Healthcare · Compliance

DevOps for healthcare startups: what HIPAA actually means for your infrastructure

CloudDrove · 8 min read

HIPAA compliance is an infrastructure configuration problem, not a product you buy. Build it in from the start and it costs about a week of extra setup. Retrofit it later and it costs 3 to 6 months of a senior engineer's time. The price difference is roughly 10x.

TL;DR

  • Decisions made during initial setup are about 10x cheaper than retrofitting.
  • Most healthcare startups trip on the same three things: unencrypted data at rest, missing audit logs, and overly permissive IAM. All preventable.
  • A cloud provider's BAA covers their infrastructure. The other 90% of violations are configuration mistakes on your side.
  • Compliant infrastructure runs 10 to 20% more than non-compliant. A breach costs far more.
[Diagram: Internet → AWS account / VPC → public subnet (load balancer) → private subnet (application with least-privilege IAM) → PHI database, encrypted at rest]

A HIPAA-ready setup: PHI lives in a private subnet with no public ingress, encrypted and reachable only through least-privilege access, with every access logged for six years.

1. Sign the BAA before you deploy

A Business Associate Agreement must be in place before any PHI enters your cloud. Activate it through AWS Artifact, the Google Cloud console, or Azure's Online Service Terms. The classic mistake: run on AWS for six months storing PHI, then realize the BAA was never signed.

2. Encrypt everything, at rest and in transit

Every database, bucket, volume, cache, and backup holding PHI needs AES-256 at rest and TLS 1.2+ in transit. Encryption is not always the default, so enforce it with infrastructure-as-code policies that block unencrypted resources from being created at all.
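As an added example (not CloudDrove's code or any real project's), here is a CI gate in Python over the JSON produced by `terraform show -json`: it fails the pipeline when a planned create or update of an RDS instance, EBS volume or ElastiCache replication group would leave encryption off. The resource types and attribute names are the AWS provider's real arguments; the rule table and the sample plan are constructed for the example.

```python
"""Fail a Terraform plan that would create PHI stores without encryption.

CI usage: terraform show -json plan.out > plan.json && python check_plan.py plan.json
"""
import json
import sys

# Terraform resource type -> attributes that must be true.
# Constructed rule table; the attribute names are the AWS provider's real arguments.
ENCRYPTION_RULES = {
    "aws_db_instance": ["storage_encrypted"],
    "aws_rds_cluster": ["storage_encrypted"],
    "aws_ebs_volume": ["encrypted"],
    "aws_elasticache_replication_group": ["at_rest_encryption_enabled",
                                          "transit_encryption_enabled"],
}


def find_unencrypted(plan: dict) -> list:
    """Return (address, attribute) pairs for planned creates/updates that break a rule."""
    findings = []
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        if "create" not in actions and "update" not in actions:
            continue  # deletes, reads and no-ops cannot introduce unencrypted data
        rules = ENCRYPTION_RULES.get(rc.get("type"))
        if not rules:
            continue
        after = rc["change"].get("after") or {}
        for attr in rules:
            # A missing or null attribute counts as a violation: "not the default" is the trap.
            if after.get(attr) is not True:
                findings.append((rc["address"], attr))
    return findings


# Constructed sample plan in the shape of `terraform show -json`, not a real deployment.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_db_instance.phi", "type": "aws_db_instance",
     "change": {"actions": ["create"], "after": {"storage_encrypted": False}}},
    {"address": "aws_ebs_volume.scratch", "type": "aws_ebs_volume",
     "change": {"actions": ["create"], "after": {"encrypted": True}}},
    {"address": "aws_elasticache_replication_group.sessions",
     "type": "aws_elasticache_replication_group",
     "change": {"actions": ["create"], "after": {"at_rest_encryption_enabled": True}}},
    {"address": "aws_db_instance.old", "type": "aws_db_instance",
     "change": {"actions": ["delete"], "after": None}},
]}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    findings = find_unencrypted(plan)
    for address, attr in findings:
        print(f"BLOCK {address}: {attr} must be true")
    sys.exit(1 if findings else 0)
```

Run it as a required step between `terraform plan` and `terraform apply` so an unencrypted PHI store never reaches the apply stage.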

3. Audit-log everything that touches PHI

You must be able to answer who accessed what PHI, when, and from where. That means CloudTrail or equivalent across all accounts, application-level access logging on PHI endpoints, database audit logging (pgAudit for PostgreSQL), six-year retention, and immutable storage (S3 Object Lock). Most teams have CloudTrail on but lack the application-level logs, so they can't say which patient records were touched.

4. Isolate PHI workloads on the network

Put PHI services in dedicated VPCs or subnets: no direct internet (egress via NAT, ingress via load balancers only), tight security groups, VPC flow logs, and databases in private subnets.

5. Enforce least-privilege identity

SSO with MFA for all engineer access, IAM roles for services (IRSA on EKS, Workload Identity on GKE), database access via IAM auth or a secrets manager with rotation, and Kubernetes RBAC that restricts who can reach the PHI database. No shared credentials, no long-lived access keys.

6. Plan for incidents and breach notification

HIPAA requires a documented incident-response plan and breach notification within 60 days. In practice: a written plan with named responsibilities, alerting on anomalous PHI access, tested containment runbooks, and quarterly tabletop exercises.

What this looks like in practice

An eight-month-old seed healthtech startup came to a hospital security review with an unsigned BAA, RDS encryption disabled, no CloudTrail in the bucket's region, admin IAM for all five engineers, and no application-level access logging. Four weeks of remediation closed every gap. Infrastructure cost rose about 12%, mostly from logging and encryption. They passed the review on the first attempt.

What to avoid

  • Don't buy a "HIPAA-compliant cloud" product as a shortcut. The work is in your configuration.
  • Don't over-scope controls onto non-PHI services.
  • Don't skip the BAA. It is a five-minute activation.
  • Don't build a custom audit-logging framework when CloudTrail, structured logging, and aggregation already do it.

HIPAA vs SOC 2

HIPAA is mandatory if you handle PHI. SOC 2 is voluntary but often required by enterprise buyers. About 60% of the controls overlap, so doing them together is much cheaper than one after the other.

What to do next

A Cloud Infrastructure Assessment includes a compliance gap check across exactly these six areas, with a prioritized plan to close them.
