Dr. Chris Stock, Managing Director of Medical Affairs at Health2047, speaks with Marilyn Hanzal, JD, Health2047 advisor and policy expert, about key compliance considerations for healthcare startups. This conversation has been edited and condensed for clarity.
Chris Stock: Marilyn, let’s start with the basics. What do founders need to know about HIPAA compliance?
Marilyn Hanzal: First, not every healthcare startup is covered by HIPAA. Founders need to determine if they qualify as a covered entity or a business associate. A common mistake is assuming that because you’re handling health data, you must be HIPAA compliant. The reality is that it depends on whether the data you’re handling are Protected Health Information (PHI) under the law. If you assume compliance is required when it isn’t, you can waste resources implementing unnecessary controls. Conversely, if you fail to comply when required, you open yourself up to regulatory scrutiny and legal risk.
CS: So, step one is understanding if HIPAA applies. What’s next?
MH: The first thing a founder should ask is: ‘What kind of data am I dealing with?’ You need to determine whether it’s PHI, consumer health data, or something else entirely, because each has different rules. HIPAA regulates PHI, but it’s not the only framework governing data privacy. Some health-related information falls under state privacy laws, the Federal Trade Commission (FTC) health breach notification rule, or other regulations entirely. Founders should categorize their data: Who is it about? Where is it coming from? How is it being used? This distinction is critical because different categories of data require different approaches to compliance.
CS: Many startups look for shortcuts to develop policy documentation. Can they use generic policies?
MH: I’ve seen startups take policies from hospitals and just swap out the names. That’s not going to work. Regulators will ask if your policies reflect what you actually do, and if they don’t, it’s worse than having nothing at all. A policy is only effective if it accurately reflects your business’s operations. Copying another company’s policies creates a false sense of security. If regulators or investors ask for your compliance framework and you provide a mismatched template, it signals you don’t truly understand your obligations. Policies should be tailored to your business model, your workflows, and the data you handle.
CS: Let’s talk about best practices. What do founders need to prioritize?
MH: You don’t want to be scrambling to put compliance in place when an investor or partner asks. It’s much easier to build it into your operations from the start. Even if a full-scale compliance program seems excessive at first, having foundational security controls in place from the beginning makes scaling much easier. Simple steps—like encrypting sensitive data, limiting access controls, and ensuring internal policies are documented—can prevent major compliance headaches down the road.
Another important step is engaging legal and compliance experts early on. I know founders often try to minimize costs, but regulatory missteps can be far more expensive than investing in the right expertise upfront. Cybersecurity insurance is also worth considering—it can mitigate financial and legal exposure in the event of a data breach.
CS: What about the term ‘HIPAA-compliant’? Startups hear that a lot.
MH: I always tell founders, just because a vendor says they’re HIPAA-compliant doesn’t mean you are. You have to configure their tools correctly and implement your own policies, or it won’t matter. The correct term is ‘HIPAA-ready.’ That means a product has security controls that allow compliance—but it’s still up to the startup to configure and use those controls properly. For example, cloud service providers like AWS and Microsoft offer HIPAA-ready environments, but if a startup doesn’t implement the required safeguards within those systems, they won’t be compliant. Compliance isn’t about buying a solution; it’s about implementing the right policies and procedures around that solution.
CS: What are some other pitfalls founders should avoid?
MH: One of the biggest mistakes I see is startups assuming they can ‘figure it out later.’ Regulatory compliance isn’t something you can bolt on after launching—it needs to be built into your business strategy from the start. Another mistake is assuming that small-scale operations aren’t subject to regulations. If your product processes even one patient’s PHI, you’re subject to HIPAA. The same goes for certain state laws—many apply regardless of company size.
Another mistake is not training employees adequately. Compliance isn’t just about having policies—it’s about making sure your team understands them and knows how to implement them in daily operations. Regular training sessions can help ensure that everyone is on the same page and prevent accidental violations.
CS: Any final thoughts for founders?
MH: Compliance should be seen as a strategic advantage rather than a burden. Investors, partners, and customers all value companies that take data privacy seriously. Prioritizing compliance from the outset builds trust and credibility, which can be a competitive differentiator in the long run.
Also, don’t be afraid to ask for help. Whether it’s engaging with compliance consultants, using specialized legal services, or working with industry groups, leveraging expertise can make a huge difference. The more proactive you are about compliance, the fewer problems you’ll face down the line.
CS: Great insights, Marilyn. Thanks for your time!