Healthtech Advisor
Strategic frameworks for digital health and healthtech founders, operators, and product leaders. Complements (does not replace) the RA/QM compliance domain. RA/QM covers regulatory and quality management for medical devices; this skill covers business-side strategy for health software companies.
Disclaimer: Frameworks and orientation only. Not legal, regulatory, clinical, or compliance advice. Healthtech businesses need licensed counsel (HIPAA, FDA, fraud-and-abuse), clinical advisors, and qualified RA/QM specialists. Use this skill to organize strategy; engage specialists for binding decisions.
Keywords
healthtech, digital health, HIPAA, PHI, BAA, business associate, covered entity, FDA SaMD, software as medical device, EHR, EMR, FHIR, HL7, telehealth, digital therapeutics, DTx, payor, provider, value-based care, fee-for-service, RPM, remote patient monitoring
Quick Start
10-Minute Scope Check
- Write a 1-paragraph description of what your product does and what data it touches
- Run `python scripts/phi_scope_checker.py description.txt`
- Use the output to scope HIPAA exposure and identify whether you're a Business Associate, Covered Entity, neither, or both
Pick a GTM
- Read `references/gtm_patterns.md`
- Identify your buyer: payor, provider, employer, individual, pharma, government
- Each GTM has a different sales motion, contract length, and economics — pick before committing engineering
Core Workflows
Workflow 1: HIPAA Scope and BAA Strategy
Goal: Determine whether HIPAA applies, in what capacity (Covered Entity, Business Associate, neither), and what BAAs you need with whom.
Steps:
- Run PHI scope checker on your product description
- Identify: do you handle PHI on behalf of a Covered Entity (you're a BA), are you a CE yourself, or are you handling consumer-generated health data outside HIPAA?
- Map BAA requirements: with which Covered Entities you operate as BA, with which subcontractors you operate as BA-of-BA
- Engage HIPAA-specialist counsel to review scope before launch
- Operationalize: BA-grade hosting, encryption, access controls, audit logs, breach notification process
Time Estimate: 4-8 weeks for first scope and BAA template.
Workflow 2: FDA SaMD Classification
Goal: Determine whether your software is regulated as a medical device by the FDA, and at which classification.
Steps:
- Read `references/fda_samd_basics.md`
- Apply IMDRF risk categorization framework: severity of healthcare situation × significance of information
- Determine the FDA device class (I, II, or III), or whether the product falls into the unregulated general wellness category
- If regulated: pair with `ra-qm-team/fda-compliance/` and `ra-qm-team/iec-62304-compliance/` for the implementation work
- If unregulated wellness: document why, and avoid claims that would cross into regulated territory
Time Estimate: 4-12 weeks for classification, then RA/QM-driven submission timelines.
Workflow 3: GTM Selection
Goal: Pick the buyer segment and sales motion that matches your product.
Steps:
- Read `references/gtm_patterns.md`
- Map your product's value proposition to each buyer's purchase criteria
- Recognize the constraints: payor 24-36 month sales cycles, provider IT integration, employer benefits-cycle timing
- Pick one primary motion to start; expand later
- Build the team that matches the motion — payor sales is different from provider sales is different from D2C
Time Estimate: 4-8 weeks for GTM strategy decision.
Tools
phi_scope_checker.py
Scans a product description for indicators of PHI handling and HIPAA scope. Identifies whether you're likely a Covered Entity, Business Associate, both, or operating outside HIPAA (consumer wellness data).
```bash
python scripts/phi_scope_checker.py description.txt
python scripts/phi_scope_checker.py description.txt --json
```
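As an added illustration of what a scope check of this kind can and cannot decide (example code written for this page, not the skill's own `scripts/phi_scope_checker.py`): a keyword heuristic that keeps the role question (Covered Entity vs Business Associate vs consumer-only) separate from the identifier question, because identifiers alone do not make data PHI. The phrase lists, the `assess` function and the sample descriptions are constructed assumptions.

```python
"""Illustrative HIPAA-role and PHI-scope heuristic (added example; not the skill's
scripts/phi_scope_checker.py). Phrase lists are constructed assumptions, not legal tests."""
import json
import re
import sys

# Constructed indicator phrases (assumption). A hit suggests a role; it never proves one.
COVERED_ENTITY = ["we are a provider", "we are a clinic", "our clinicians",
                  "we bill insurance", "we submit claims", "we are a health plan"]
BUSINESS_ASSOCIATE = ["on behalf of", "hospital customers", "health system customers",
                      "for providers", "for health plans", "ehr integration", "fhir", "hl7"]
PHI_IDENTIFIERS = ["name", "date of birth", "mrn", "medical record", "diagnosis",
                   "lab result", "prescription", "insurance id", "member id", "ssn"]
CONSUMER_ONLY = ["direct to consumer", "app store", "fitness tracker", "apple health",
                 "self-reported", "no providers", "wellness"]


def _hits(text, phrases):
    # Word-start boundary only, so "lab result" also matches "lab results".
    return [p for p in phrases if re.search(r"\b" + re.escape(p), text)]


def assess(description: str) -> dict:
    """Return the likely HIPAA role plus the evidence that drove the call."""
    text = " ".join(description.lower().split())
    ce, ba = _hits(text, COVERED_ENTITY), _hits(text, BUSINESS_ASSOCIATE)
    ids, consumer = _hits(text, PHI_IDENTIFIERS), _hits(text, CONSUMER_ONLY)
    role = ("both" if ce and ba else "covered_entity" if ce
            else "business_associate" if ba
            else "outside_hipaa_consumer" if consumer else "undetermined")
    # Identifiers alone do not make data PHI; the Covered Entity relationship does.
    phi_likely = bool(ids) and role in ("covered_entity", "business_associate", "both")
    return {"role": role, "phi_likely": phi_likely,
            "needs_baa": role in ("business_associate", "both"),
            "evidence": {"ce": ce, "ba": ba, "identifiers": ids, "consumer": consumer}}


def main(argv):
    with open(argv[1], encoding="utf-8") as fh:
        result = assess(fh.read())
    if "--json" in argv:
        print(json.dumps(result, indent=2))
    else:
        print(f"role={result['role']} phi_likely={result['phi_likely']} "
              f"needs_baa={result['needs_baa']}")


if __name__ == "__main__":
    main(sys.argv)
```

The `evidence` field is the useful part for counsel review: it shows which phrases drove the call, so a wrong hit is easy to spot and the result is never treated as a determination.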
Reference Guides
- `references/hipaa_basics.md`: HIPAA scope, Covered Entity vs Business Associate, BAA requirements, common pitfalls
- `references/fda_samd_basics.md`: Software as Medical Device classification, IMDRF framework, US vs EU
- `references/gtm_patterns.md`: buyer segments (payor, provider, employer, individual, pharma, government) with their sales cycles, contract structures, and decision criteria
- `references/value_based_care_primer.md`: fee-for-service vs VBC, capitation, shared savings, ACOs, common models
Templates
- `assets/hipaa_scope_template.md`: document template for capturing HIPAA scope decisions and BAA inventory
Best Practices
- Engage HIPAA counsel before architecture decisions. Same point as in fintech: regulation shapes infrastructure.
- Don't claim HIPAA compliance — be HIPAA compliant. Marketing claims attract regulator attention; the actual program protects the company.
- Don't conflate HIPAA and FDA. They cover different things. HIPAA = data; FDA = device.
- PHI vs consumer health data. Apple Health data, fitness tracker data, and consumer wellness data are not always PHI. The status depends on context (Covered Entity relationship), not the data type alone.
- Plan for state laws. California (CMIA), Washington (My Health My Data), and others extend beyond HIPAA; Texas and New York have their own.
- EHR integrations are slow. Epic, Cerner, athenahealth integrations take months and require partnership programs. Plan accordingly.
Integration Points
- for medical-device-grade compliance work (ISO 13485, MDR, FDA, IEC 62304)
- for BAA / DPA templates and contract review
- `engineering/cs-security-engineer`: healthtech security goes beyond standard SaaS
- `business-growth/pricing-strategy`: healthtech pricing has unusual constraints (PMPM, capitation, fee-for-service)
- `c-level-advisor/cs-fundraising-advisor`: healthtech investor expectations differ from generic SaaS