That’s a comment from 2013, now 9 years ago. Since then, healthcare technology has really changed. Compliance and auditing are pretty standard with easy-to-follow playbooks, and there are plenty of off-the-shelf tools that are HIPAA-compliant as soon as you sign a BAA with them. If you’re in health tech, this is the floor, not a high bar.
That said, there can be a few times when your comment accurately describes what’s going on:
- a non-health-tech vendor needs to comply with a healthcare client’s needs and is navigating HIPAA and HITECH for the first time.
- this is often paired with a situation where the company never refactored their SaaS software past the MVP prototype phase, so they have no logging or controls and effectively need to rebuild their entire system to be security-first; healthcare regulations are just one of the factors they need to consider as they expand the markets they serve.
- a company is concurrently trying to get SOC and/or other certifications. Those get pretty intense.
For situations 1 and 2, that’s when a lot of vendors will explicitly say they aren’t HIPAA compliant and choose not to serve healthcare partners (vendor evaluation in healthtech is a pain in the butt because of that). For situation 3, yes, that’s a pain. My own team went through that and it was a year-long process.
That said, there is an initial upfront cost with regard to documentation. However, what most people complain about are the requirements to retrain all employees semi-annually on data privacy and protection best practices, which kills a full day or two of company productivity.
https://news.ycombinator.com/item?id=6619188