When Your Biggest Customer Requires More Than a Promise
The CEO of a healthtech platform had been chasing a contract with a regional hospital network for seven months. The product — an AI-assisted care coordination platform used by clinical staff — was genuinely differentiated. The hospital loved it. The clinical outcomes data was compelling.
Then the hospital's IT security and compliance team got involved.
The requirements were non-negotiable: SOC 2 Type II, a signed Business Associate Agreement (BAA), documented HIPAA Security Rule compliance, and evidence of annual employee security training. Without all four, the contract — worth $380,000 in year one with multi-year expansion potential — wouldn't move.
The healthtech team had 8 people and no compliance background: a deeply technical founding team that had built a genuinely excellent product while treating compliance as a "post-PMF problem."
PMF had arrived. So had the problem.
The Challenge
Healthcare is the hardest compliance environment we work in. The regulatory surface is broader, the data is more sensitive, and the buyers — hospital security teams and procurement departments — have seen enough vendor breaches to be genuinely skeptical.
The specific situation this team faced:
- PHI (Protected Health Information) flowing through the system without formal data flow documentation. They knew where the data went conceptually. They couldn't demonstrate it to an auditor or a hospital security team.
- No Business Associate Agreements with their vendors. They used AWS, Twilio, SendGrid, Notion, and Intercom. Several processed or could access PHI. None had signed BAAs in place.
- Encryption configuration was inconsistent. Their main application database was encrypted at rest. Their file storage for clinical documents was not.
- Employee security awareness: zero. Eight people had never completed security awareness training. Phishing, social engineering, safe data handling — none of it formalized.
- Audit logging was application-level only. They logged user actions in their product. They had no infrastructure-level audit trail. For a platform touching PHI, this was a critical gap.
- No formal risk assessment. HIPAA requires a documented Security Risk Assessment (SRA). They'd never done one.
The auditor they engaged had a specific concern: given the HIPAA overlay, they estimated 5–7 months for a standard Type II engagement. We proposed a different path — 3 weeks to control implementation, then hand off to the auditor for the observation period.
Our Approach
Healthcare compliance has two parallel tracks that must both be satisfied: the SOC 2 Trust Services Criteria (the auditor's framework) and the HIPAA Security Rule (the regulatory requirement). We ran them in parallel, identifying where the requirements overlapped (most of the technical controls) and where HIPAA added unique requirements beyond SOC 2 (the SRA, BAAs, and specific workforce training).
Days 1–3: Data Flow Mapping + Risk Assessment
Before touching a single configuration, we mapped every data flow that touched PHI:
- Clinical staff input in the web app
- Data processing in their Python/FastAPI backend
- Storage in RDS (PostgreSQL) and S3
- Outbound: Twilio (SMS notifications to patients), SendGrid (email summaries to care managers), and Intercom (support chat — which needed to be explicitly scoped out of PHI touch points)
From the data flow map, we ran a formal Security Risk Assessment — identifying threats, evaluating likelihood and impact, and documenting mitigation controls. This document became the spine of their HIPAA compliance posture.
We also immediately initiated BAA requests with all PHI-adjacent vendors. AWS and Twilio have standard BAA processes; we completed both within 48 hours. SendGrid required a custom BAA — completed by Day 5.
Days 4–10: Technical Control Implementation
Encryption:
- Enabled S3 server-side encryption on all buckets storing clinical documents
- Confirmed RDS encryption settings and verified key management via AWS KMS
- Audited all data in transit — enforced TLS 1.2+ across all endpoints and internal services
Access Control:
- Implemented role-based access control (RBAC) at the application layer — clinical staff, care managers, and admins had distinct permission scopes
- Audited AWS IAM — removed over-permissive roles, enforced MFA on all human IAM users
- Documented access provisioning and de-provisioning procedures
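The application-layer RBAC described above, as an added illustration rather than the team's actual code: roles map to explicit permission scopes, every check is deny-by-default, and each decision is written to an audit trail so that access reviews have evidence. The role names follow the three groups named in the text; the scope strings, the `ROLE_SCOPES` matrix and the two sample endpoints are assumptions for the example. In a FastAPI backend the same `require_scope` logic would normally be wired in as a dependency; it is kept as a plain decorator here so it runs without the framework.

```python
"""Deny-by-default RBAC with an audit trail (added example, assumed scope names)."""
from functools import wraps

# Assumed role-to-scope matrix; not the product's real permission model.
# Admins manage users and read audit logs but are deliberately NOT given
# PHI read access: least privilege means an operator role need not see records.
ROLE_SCOPES = {
    "clinical_staff": {"patient:read", "patient:write_notes"},
    "care_manager":   {"patient:read", "summary:send"},
    "admin":          {"user:manage", "audit:read"},
}

# Append-only list standing in for the application audit log.
AUDIT = []


class AccessDenied(PermissionError):
    """Raised when a caller lacks the scope an operation requires."""


def scopes_for(roles):
    """Union of scopes granted by a user's roles; unknown roles grant nothing."""
    return set().union(*(ROLE_SCOPES.get(r, set()) for r in roles))


def check_access(user, scope):
    """Return True if `user` (dict with 'id' and 'roles') holds `scope`.

    Every decision, allowed or denied, is recorded in AUDIT.
    """
    allowed = scope in scopes_for(user.get("roles", ()))
    AUDIT.append({"user": user["id"], "scope": scope, "allowed": allowed})
    return allowed


def require_scope(scope):
    """Decorator enforcing `scope` on a handler whose first argument is the user."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user, *args, **kwargs):
            if not check_access(user, scope):
                raise AccessDenied(f"{user['id']} lacks scope {scope}")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


@require_scope("patient:read")
def get_patient_record(user, patient_id):
    """Sample PHI-reading endpoint (constructed return value)."""
    return {"patient_id": patient_id, "accessed_by": user["id"]}


@require_scope("user:manage")
def deactivate_user(user, target_id):
    """Sample administrative endpoint (constructed return value)."""
    return {"deactivated": target_id, "by": user["id"]}


if __name__ == "__main__":
    nurse = {"id": "nurse-1", "roles": ["clinical_staff"]}
    admin = {"id": "admin-1", "roles": ["admin"]}
    print(get_patient_record(nurse, "p-42"))
    print(deactivate_user(admin, "nurse-9"))
    try:
        get_patient_record(admin, "p-42")
    except AccessDenied as exc:
        print("denied:", exc)
    print(AUDIT)
```

The denied attempt is as useful to an auditor as the permitted ones: a review of `AUDIT` shows both who reached PHI and who tried to without the scope, which is the kind of record the access-review evidence in the package needs to contain.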
Audit Logging:
- Enabled CloudTrail across all AWS services and regions
- Enabled RDS audit logging — capturing all queries touching PHI tables
- Built a log aggregation pipeline into CloudWatch with 7-year retention (HIPAA requirement)
- Configured alerting for suspicious access patterns (bulk exports, off-hours access, failed authentication spikes)
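The three alerting patterns listed above (bulk exports, off-hours access, failed authentication spikes), expressed as detection rules over CloudTrail-style records. This is an added example and not the pipeline the team deployed; the records are constructed in `build_sample_events()` and carry only the handful of CloudTrail fields the rules read. The bucket name `clinical-documents`, the thresholds, the ten-minute window and the 07:00 to 19:00 UTC business-hours window are all assumptions to tune per environment.

```python
"""Detection rules for PHI access patterns over CloudTrail-like events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

PHI_BUCKETS = {"clinical-documents"}   # assumed bucket holding clinical documents
WINDOW = timedelta(minutes=10)         # sliding window for rate-based rules
BULK_EXPORT_THRESHOLD = 50             # GetObject calls per principal per window
FAILED_LOGIN_THRESHOLD = 5             # failed ConsoleLogin per source IP per window
BUSINESS_HOURS_UTC = (7, 19)           # [start, end) hour of day; UTC assumed


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _principal(event):
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or "unknown"


def _window_counts(events, key_fn, threshold):
    """Group events by key_fn and report keys whose count within any WINDOW reaches threshold."""
    grouped = defaultdict(list)
    for ev in events:
        key = key_fn(ev)
        if key is not None:
            grouped[key].append(_ts(ev))
    hits = {}
    for key, times in grouped.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # two-pointer sliding window
            while t - times[start] > WINDOW:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[key] = max(hits.get(key, 0), count)
    return hits


def detect_bulk_exports(events):
    """Principals reading many objects from a PHI bucket in a short span."""
    def key(ev):
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") != "GetObject":
            return None
        if ev.get("requestParameters", {}).get("bucketName") not in PHI_BUCKETS:
            return None
        return _principal(ev)
    return _window_counts(events, key, BULK_EXPORT_THRESHOLD)


def detect_failed_login_spikes(events):
    """Source IPs with repeated failed console logins."""
    def key(ev):
        if ev.get("eventName") != "ConsoleLogin" or not ev.get("errorMessage"):
            return None
        return ev.get("sourceIPAddress")
    return _window_counts(events, key, FAILED_LOGIN_THRESHOLD)


def detect_off_hours_access(events):
    """Human IAM users with successful activity outside business hours."""
    start, end = BUSINESS_HOURS_UTC
    flagged = set()
    for ev in events:
        if ev.get("userIdentity", {}).get("type") != "IAMUser":
            continue  # service roles run around the clock; only humans are in scope
        if ev.get("errorMessage"):
            continue  # failures are covered by the login-spike rule
        if not (start <= _ts(ev).hour < end):
            flagged.add(_principal(ev))
    return flagged


def run_detections(events):
    """Return one alert string per finding across all three rules."""
    alerts = [f"BULK_EXPORT principal={p} getobject_calls={n}" for p, n in detect_bulk_exports(events).items()]
    alerts += [f"FAILED_LOGIN_SPIKE ip={ip} failures={n}" for ip, n in detect_failed_login_spikes(events).items()]
    alerts += [f"OFF_HOURS_ACCESS principal={p}" for p in sorted(detect_off_hours_access(events))]
    return alerts


def build_sample_events():
    """Constructed CloudTrail-like records (not real output) exercising every rule."""
    base = datetime(2024, 3, 12, 10, 0, tzinfo=timezone.utc)
    fmt = lambda dt: dt.strftime("%Y-%m-%dT%H:%M:%SZ")

    def s3_get(user, when):
        return {"eventTime": fmt(when), "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
                "userIdentity": {"type": "IAMUser", "userName": user}, "sourceIPAddress": "203.0.113.10",
                "requestParameters": {"bucketName": "clinical-documents", "key": f"notes/{user}.pdf"}}

    def failed_login(ip, when):
        return {"eventTime": fmt(when), "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
                "userIdentity": {"type": "IAMUser"}, "sourceIPAddress": ip,
                "errorMessage": "Failed authentication"}

    events = [s3_get("alice", base + timedelta(seconds=5 * i)) for i in range(60)]  # 60 reads in 5 min
    events += [s3_get("bob", base + timedelta(minutes=i)) for i in range(3)]         # normal daytime use
    events.append(s3_get("carol", base.replace(hour=2, minute=15)))                   # 02:15 UTC read
    events += [failed_login("198.51.100.7", base + timedelta(seconds=20 * i)) for i in range(6)]
    events += [failed_login("203.0.113.99", base + timedelta(minutes=i)) for i in range(2)]  # below threshold
    return events


if __name__ == "__main__":
    for alert in run_detections(build_sample_events()):
        print(alert)
```

The same rules translate directly into CloudWatch Logs metric filters and alarms once the events are in the aggregation pipeline; the value of a local, testable version is that the thresholds can be tuned against real traffic before they generate pages, and the rule logic itself becomes part of the evidence that alerting exists.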
Vulnerability Management:
- Ran an initial vulnerability scan of their application using OWASP ZAP
- Remediated 2 medium-severity findings (insecure cookie flags, missing security headers)
- Added dependency scanning to their CI/CD pipeline
Days 11–17: Policy, Training & Workforce Requirements
HIPAA places specific requirements on workforce management that go beyond typical SOC 2 controls.
We delivered:
- HIPAA Security Rule compliance documentation — mapping each required safeguard to their technical and administrative controls
- Employee security awareness training — we built a custom 45-minute training module covering HIPAA basics, phishing, device security, and incident reporting. All 8 employees completed it on Day 14; completion certificates generated for audit evidence.
- Sanction Policy — documenting consequences for PHI mishandling
- Workforce Clearance Procedure — formal process for granting access to PHI systems
- Contingency Plan — backup and disaster recovery procedures specific to PHI systems, with documented RPO/RTO targets and a tested restore procedure
Days 18–21: Evidence Package, BAA Confirmation & Audit Handoff
We compiled the complete evidence package: data flow diagrams, SRA report, BAA copies, training completion records, access reviews, configuration screenshots, and policy documents. We delivered a HIPAA Security Rule checklist with explicit evidence mapping — the document their hospital buyer's compliance team could review directly.
The auditor received the package on Day 21 and confirmed they could begin the observation period immediately.
Timeline
| Week | Focus | Key Deliverables |
|------|-------|------------------|
| Week 1 | Data flow mapping, SRA, BAA execution, encryption + logging | SRA complete, all BAAs signed, PHI encryption confirmed |
| Week 2 | Access control, RBAC, policy writing, vulnerability remediation | 24 policies signed, RBAC deployed, 0 open HIGH vulns |
| Week 3 | Employee training, contingency planning, evidence package | 100% workforce trained, complete evidence package delivered |
Results
- ✅ SOC 2 Type II observation period began on Day 22 of the engagement
- ✅ HIPAA Security Rule compliance documentation accepted by the hospital's compliance team
- ✅ All BAAs signed — AWS, Twilio, SendGrid, and 3 additional vendors
- ✅ $380,000 hospital contract signed — 3 weeks after audit evidence package delivered
- ✅ Zero critical findings in the Type II audit; 1 low-severity finding with documented remediation plan
- ✅ Multi-year expansion contract already in negotiation — compliance posture used as a competitive differentiator with 2 additional hospital systems
- 💰 ROI: Compliance sprint cost recovered in the first month of the hospital contract
The hospital's CISO reviewed their SRA and BAA documentation and called it "the most thorough vendor compliance package we've received from a startup." That language made it into the case for using 100x Engineering in their vendor recommendation to the procurement committee.
Key Learnings
1. Data flow documentation is your first deliverable. In healthcare, you cannot assess risk or implement controls without knowing exactly where PHI lives and moves. This step is non-negotiable — and most startups haven't done it.
2. BAAs are blockers; start them on Day 1. Business Associate Agreements with vendors can take days to weeks depending on the vendor. There is no compliance without them. Initiate every BAA request before you touch anything else.
3. HIPAA and SOC 2 overlap significantly — but not completely. The technical controls map well across both frameworks. The HIPAA-specific additions (SRA, BAAs, sanction policies, workforce training) are the places where most healthtech startups have the biggest gaps.
4. The SRA is not a checkbox. A real Security Risk Assessment is a working document that drives your entire compliance posture. Auditors and hospital security teams can tell when it's a template fill-in versus a genuine risk exercise. Do it for real.
5. Security training must be evidenced. It's not enough to hold a lunch-and-learn and call it training. You need completion records, dated certificates, and documented curricula. Build the paper trail as you go.
6. Compliance is a sales asset in healthcare. Enterprise hospital buyers have been burned by vendor breaches. A strong compliance posture — especially with Type II certification — is a genuine competitive differentiator, not just a procurement checkbox.
100x Engineering runs SOC 2 and HIPAA compliance sprints for healthtech startups. If you're facing a hospital or enterprise healthcare contract requirement, let's talk about your timeline.