n<td><span style=\"font-weight: 400;\">\/4<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">13<\/span><\/td>\n<td><span style=\"font-weight: 400;\">MSA governed by US law (Delaware or state of choice)<\/span><\/td>\n<td><span style=\"font-weight: 400;\">2\u00d7<\/span><\/td>\n<td><span style=\"font-weight: 
400;\">\/4<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">14<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Incident response runbook delivered at handover<\/span><\/td>\n<td><span style=\"font-weight: 400;\">1\u00d7<\/span><\/td>\n<td><span style=\"font-weight: 400;\">\/2<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">15<\/span><\/td>\n<td><span style=\"font-weight: 400;\">HIPAA risk assessment delivered at handover<\/span><\/td>\n<td><span style=\"font-weight: 400;\">2\u00d7<\/span><\/td>\n<td><span style=\"font-weight: 400;\">\/4<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">16<\/span><\/td>\n<td><span style=\"font-weight: 400;\">LLM-under-BAA decision tree documented<\/span><\/td>\n<td><span style=\"font-weight: 400;\">1\u00d7<\/span><\/td>\n<td><span style=\"font-weight: 400;\">\/2<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">17<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Telehealth licensure guidance provided (state-by-state)<\/span><\/td>\n<td><span style=\"font-weight: 400;\">1\u00d7<\/span><\/td>\n<td><span style=\"font-weight: 400;\">\/2<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">18<\/span><\/td>\n<td><span style=\"font-weight: 400;\">42 CFR Part 2 awareness (substance use disorder records)<\/span><\/td>\n<td><span style=\"font-weight: 400;\">1\u00d7<\/span><\/td>\n<td><span style=\"font-weight: 400;\">\/2<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">19<\/span><\/td>\n<td><span style=\"font-weight: 400;\">US founder references available (healthcare-specific)<\/span><\/td>\n<td><span style=\"font-weight: 400;\">1\u00d7<\/span><\/td>\n<td><span style=\"font-weight: 400;\">\/2<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">20<\/span><\/td>\n<td><span style=\"font-weight: 400;\">US-overlap window clearly defined and contractually committed<\/span><\/td>\n<td><span style=\"font-weight: 
400;\">1\u00d7<\/span><\/td>\n<td><span style=\"font-weight: 400;\">\/2<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">21<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Named case studies in your sub-vertical<\/span><\/td>\n<td><span style=\"font-weight: 400;\">1\u00d7<\/span><\/td>\n<td><span style=\"font-weight: 400;\">\/2<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">22<\/span><\/td>\n<td><span style=\"font-weight: 400;\">FDA SaMD pathway awareness<\/span><\/td>\n<td><span style=\"font-weight: 400;\">1\u00d7<\/span><\/td>\n<td><span style=\"font-weight: 400;\">\/2<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">23<\/span><\/td>\n<td><span style=\"font-weight: 400;\">HITRUST CSF experience or partner<\/span><\/td>\n<td><span style=\"font-weight: 400;\">1\u00d7<\/span><\/td>\n<td><span style=\"font-weight: 400;\">\/2<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">24<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Honest &#8220;when we&#8217;re the wrong fit&#8221; statement<\/span><\/td>\n<td><span style=\"font-weight: 400;\">1\u00d7<\/span><\/td>\n<td><span style=\"font-weight: 400;\">\/2<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">25<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Minimum necessary access enforced in UI and API<\/span><\/td>\n<td><span style=\"font-weight: 400;\">2\u00d7<\/span><\/td>\n<td><span style=\"font-weight: 400;\">\/4<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><b>Score interpretation:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">55\u201374: Strong fit for a regulated healthcare build<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">40\u201354: Proceed with due diligence, identify which 2\u00d7 items are missing<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Under 
40: Significant compliance risk, do not proceed without remediation<\/span><\/li>\n<\/ul>\n<p><b>EB Index 2026:<\/b><span style=\"font-weight: 400;\"> EngineerBabu scores 64 on this scorecard. The points we don&#8217;t claim: HITRUST CSF (we have partner relationships but not in-house certification), FDA SaMD pathway (we engage regulatory consultants, we are not regulatory attorneys), and anything touching CJIS\/FedRAMP (genuinely out of scope for us, see &#8220;When an Indian Agency Is the Wrong Call&#8221; above).<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-22937\" src=\"https:\/\/engineerbabu.com\/blog\/wp-content\/uploads\/2026\/05\/img7_scorecard.png\" alt=\"\" width=\"1800\" height=\"507\" title=\"\"><\/p>\n<h2><b>Closing, 30 Minutes, No Slides<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">I&#8217;ve been on 2,000+ calls with US founders over twelve years. The founders who build regulated healthcare products well, who launch on time, who pass their first enterprise procurement review, who raise their Series A with a working product the investor could actually log into, share one trait. They treated compliance as a product constraint from Day 1, not as a problem to solve after launch.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The founders who paid the most, in money, in time, in board goodwill, treated compliance as someone else&#8217;s problem until it became their emergency.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">You don&#8217;t have to be the second kind.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Book a 30-minute product audit call with me or Aditi. No slides. No pitch deck. We look at what you&#8217;re building, we tell you what the HIPAA surface area is, we tell you what it will cost, and we tell you if we&#8217;re the right fit, or if we&#8217;re not.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">That conversation is free. 
