← All posts
Vertical / ICP-Specific

A Fractional CTO Guide for Healthtech Founders

What healthtech founders specifically need from a fractional CTO — HIPAA, BAAs, AI in regulated workflows, the cost of compliance, and the trade-offs unique to building in healthcare.

Craig Hoffmeyer8 min read

Healthtech founders face a particular flavor of the fractional CTO question. Their version is not just "what does engineering need to look like at this stage" but also "how do I do all of this in an environment where compliance, regulation, and patient safety are not optional and where moving fast can get you sued, fined, or shut down." The standard fractional CTO playbook applies, but it has to be modified in specific ways to work in healthcare.

I have helped healthtech founders at multiple stages and across multiple sub-verticals — clinical workflow, patient-facing, payer/provider operations, and AI-assisted diagnostics — and the pattern of what they actually need is consistent. This article is the version of that pattern I would hand a healthtech founder who is considering a fractional CTO and wants to know what is different about their context.

Where the standard playbook still applies

A lot of the fractional CTO playbook works the same in healthtech as in any other SaaS. The team needs the right roles. The codebase needs the basic disciplines. The roadmap needs to be honest. The cloud bill needs to be audited. The hiring needs to be careful.

If you have read my other articles on the first 30 days of a fractional CTO, the seed-stage stack, or your first three engineering hires, almost all of that advice still applies. Healthtech does not change the fundamentals of building software or running an engineering team.

What healthtech changes is the constraints. Specifically, four areas require dramatically more attention than they would at a generic SaaS startup.

Constraint 1: HIPAA and the BAA chain

If your product touches Protected Health Information (PHI), you are subject to HIPAA. In practice, that means you and every vendor you use that handles PHI need to have a Business Associate Agreement (BAA) signed with you, and you need to be able to prove the chain.

This affects technology choices in a way founders do not always anticipate. You cannot just pick the SaaS tools you like. You can pick the SaaS tools that will sign a BAA. The list is shorter. Here is what that looks like in practice for a typical healthtech stack:

  • Hosting: AWS, GCP, and Azure all sign BAAs for their HIPAA-eligible services. Vercel signs BAAs on enterprise plans. Fly.io's posture has been evolving — verify before committing.
  • Database: Managed Postgres on AWS RDS or GCP Cloud SQL works. Supabase has a HIPAA-compliant tier on their team plan. Neon's posture has also evolved — verify the current state.
  • Auth: Clerk and Auth0/Okta both offer BAAs. WorkOS does as well.
  • Email: Postmark signs BAAs. Some others do not. Verify before sending any email containing PHI.
  • Observability: Datadog signs BAAs on enterprise plans. Sentry has a HIPAA-compliant offering. Be careful about what gets logged — PHI in error messages is a violation.
  • AI APIs: Anthropic and OpenAI have offered BAAs for some plans; verify the specific offering you are on. Do not assume.

A first-week task on every healthtech engagement I take is auditing the BAA chain. Every vendor that touches PHI needs a signed BAA. Any vendor that does not sign a BAA cannot be used for that purpose, even if the product is otherwise great.

The follow-on cost: HIPAA-eligible plans on most of these tools are more expensive than the standard plans. Build it into the budget.

Constraint 2: PHI handling in the codebase

Beyond the vendor BAAs, the codebase itself needs to be careful about PHI. A few rules I install at every engagement:

  • PHI never goes in logs. Loggers strip or mask any field that could contain PHI before writing. This is harder than it sounds because PHI can sneak into logs in unexpected places — error messages, request URLs, stack traces, third-party SDK telemetry.

  • PHI never goes in URLs. URL parameters end up in browser history, server logs, and referer headers. PHI in URL parameters is an exposure even if your own logs are clean.

  • PHI access is audited. Every read and write of PHI by an internal user (employee) is logged with who, when, and what was accessed. This is required by HIPAA's audit controls and also useful for incident response.

  • PHI is encrypted at rest and in transit. Standard practice everywhere, but mandatory in healthtech.

  • PHI is segregated by tenant. Multi-tenant architectures need real isolation, not just a tenant_id column. A bug that lets one tenant see another's data is a HIPAA breach, not just a quality issue.

The discipline these rules require is real. It changes how engineers write code. The fractional CTO's job is to install the discipline early, before the codebase has accumulated 18 months of accidents that have to be fixed retroactively.

Constraint 3: AI in regulated workflows

This is where things get particularly interesting in 2026. Almost every healthtech founder I talk to is building or thinking about building an AI feature. The same general principles from build vs. buy vs. wrap apply, but with three additional considerations.

The model vendor's posture matters more. A foundation model API that offers zero data retention and a BAA is the only option for any feature that processes PHI. Verify the specific contract you are on and the specific data flow. The vendor's marketing page is not the contract.

