
It's a weird topic. I always laugh about how "difficult" HIPAA compliance is often portrayed as in online forums. It's a reminder to me of how important due diligence is. Of the various regulatory regimes, HIPAA is not particularly challenging, and if it is, I'd be concerned with doing business with the entity in other contexts.


What I laugh about is that more than once I have had to explain HIPAA to my corp lawyer. I've had actual discussions where the lawyers proposed an immense amount of work, followed by me explaining that our work doesn't fall into the scope of HIPAA and therefore we do not need to comply with it or get any certification or sign a BAA at all. "But... but... we should comply anyway just to be on the safe side!"


Few things are more annoying than a lazy attorney prioritizing personal CYA vs representing the client or employer.

My favorite example is a clown who decided when I was on vacation that we should “voluntarily comply” with IRS 1075 guidelines, in a context that had absolutely nothing to do with the IRS.

The motivation was to literally reuse work done for another, unrelated client and protect.


We totally understand! We value complete transparency at Delve. If a startup doesn't need compliance (i.e. they fall under the Safe Harbor Provision or are consumer-facing without a connection to a Covered Entity), we'll tell them upfront. We value building honest relationships with founders.
