HIPAA passed in 1996. Most HealthTech startups still treat it like a checkbox they file once and forget. The ones that don't — the ones that treat compliance as an ongoing engineering discipline rather than a legal formality — tend to be the ones that close enterprise health system contracts at Series B. The ones that do treat it as a checkbox tend to find out why that was a mistake during their first enterprise security review.
Why the Compliance Stakes Change Between Series A and Series B
At Series A, you're usually working with smaller healthcare organizations or individual providers. The compliance bar is lower because the deal size is lower.
At Series B, you're targeting health systems, large group practices, and regional networks. These buyers have compliance and security teams. They will run a vendor assessment. They will ask specific questions about your BAA process, your access controls, your audit logging, and your incident response plan. And the answers you give will determine whether the deal closes.
Here are the five compliance mistakes that consistently surface in that transition.
Mistake 1: Treating HIPAA as a One-Time Certification
HIPAA compliance is not a certificate you earn. There is no HIPAA certification. There is no annual audit that, once passed, proves ongoing compliance.
What HIPAA requires is a set of ongoing practices: documented policies, regular risk assessments, employee training, access controls, audit logs, and the ability to demonstrate all of this when asked.
The most common version of this mistake is the company that brought in a consultant at Series A to "get them HIPAA compliant," received a report, and then treated that as done. Meanwhile, engineers have joined, access permissions have expanded, new data flows have been created, and the policies from two years ago no longer reflect the actual system.
A health system's security team won't ask "are you HIPAA compliant?" They'll ask to see your most recent risk assessment, your training completion records, and your breach response policies. If the last risk assessment is dated eighteen months ago and references an architecture that no longer exists, the deal stalls.
What getting this right looks like: a risk assessment cadence (at minimum annually, plus when architecture changes), ongoing employee training with completion tracking, and policies reviewed and updated regularly.
Mistake 2: Signed BAAs That Nobody Enforces
A Business Associate Agreement is the legal contract between a covered entity and a vendor that handles Protected Health Information. Most HealthTech companies at Series A have a BAA template. Many have signed them with their cloud providers, their EHR partners, their analytics vendors.
The mistake is treating a signed BAA as the end of the conversation.
BAAs require that your vendors are actually handling PHI in the way the agreement specifies. If your analytics vendor's BAA says they don't train their models on your patient data but you haven't confirmed how they actually process it, you have a signed contract that doesn't reflect what's happening technically.
This becomes a material problem when an enterprise buyer asks: "Who are all your sub-processors that touch PHI, and what are the terms of those relationships?"
If you have to go look it up, and what you find doesn't match what's actually happening in your data flows, you have a compliance gap — regardless of what the BAA says.
What getting this right looks like: a maintained inventory of all vendors who touch PHI, mapped to their BAAs, with a documented process for reviewing those relationships when your product architecture changes.
Mistake 3: Building Compliance In After the Architecture
This is the most expensive mistake on this list, and the hardest to fix.
HealthTech companies that move fast at the pre-Series A stage often make architecture decisions optimized for speed. Data is stored in ways that make compliance logging hard to retrofit. Access controls are coarse-grained because fine-grained permission systems take time to build. Audit trails are incomplete because they were added after the core system rather than designed in.
By Series B, the system has thousands of users. The architecture is load-bearing. Adding proper audit logging to a system not designed for it means touching every data write path in the codebase. Adding field-level encryption to data stored in plaintext means a migration. Adding proper access controls to a system where most business logic runs under a single privileged service account means a significant engineering project.
These retrofits are expensive. More importantly, they happen at exactly the wrong moment — when your engineering team should be shipping the features your enterprise prospects need to sign.
What getting this right looks like: compliance as a design requirement from the first production system. Specifically: audit logging at the data layer from day one, RBAC built before you have more than a handful of user types, encryption at rest implemented during infrastructure setup.
Mistake 4: Confusing SOC 2 with HIPAA Compliance
SOC 2 and HIPAA are different frameworks with different scopes and different audiences.
SOC 2 demonstrates that your organization has appropriate controls around security, availability, processing integrity, confidentiality, and privacy. It's audited by a third party and results in a report you can share with customers.
HIPAA compliance applies specifically to entities that handle Protected Health Information. It's self-attested — not audited by a third party under normal circumstances — but the attestation needs to be backed by real practices and documentation.
You can have SOC 2 Type II without being HIPAA compliant. You can be genuinely HIPAA compliant without having SOC 2.
Enterprise health system buyers will often ask for both. The mistake is assuming one covers the other.
What getting this right looks like: understanding which of your buyers require what, and building a roadmap that addresses both — typically HIPAA practices first (operational requirements), SOC 2 audit second (sales enablement asset).
Mistake 5: No Documented Incident Response Plan
Under HIPAA's Breach Notification Rule, if PHI is accessed or disclosed without authorization, you have 60 days from discovery to notify affected individuals, HHS, and potentially the media for breaches affecting more than 500 individuals in a state.
Sixty days sounds like a lot. It isn't when you're in the middle of a security incident and your leadership team is disagreeing about whether it constitutes a breach, your engineering team is still investigating scope, and your legal counsel is reviewing notification requirements for the first time.
An incident response plan that has been documented, reviewed by legal, and tested before you need it changes the calculus entirely. Your team knows who declares a breach, who does the technical investigation, who drafts the notification, and who makes the call to HHS.
Most HealthTech companies at Series A don't have this. Health system buyers at Series B will ask for it.
What getting this right looks like: a documented incident response plan covering breach identification, containment, notification requirements, and designated roles. Tested at least once before you have a real incident.
What Compliance-First Development Actually Looks Like
Building a HealthTech product compliance-first doesn't mean slow. It means compliance requirements are part of the technical specification from the beginning — not retrofitted at the end.
Your data model is designed with PHI classification in mind. Your logging is built at the data layer. Your deployment pipeline includes security scanning. Your access control model is designed for the organization structure your enterprise customers will actually have.
> Ontoborn has built production healthcare software — including HealthQRS — with compliance requirements designed into the architecture from day one. If you are evaluating a development partner for a HealthTech product, we can speak to these requirements directly. We have been through enterprise health system security reviews and know what buyers ask for.
It also means that when an enterprise health system sends you their security questionnaire — which runs to 150 questions in the longer versions — you don't need three weeks to answer it. Because you already know the answers.
The compliance gap between where most Series A HealthTech companies are and where Series B enterprise buyers expect them to be is real. But it's also a gap with a clear path through it.
At Ontoborn, we have been the long-term software partner for enterprises, universities, and growing businesses for over a decade. We do not just build and move on. We stay.
If you are looking for a partner — not just a vendor — we would like to talk.
Ontoborn Technologies is a custom software development and maintenance company trusted by enterprises, universities, and growing businesses for over a decade. We build software that lasts — and stay with you after launch.
Ready to talk?
No sales pressure — just an honest conversation about your software.
Talk to Our Team →Ontoborn Technologies — custom software trusted by enterprises, universities, and growing businesses.
Back to All Articles