Quality requirements are higher. A 92% accurate AI feature in a generic SaaS is "ship it and improve." A 92% accurate AI feature in a clinical workflow is potentially dangerous. The acceptable error rate depends on the consequences of errors and on whether a human is in the loop. Build the eval infrastructure that lets you reason about this rigorously. Do not eyeball it.

Regulatory exposure varies. Some AI features are unambiguously inside the FDA's medical device regulations (Software as a Medical Device, SaMD). Others are clearly outside. A lot of features are in a gray zone where the regulatory answer is unclear and depends on intended use, claims made in marketing, and how the output is presented to users. Get specific legal advice early. The cost of getting this wrong includes product recalls, FDA action, and existential lawsuits.

The fractional CTO is not the lawyer for any of this — but is the person who flags the risk early and pushes the founder to get the right legal input before the code calcifies.

Constraint 4: Procurement and security reviews

If you are selling to providers (hospitals, clinics, health systems) or payers (insurance companies), the procurement process is its own beast. Every potential customer will run a security review of you that is more rigorous than what you would see in any other vertical. Common requirements:

  • HIPAA Security Rule compliance evidence
  • HITRUST certification or SOC 2 Type II
  • Penetration test reports from the last 12 months
  • Vendor risk questionnaires (often 100–300 questions)
  • Specific attestations about subcontractors and BAAs
  • Sometimes: a separate security review by the customer's own security team

The cycle time on these reviews can be 3–9 months, even for a startup that is otherwise ready to move quickly. Plan for it. Start the work that produces the artifacts early — security policies, risk assessments, an incident response plan, an asset inventory, and the procurement-friendly version of your security posture documentation.

A fractional CTO who has been through these reviews before is enormously valuable here. The pattern of questions repeats. The answers are mostly the same across customers. If you have a decent answer document built once, the marginal cost of each new customer's review drops dramatically.

What this all means for the team

In a healthtech startup, the engineering team needs at least one person who takes security and compliance seriously. It does not need to be a dedicated security engineer at seed stage — that is overkill — but it cannot be nobody. The fractional CTO often plays this role for the first 12–18 months while the team grows into having their own owner.

What you do need from day one:

  • A clear designation of who is responsible for HIPAA compliance.
  • A written security policy and incident response plan.
  • A vendor management process so new SaaS tools cannot be added without checking BAA status.
  • Quarterly access reviews.
  • A mental model on the team that says "PHI is special" and translates into specific code-level discipline.

Without these, you are building a product that cannot pass an enterprise procurement review and that exposes the company to regulatory risk every day it operates.

What I do specifically for healthtech founders

When I take a healthtech engagement, the first 30 days look slightly different from a generic SaaS engagement. Specifically, the differences are:

  • Day 1–3: BAA chain audit. Inventory every vendor, verify every BAA, identify any gaps. Replace vendors where necessary.
  • Day 4–7: PHI handling audit. Read the code with an eye for places PHI could be leaking — logs, URLs, error tracking, analytics, third-party SDKs. Write tickets for every finding.
  • Day 8–14: Compliance baseline. Install or improve the security baseline (see the startup security baseline) plus the healthtech-specific additions: audit logging, PHI segregation tests, BAA tracking.
  • Day 15–21: Regulatory landscape conversation. Get the founder in front of the right regulatory counsel for their specific product. Understand whether SaMD applies. Make sure marketing claims align with regulatory posture.
  • Day 22–30: Procurement readiness. Start the security artifacts that enterprise customers will ask for. Make sure they exist before the first customer asks.

The rest of the standard playbook continues alongside this. Hiring, roadmap, observability, cost — those still happen. The healthtech-specific work runs in parallel.

Counterpoint: do not let compliance eat the product

A warning. Some healthtech startups become so consumed by compliance that they forget to build the product. The compliance work is necessary, but it is not sufficient — and it should not consume more than 20–30% of engineering capacity at seed stage. If it is consuming more, either the team is over-engineering compliance for the stage, or they have hired for the wrong skills, or they need an outside read.

The right balance is: compliance is a non-negotiable constraint, the product is what wins customers, and the founder's job is to make sure neither one starves the other.

Your next step

If you are a healthtech founder, take 30 minutes this week to inventory your BAA chain. List every vendor that touches PHI. For each one, confirm: is there a signed BAA on file, and is the plan you are on actually a HIPAA-eligible plan? Flag anything you are not sure about. That single exercise has more value than most other security work you can do at this stage.

Where I come in

Healthtech engagements are some of the most rewarding fractional CTO work I do, partly because the constraints are real and partly because the impact of getting it right matters. Book a call if you are building a healthtech product and want a CTO who understands both the engineering and the regulatory shape of the work.

Related reading: SOC 2 for Seed-Stage Startups · The Startup Security Baseline · What Is a Fractional CTO

Building a healthtech startup? Book a call.

Get in touch →