The mistakes it prevents are not.<\/span><\/p>\n<h2><b>FAQ about How to Build HIPAA-Compliant Products From India<\/b><\/h2>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Can EngineerBabu sign a Business Associate Agreement?<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Yes. We sign BAAs governed by Delaware law. We are structured as a Business Associate under 45 CFR \u00a7160.103 for engagements where we handle ePHI on behalf of a Covered Entity or another Business Associate.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Which AWS services are HIPAA-eligible?<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">The full list is maintained at aws.amazon.com\/compliance\/hipaa-eligible-services-reference. It changes, AWS adds services regularly. We check this list at the start of every healthcare engagement and recheck it before adding any new AWS service to a production healthcare product.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Can I use OpenAI&#8217;s API for a HIPAA-covered clinical product?<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Under an OpenAI Enterprise agreement, OpenAI offers a BAA for the API. Review the BAA scope carefully with your healthcare attorney: which data uses are covered, and under what conditions, matters. For products where the BAA scope is ambiguous or insufficient, we default to AWS Bedrock (covered under the AWS BAA) or Azure OpenAI with HIPAA mode.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>How long does SOC 2 Type II take?<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">The observation period minimum is 6 months of operating evidence. Add 8\u201312 weeks for the audit process. 
Budget 9\u201315 months from &#8220;we need SOC 2&#8221; to &#8220;we have the Type II report.&#8221; Start the clock at product launch, not at the enterprise sales conversation where the customer asks for it.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>What is the difference between HIPAA and HITRUST?<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">HIPAA is a US federal law. HITRUST CSF is a certification framework that maps to HIPAA (and 40+ other frameworks) and is increasingly required by large health systems and payers as a procurement condition. SOC 2 Type II is table stakes for most enterprise healthcare sales. HITRUST is the bar above that. Budget $80K\u2013$150K for a HITRUST assessment. Most Seed-stage healthcare companies should focus on SOC 2 Type II first.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>How do you handle the 10.5-hour time zone gap?<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Our standard US-overlap window is 7:30\u201310:30 AM PST \/ 10:30 AM\u20131:30 PM EST daily. We run async-first communication, every decision that can be made async is made async, with a written record. Every decision that requires synchronous alignment happens in the overlap window. For Series A+ founders who need more real-time coverage, we staff a US-based client lead. That is a real cost ($4K\u2013$7K\/month) and we quote it upfront.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Do you have experience with Epic SMART on FHIR integrations?<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Yes. We have shipped live Epic integrations through the App Orchard process for two US healthcare clients. The Epic sandbox process, App Orchard certification requirements, and production launch review process are each meaningfully different from simply reading the FHIR R4 spec. 
We will tell you which of our engineers has live Epic experience on the discovery call.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>What happens if there&#8217;s a data breach during the engagement?<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Our BAA commits us to notifying you within 24 hours of discovering a suspected breach, well inside the 60-day window HIPAA&#8217;s Breach Notification Rule (45 CFR \u00a7164.412) gives you to notify affected individuals. We deliver an incident response runbook at handover so your team knows exactly what to do post-launch.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Can you build a SaMD product?<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">We can build the software. The FDA regulatory pathway decision, whether your software qualifies for the clinical decision support exemption under the 21st Century Cures Act or requires a 510(k) or De Novo submission, is a regulatory attorney question, not an engineering question. We have partner relationships with regulatory consultants who specialize in this. We engage them in discovery for any product where SaMD classification is ambiguous.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>What is 42 CFR Part 2 and when does it apply?<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">42 CFR Part 2 is a federal regulation that protects records related to substance use disorder (SUD) treatment with stricter confidentiality requirements than standard HIPAA. It applies any time your product stores or handles records that identify a patient as having received SUD treatment. The consent requirements for disclosure are more stringent than HIPAA, a general authorization is not sufficient. Most agencies miss this. 
We flag it in discovery.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>How do you handle minimum necessary access in the UI?<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Every role in the product&#8217;s access control model is mapped to the minimum data it needs to perform its function, we call this the data access matrix, and it is produced in discovery before any <\/span><a href=\"https:\/\/engineerbabu.com\/services\/ui-ux-design\"><span style=\"font-weight: 400;\">UI\/UX design<\/span><\/a><span style=\"font-weight: 400;\"> begins. The UI enforces that matrix, a billing administrator does not see clinical notes, a care coordinator does not see financial records. This is not just good UX. It is required under \u00a7164.502(b).<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>What do you deliver at handover?<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">HIPAA risk assessment (final, as-built), system security plan, data flow diagrams with ePHI annotated, audit log specifications, incident response runbook, BAA registry with every sub-processor, vendor sub-processor list, penetration test report, SOC 2 readiness summary, and all source code and infrastructure access transferred to you.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In April 2021, I got a message at 11:30 PM IST from a Boston-based digital health founder, Series A, $9M raised, building a chronic care platform for Medicaid populations. She had been working with a self-described &#8220;HIPAA-compliant development agency&#8221; for seven months. Her board meeting was six weeks out. Her CTO had just quit. 
And [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":22941,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1246],"tags":[],"class_list":["post-22929","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-healthtech"],"_links":{"self":[{"href":"https:\/\/engineerbabu.com\/blog\/wp-json\/wp\/v2\/posts\/22929","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/engineerbabu.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/engineerbabu.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/engineerbabu.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/engineerbabu.com\/blog\/wp-json\/wp\/v2\/comments?post=22929"}],"version-history":[{"count":3,"href":"https:\/\/engineerbabu.com\/blog\/wp-json\/wp\/v2\/posts\/22929\/revisions"}],"predecessor-version":[{"id":22942,"href":"https:\/\/engineerbabu.com\/blog\/wp-json\/wp\/v2\/posts\/22929\/revisions\/22942"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/engineerbabu.com\/blog\/wp-json\/wp\/v2\/media\/22941"}],"wp:attachment":[{"href":"https:\/\/engineerbabu.com\/blog\/wp-json\/wp\/v2\/media?parent=22929"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/engineerbabu.com\/blog\/wp-json\/wp\/v2\/categories?post=22929"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/engineerbabu.com\/blog\/wp-json\/wp\/v2\/tags?post=22929"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}