If your startup handles health data in the United States — whether you’re building a health-tech product, an HR platform, or a benefits tool — you almost certainly need to comply with HIPAA (Health Insurance Portability and Accountability Act). Getting it wrong can mean civil penalties of up to roughly $2.1 million per year for violations of a single provision (the 2024 inflation-adjusted cap), plus criminal penalties for knowingly obtaining or disclosing PHI in violation of the law.
This guide breaks HIPAA into actionable pieces for startups that don’t have a dedicated compliance team.
What Is HIPAA?
HIPAA is a U.S. federal law enacted in 1996 that sets national standards for protecting sensitive patient health information. For startups, the two most relevant parts are:
- The Privacy Rule — Governs how Protected Health Information (PHI) can be used and disclosed
- The Security Rule — Requires administrative, physical, and technical safeguards for electronic PHI (ePHI)
There’s also the Breach Notification Rule, which requires notification of affected individuals, HHS, and in some cases the media when a breach of unsecured PHI occurs. A business associate that discovers a breach must notify the covered entity it works for, which then makes those notifications unless the BAA assigns the job to the business associate.
What Is Protected Health Information (PHI)?
PHI is individually identifiable health information held or transmitted by a covered entity or business associate, in any form (paper, spoken, or electronic). It includes:
- Names, addresses, dates of birth, Social Security numbers
- Medical records, diagnoses, treatment information
- Health insurance information and claim data
- Any unique identifier linked to health data (medical record numbers, device IDs)
If your system stores, processes, or transmits any combination of identifiable info + health data, you’re handling PHI.
Covered Entities vs Business Associates
Covered entities are health plans, healthcare providers, and healthcare clearinghouses. Business associates are companies that handle PHI on behalf of a covered entity — this is where most startups fall. If a hospital or insurer uses your software and it touches PHI, you’re a business associate.
As a business associate, you must sign a Business Associate Agreement (BAA) with every covered entity you work with (and with any subcontractor that handles PHI for you), and you are directly liable for complying with the Security Rule, the terms of your BAA, and the Privacy Rule provisions that apply to business associates.
HIPAA Compliance Checklist for Startups
1. Determine if HIPAA applies to you
Ask: Does your product store, process, or transmit PHI? If yes — even indirectly — HIPAA applies. Common scenarios: health apps, telehealth platforms, insurance tech, employee benefits tools, and analytics products that process health data.
2. Appoint a Security Officer and Privacy Officer
The Security Rule requires a designated security official and the Privacy Rule a designated privacy official. At a startup, this is often one person (the CTO or a senior engineer). Document who they are and what their responsibilities include.
3. Conduct a risk assessment
The Security Rule requires a thorough risk assessment of all systems that handle ePHI. Identify threats, vulnerabilities, and the likelihood and impact of each. This is the single most important HIPAA requirement — and the one most often cited in enforcement actions.
4. Implement the Security Rule safeguards
The Security Rule has three categories of safeguards:
- Administrative — Risk management policies, workforce training, access management procedures, incident response plans, and BAAs with all vendors
- Physical — Facility access controls, workstation security, device disposal procedures
- Technical — Access controls (unique user IDs, emergency access procedures, automatic logoff), audit controls, integrity controls, person or entity authentication, and transmission security, in practice meaning encryption of ePHI in transit and at rest
5. Encrypt ePHI everywhere
HIPAA labels encryption as “addressable,” which does not mean optional: you must implement it if it is reasonable and appropriate, and otherwise document why not and what equivalent safeguard you use instead. In practice encryption is the standard. Encrypt ePHI at rest (AES-256, preferably an authenticated mode such as AES-GCM) and in transit (TLS 1.2+). There is a second reason to do this: under HHS guidance, PHI encrypted in line with NIST recommendations counts as “secured,” so losing an encrypted laptop or backup is not a reportable breach as long as the key was not compromised. Skipping encryption is almost never worth the risk.
6. Implement access controls and audit logging
Every user accessing ePHI needs a unique identifier; shared accounts make audit trails meaningless. Implement role-based access control, automatic session timeouts, and comprehensive audit logs that record who accessed which PHI record, when, and whether the access was allowed or denied. The log should reference record identifiers rather than copying the PHI itself, and should be protected against tampering. HIPAA does not set an explicit audit-log retention period, but its documentation retention requirement is six years, and keeping logs for at least that long is the usual practice.
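The following is an added illustration of the access-control and audit-logging safeguards described in steps 5 and 6, not code from the original page or from any HIPAA authority. It shows a small PHI access layer with unique user IDs, role-based permissions, an idle-session timeout (the 15-minute value is an assumed policy), and an append-only audit log in which each entry hashes the previous one so that edits or deletions of earlier entries are detectable. The roles, user IDs and record IDs are constructed sample data, and the store holds opaque ciphertext because encryption at rest is left to a library such as an AES-GCM implementation.

```python
"""Minimal PHI access layer: unique user IDs, RBAC, automatic logoff and a
hash-chained audit log. Added example with constructed sample policy and data."""
import hashlib
import json
import time
from dataclasses import dataclass, field

# Constructed example policy: role -> actions permitted on PHI records.
ROLE_PERMISSIONS = {
    "clinician": {"read", "write"},
    "billing": {"read"},
    "support": set(),  # support staff get no PHI access by default
}

# Assumed policy value for automatic logoff (not a HIPAA-mandated number).
SESSION_TIMEOUT_SECONDS = 15 * 60


@dataclass
class Session:
    user_id: str        # unique per person; never a shared account
    role: str
    last_activity: int  # unix seconds of the last authorized action


@dataclass
class AuditLog:
    """Append-only log; each entry commits to the hash of the previous one."""
    entries: list = field(default_factory=list)

    def append(self, user_id, action, record_id, outcome, now):
        prev_hash = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {
            "ts": now,
            "user_id": user_id,
            "action": action,
            "record_id": record_id,  # a reference only, never the PHI itself
            "outcome": outcome,
            "prev_hash": prev_hash,
        }
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append({**body, "hash": digest})

    def verify(self):
        """Return True if no entry was altered, removed or reordered."""
        prev_hash = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev_hash"] != prev_hash:
                return False
            recomputed = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if recomputed != entry["hash"]:
                return False
            prev_hash = entry["hash"]
        return True


class PhiStore:
    def __init__(self, log):
        self.records = {}  # record_id -> ciphertext; plaintext never lives here
        self.log = log

    def access(self, session, action, record_id, now=None):
        """Every attempt is logged, including denied ones."""
        now = int(time.time()) if now is None else now
        # Automatic logoff: a stale session is rejected before anything else.
        if now - session.last_activity > SESSION_TIMEOUT_SECONDS:
            self.log.append(session.user_id, action, record_id, "denied:session_expired", now)
            raise PermissionError("session expired")
        if action not in ROLE_PERMISSIONS.get(session.role, set()):
            self.log.append(session.user_id, action, record_id, "denied:role", now)
            raise PermissionError(f"role {session.role} may not {action}")
        session.last_activity = now
        self.log.append(session.user_id, action, record_id, "allowed", now)
        return self.records.get(record_id)


if __name__ == "__main__":
    log = AuditLog()
    store = PhiStore(log)
    store.records["mrn-1"] = b"<ciphertext>"  # constructed sample record
    store.access(Session("u-100", "clinician", 1000), "read", "mrn-1", now=1100)
    try:
        store.access(Session("u-200", "support", 1000), "read", "mrn-1", now=1100)
    except PermissionError as exc:
        print("denied:", exc)
    print("log intact:", log.verify())
```

In a real deployment the log would be shipped to write-once storage outside the application’s own database, and the chain head hash periodically anchored somewhere the application cannot modify, so that an attacker with database access cannot simply rewrite the whole chain.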
7. Sign BAAs with all vendors
Every cloud provider, hosting service, email platform, or analytics tool that could access PHI needs a BAA. Major providers (AWS, GCP, Azure) offer BAAs, but they cover only the services the provider designates as HIPAA-eligible, and only when you configure them as the provider’s terms require, so check the service list before putting PHI in a new managed service. Be careful with smaller tools — if they won’t sign a BAA, they can’t touch PHI.
8. Train your workforce
All employees who handle PHI must receive HIPAA training. Cover: what PHI is, how to handle it, how to report incidents, and what the consequences of violations are. Document all training sessions with dates and attendees.
9. Build a breach response plan
If a breach of unsecured PHI occurs, the clock starts when the breach is discovered (or should reasonably have been discovered), and:
- Affected individuals must be notified without unreasonable delay and no later than 60 calendar days after discovery
- HHS must be notified within that same 60-day window if 500 or more individuals are affected; smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year
- Prominent media outlets must be notified if more than 500 residents of a single state or jurisdiction are affected
As a business associate, your obligation is to notify the covered entity without unreasonable delay and within 60 days of discovery, unless your BAA makes you responsible for the notifications above. Document your response process before you need it.
10. Document everything
HIPAA requires that policies, procedures, and compliance records be retained for six years. Use a tool like Complara to track each requirement, attach evidence, and maintain a continuous compliance record.
Frequently Asked Questions
Does HIPAA apply to apps that collect fitness data?
Generally no — unless the app is used by or on behalf of a covered entity. Pure consumer fitness apps (like step trackers) typically fall outside HIPAA. However, if a healthcare provider prescribes your app or it integrates with EHR systems, HIPAA likely applies.
What’s the penalty for HIPAA violations?
Civil penalties are tiered by culpability: as of the 2024 inflation adjustment they start at $141 per violation for the lowest tier and are capped at $2,134,831 per calendar year for all violations of the same provision. The HHS Office for Civil Rights (OCR) enforces HIPAA and has reached settlements exceeding $10 million for major breaches.
How does HIPAA relate to SOC 2?
SOC 2 and HIPAA overlap significantly in security controls. A SOC 2 Type II report covering the Security and Availability criteria provides evidence for many HIPAA Security Rule requirements, and many healthcare customers request both. Note that there is no official HIPAA certification, so a SOC 2 report supports, but does not replace, your own risk assessment and documented HIPAA program.