healthtech-advisor

Healthtech Advisor

Strategic frameworks for digital health and healthtech founders, operators, and product leaders. Complements (does not replace) the RA/QM compliance domain. RA/QM covers regulatory and quality management for medical devices; this skill covers business-side strategy for health software companies.
Disclaimer: Frameworks and orientation only. Not legal, regulatory, clinical, or compliance advice. Healthtech businesses need licensed counsel (HIPAA, FDA, fraud-and-abuse), clinical advisors, and qualified RA/QM specialists. Use this skill to organize strategy; engage specialists for binding decisions.

Keywords

healthtech, digital health, HIPAA, PHI, BAA, business associate, covered entity, FDA SaMD, software as medical device, EHR, EMR, FHIR, HL7, telehealth, digital therapeutics, DTx, payor, provider, value-based care, fee-for-service, RPM, remote patient monitoring

Quick Start

10-Minute Scope Check

  1. Write a 1-paragraph description of what your product does and what data it touches
  2. Run: python scripts/phi_scope_checker.py description.txt
  3. Use the output to scope HIPAA exposure and identify whether you're a Business Associate, Covered Entity, neither, or both

Pick a GTM

  1. Read references/gtm_patterns.md
  2. Identify your buyer: payor, provider, employer, individual, pharma, government
  3. Each GTM has a different sales motion, contract length, and economics — pick before committing engineering

Core Workflows

Workflow 1: HIPAA Scope and BAA Strategy

Goal: Determine whether HIPAA applies, in what capacity (Covered Entity, Business Associate, neither), and what BAAs you need with whom.
Steps:
  1. Run PHI scope checker on your product description
  2. Identify: do you handle PHI on behalf of a Covered Entity (you're a BA), are you a CE yourself, or are you handling consumer-generated health data outside HIPAA?
  3. Map BAA requirements: with which Covered Entities you operate as BA, with which subcontractors you operate as BA-of-BA
  4. Engage HIPAA-specialist counsel to review scope before launch
  5. Operationalize: BA-grade hosting, encryption, access controls, audit logs, breach notification process
Time Estimate: 4-8 weeks for first scope and BAA template.

Workflow 2: FDA SaMD Classification

Goal: Determine whether your software is regulated as a medical device by the FDA, and at which classification.
Steps:
  1. Read references/fda_samd_basics.md
  2. Apply the IMDRF risk categorization framework: severity of healthcare situation × significance of information
  3. Determine FDA class (I, II, III) or unregulated wellness category
  4. If regulated: pair with ra-qm-team/fda-compliance/ and ra-qm-team/iec-62304-compliance/ for the implementation work
  5. If unregulated wellness: document why, and avoid claims that would cross into regulated territory
Time Estimate: 4-12 weeks for classification, then RA/QM-driven submission timelines.

Workflow 3: GTM Selection

Goal: Pick the buyer segment and sales motion that matches your product.
Steps:
  1. Read references/gtm_patterns.md
  2. Map your product's value proposition to each buyer's purchase criteria
  3. Recognize the constraints: payor 24-36 month sales cycles, provider IT integration, employer benefits-cycle timing
  4. Pick one primary motion to start; expand later
  5. Build the team that matches the motion — payor sales is different from provider sales is different from D2C
Time Estimate: 4-8 weeks for GTM strategy decision.

Tools

phi_scope_checker.py

Scans a product description for indicators of PHI handling and HIPAA scope. Identifies whether you're likely a Covered Entity, Business Associate, both, or operating outside HIPAA (consumer wellness data).
Usage:
    python scripts/phi_scope_checker.py description.txt
    python scripts/phi_scope_checker.py description.txt --json
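Added illustrative example (not the repository's scripts/phi_scope_checker.py, whose indicator lists and logic are not on this page): a heuristic scanner that does what the tool description and Workflow 1 steps 2-3 outline, scan a description for indicators, infer the likely HIPAA posture, and derive the BAA inventory. The indicator regexes and the three sample descriptions are constructed assumptions.

```python
"""Heuristic PHI/HIPAA scope checker: an added example, not the repository's
scripts/phi_scope_checker.py. Indicator lists and samples are constructed."""
import re

# Indicator families (label -> regex). A hit is a prompt for counsel review,
# never a compliance determination.
INDICATORS = {
    "phi_data": r"\b(PHI|medical records?|diagnos(is|es)|prescriptions?|lab results?)\b",
    "ce_customer": r"\b(hospitals?|health systems?|clinics?|physicians?|providers?|payors?|insurers?|health plans?)\b",
    "on_behalf_of": r"\bon behalf of\b",
    "bills_insurance": r"\b(bill(s|ing)? (insurance|Medicare|Medicaid)|submits? claims)\b",
    "delivers_care": r"\b(our (physicians|clinicians|providers)|telehealth visits?|prescrib(e|es|ing))\b",
    "consumer_only": r"\b(consumer|wellness|fitness|Apple Health|wearables?|self-reported)\b",
    "subcontractors": r"\b(cloud (hosting|providers?)|AWS|GCP|Azure|third[- ]party (vendors?|analytics))\b",
}

def scan(description: str) -> dict:
    """Return each indicator family with the distinct phrases it matched."""
    hits = {}
    for label, pattern in INDICATORS.items():
        found = {m.group(0).lower() for m in re.finditer(pattern, description, re.IGNORECASE)}
        if found:
            hits[label] = sorted(found)
    return hits

def classify(hits: dict) -> dict:
    """Workflow 1 step 2: Covered Entity if you deliver care or bill insurance
    yourself; Business Associate if you handle PHI for Covered Entity customers;
    otherwise outside HIPAA (consumer health data with no CE relationship)."""
    is_ce = "delivers_care" in hits or "bills_insurance" in hits
    is_ba = "phi_data" in hits and ("ce_customer" in hits or "on_behalf_of" in hits)
    posture = ("both" if is_ce and is_ba else "covered_entity" if is_ce
               else "business_associate" if is_ba else "outside_hipaa")
    # Step 3 BAA inventory: upstream with each CE you serve as BA, downstream
    # with each subcontractor that touches PHI (BA-of-BA).
    baas = []
    if is_ba:
        baas.append("upstream: BAA with each Covered Entity customer")
    if (is_ce or is_ba) and "subcontractors" in hits:
        baas.append("downstream: BAA with each subcontractor touching PHI")
    return {"posture": posture, "baa_inventory": baas, "indicators": hits}

# Constructed sample descriptions, one per posture.
SAMPLE_BA = ("We provide a patient-engagement platform for hospitals and clinics. We store "
             "medical records and lab results on behalf of our provider customers, hosted on AWS.")
SAMPLE_CE = ("We run a telehealth service where our physicians see patients in telehealth "
             "visits, prescribe medication and bill insurance for each visit.")
SAMPLE_CONSUMER = ("A consumer wellness app that imports Apple Health steps and sleep data and "
                   "shows fitness trends. No insurance billing and no clinician involvement.")
```

Note that the consumer sample matches only consumer_only indicators, so it lands outside HIPAA even though it holds health data, which is the "context, not data type" point under Best Practices.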

Reference Guides

  • references/hipaa_basics.md — HIPAA scope, Covered Entity vs Business Associate, BAA requirements, common pitfalls
  • references/fda_samd_basics.md — Software as Medical Device classification, IMDRF framework, US vs EU
  • references/gtm_patterns.md — Payor, provider, employer, individual, pharma, government — sales cycles, contract structures, decision criteria
  • references/value_based_care_primer.md — Fee-for-service vs VBC, capitation, shared savings, ACOs, common models

Templates

  • assets/hipaa_scope_template.md — Document template for capturing HIPAA scope decisions and BAA inventory

Best Practices

  • Engage HIPAA counsel before architecture decisions. Same point as in fintech: regulation shapes infrastructure (hosting, encryption, access control, audit logging all follow from the scope decision).
  • Don't claim HIPAA compliance — be HIPAA compliant. Marketing claims attract regulator attention; the actual program protects the company.
  • Don't conflate HIPAA and FDA. They cover different things. HIPAA = data; FDA = device.
  • PHI vs consumer health data. Apple Health data, fitness tracker data, and consumer wellness data are not always PHI. The status depends on context (whether a Covered Entity relationship exists), not on the data type alone.
  • Plan for state laws. California (CMIA), Washington (My Health My Data), and others extend beyond HIPAA. Texas and New York have their own.
  • EHR integrations are slow. Epic, Cerner, and athenahealth integrations take months and require partnership programs. Plan accordingly.

Integration Points

  • ra-qm-team/ — for medical-device-grade compliance work (ISO 13485, MDR, FDA, IEC 62304)
  • legal/ — for BAA / DPA templates and contract review
  • engineering/cs-security-engineer — healthtech security goes beyond standard SaaS
  • business-growth/pricing-strategy — healthtech pricing has unusual constraints (PMPM, capitation, fee-for-service)
  • c-level-advisor/cs-fundraising-advisor — healthtech investor expectations differ from generic SaaS