Building a healthtech business

Healthtech is one of the highest-stakes business models on this site: the wins are durable (sticky customers, long contracts, regulatory moat) but the cost of entry is real (compliance overhead, clinical evidence, payer cycles). Building in healthtech without naming which regulatory regime you're in is the single most common founder mistake. This hub covers the actual decisions: HIPAA, SaMD classification, clinical evidence, payer fit, and the cost curve at each gate.

Last updated June 8, 2026

Who this is for

Founders building patient-facing or clinician-facing health products in regulated markets, where the answer to 'is this legal?' meaningfully shapes the roadmap.

What you'll learn

  • HIPAA (US) basics for founders, not lawyers
  • When you're software-as-medical-device (SaMD) — and when you're not
  • Clinical evidence: pilots, IRB-style studies, peer-reviewed publication
  • Payer relationships and the reimbursement question that determines TAM
  • The regulatory cost curve — what each gate actually costs

HIPAA, SaMD, and which regime you're actually in

You're in HIPAA's scope when:

  • You're a Covered Entity (provider, plan, clearinghouse) OR
  • You're a Business Associate of a Covered Entity (you receive Protected Health Information on their behalf)

Many consumer health apps are NOT in HIPAA scope because the patient is the user and there's no clinician relationship. A direct-to-consumer wellness app may be entirely outside HIPAA. The moment a provider's data flows through you, you're a Business Associate.

Practical implications:

  • Sign a BAA (Business Associate Agreement) with every Covered Entity customer
  • All PHI must be encrypted at rest + in transit
  • Access controls + audit logs + breach-notification protocol required (HIPAA Security Rule)
  • Penetration tests + annual risk assessments

Cost: ~$30-150k/year ongoing once you're in scope. A HIPAA-compliant infrastructure provider (Aptible, Datica, AWS with BAA) charges 2-3x standard rates.

Software as Medical Device (SaMD):

  • FDA Class I (low risk): notification, not full clearance. Includes some wellness apps.
  • Class II (moderate risk): 510(k) clearance required. Typical cost: $500k-$2M, 6-18 months.
  • Class III (high risk): PMA (Premarket Approval) — $10M+ and 3-5 years.

Most digital health startups try to stay out of SaMD scope by framing their product as wellness, lifestyle, or workflow rather than diagnosis/treatment. The line is real and FDA-policed. Get regulatory counsel before claiming "tracks blood pressure" vs "monitors hypertension" — those are very different regulatory regimes.

Clinical evidence and the payer question

Clinical evidence is what separates B2B healthtech that gets bought from B2B healthtech that gets demos. The bar:

  • Pilot data (your first 1-3 customers' results, summarised) — table-stakes for any healthtech sales conversation
  • Outcomes study (IRB-style, third-party validated) — required for mid-market provider sales
  • Peer-reviewed publication — required for large health-system sales and payer reimbursement

Building clinical evidence costs time and money. Budget a "research partner" line item — typically an academic medical centre that runs the study in exchange for early access, co-authorship, and ~$50-200k of grant-equivalent payment.

The payer (insurance company) question decides your TAM:

  • Self-pay only (consumer pays directly): TAM is bounded by what consumers will spend. Real, but small.
  • Provider-paid (your customer is the hospital / clinic): TAM is much larger, but procurement cycles are 12-24 months.
  • Payer-reimbursed (insurance pays for the service your product enables): largest TAM, longest sales cycle, requires CPT codes or alternative billing pathways.

Reimbursement pathways:

  • New CPT code application: 2-4 years
  • Existing CPT code mapping: 6-12 months
  • Value-based contracts with health systems / employers: 6-18 months

Healthtech founders who don't decide their payer strategy in year 1 spend year 3 confused about why nobody buys.

The regulatory cost curve

Rough budget gates for a US healthtech startup over 4 years:

Year 1 — Validation ($0-100k regulatory):

  • Wellness positioning, no PHI, no provider customers
  • Legal review of marketing claims ($5-15k)
  • Privacy policy + ToS drafted by a healthtech-aware lawyer ($5-10k)

Year 2 — First provider customers ($100-400k):

  • HIPAA infrastructure (BAA-eligible cloud, encryption, access logs)
  • BAA template + sign with each customer
  • Annual security audit ($15-30k)
  • Pilot study with 1-3 customers ($30-100k)

Year 3 — Scale ($400k-1.5M):

  • SOC 2 Type II audit ($30-80k/yr)
  • HITRUST certification if selling to large health systems ($100-300k initial)
  • First peer-reviewed publication ($50-150k all-in)
  • Regulatory counsel on retainer ($100-300k/yr)

Year 4 — Regulatory clearance OR maturity (variable):

  • 510(k) if SaMD path: $500k-$2M
  • Payer engagement / CPT code work: $200-800k
  • Mature clinical evidence package (multiple studies): $300-700k/yr

Some healthtechs stay in "year 1 / year 2" forever by design — that's a valid strategy. The trap is staying in year 1 budget while making year 4 claims; founders get sued and lose the company.

Step-by-step action plan

Do these, in order

  1. Name your regulatory regime (HIPAA + SaMD class) in writing on day one
  2. Engage healthtech-specialist legal counsel before any product is built
  3. Decide your payer pathway (self-pay / provider-paid / payer-reimbursed) before fundraising
  4. Budget 15-25% of opex for regulatory + compliance through Series B
  5. Build clinical evidence in parallel with the product, not after

Frequently asked questions

Can I avoid HIPAA by not collecting health data?

Yes, technically. But the moment a clinician asks for your product to integrate with their EHR, or a customer wants to share results with their provider, you're back in scope. Plan for HIPAA from day one even if you're not in scope at launch.

How long does FDA 510(k) clearance take?

Median around 6-9 months once the submission is filed; getting to the submission can take 6-18 months of pre-work (testing, documentation, predicate device research). Budget $500k-$2M all-in for a Class II SaMD.

Do I need a Chief Medical Officer?

Not on day one. By year 2 with active clinical customers, a fractional CMO (1-2 days/week, $5-15k/mo) is the norm. Full-time CMO around Series A or first peer-reviewed study.

What's the biggest healthtech founder mistake?

Building first, asking regulatory questions later. The right ordering is: pick the regulatory regime, validate the smallest version, then build. Founders who reverse this often discover their MVP is illegal and lose 6-12 months pivoting.