Two Chairs’ Journey to a HIPAA Compliant Growth Stack
I didn’t know this when I got started, but setting up a HIPAA compliant tech stack at a digital health startup requires more than just a BAA.
Scotty Abramson, Two Chairs
Digital health companies are at a crossroads as they scale from nascent startups to institutionally backed growth rocketships. How do they move fast like any data-driven, growth-focused startup while also staying HIPAA compliant?
To help pass along some valuable learnings and lessons, we sat down with Two Chairs’ Director of Growth Scotty Abramson to learn more about his company's journey to a HIPAA compliant tech stack.
Read on for a summary of what Scotty shared with us. Want the deeper dive? You can listen to the entire Two Chairs’ story here.
The Journey to a CDP
The backbone of any customer-focused tech stack is capturing data and sending it to the business tools that drive product decisions and go-to-market campaigns. So, we first wanted to hear from Scotty how he came to the realization that Two Chairs needed a Customer Data Platform to manage that.
I think a lot of people wind up realizing that they need a CDP or want something like a CDP as the number of destinations that they're sending data to and the number of events they’re tracking start to grow.
Growth-focused companies want to be able to enable destinations to increase their visibility and understanding of their users’ and customers’ journey.
And it just becomes like you're sending the same information to three different places with three different pieces of code, and it all starts to build and become pretty complex. And there's this question of, wait, why can't I just kind of have one consistent event schema and then send all of that different stuff to the different destinations that I want to?
And if you have asked yourself that question, you've kind of begun to stumble onto one of the core use cases of a CDP.
But What Happens When PHI is Involved?
Two Chairs was dealing with the challenge of a growing number of customer events and destinations to send their data to, but Scotty realized that for a growth-focused healthcare company the solution was going to be a bit more complicated, given the PHI in their customer data.
This layer that you have on your website, on your web app, connected to your server that's kind of helping you send events to different destinations. There's going to be a significant amount of PHI in those events, so that third party that you choose to engage with, you're going to want to feel really, really good about the security and the HIPAA compliance of a vendor, and that they're willing to sign a BAA.
And in this process, what's going to happen is you'll probably begin to think about all the destinations that maybe you already have enabled or would like to enable but you're not feeling great about the compliance of.
And this is when we start to face the reality of what is considered PHI: device identifiers and serial numbers. Oh man, internet protocol addresses, IP addresses. Every tool I know basically collects IP addresses. And you're like, "Okay, cool." So even if we get a CDP that's willing to sign a BAA, we're still going to need to manage all of the data that goes to our various third party vendors. And not only do we not have a BAA with certain platforms, they won't even sign one.
On analytics platforms, some will, but only without redlines plus tens of thousands of dollars in additional annual contract costs. So you're kind of in this weird place where you're like, "Okay, great. Just because my CDP is covered and I feel good about the data there, if I'm then passing that data onto other platforms that aren't covered, I'm in violation of HIPAA. And so what now?"
The “Aha” Moment
There are certainly options for how a growth-focused digital health startup can handle PHI in their analytics:
- You can stop using destinations that collect sensitive data by default.
- You can sign BAAs with all of those destinations that collect PHI. That’s either going to be very expensive or those vendors won’t even sign one in the first place.
- You can build and manage multiple data pipes (one for HIPAA compliant and one for non-HIPAA compliant destinations) but that’s going to be an engineering burden equivalent to one full time developer.
- You can just be in violation of HIPAA.
This is where Scotty said he had his “aha” moment: when he realized he was going to need more than just a BAA.
So not only are you going to need a CDP that's willing to sign a BAA, but you're going to need a CDP that's willing to partner with you to build out a feature set that enables your growth stack to be HIPAA compliant, or one that has already built that feature set by working with other healthcare companies.
I can honestly say, I hadn't realized the full implication of all the destinations that we wanted to send our data to and what was going to be necessary to really make sure that our growth stack was genuinely compliant.
Ultimately, I think the biggest learning for me as I went down the path of trying to build a HIPAA compliant growth stack was that when we first started, we couldn't really find any customer data platforms that were willing to sign a BAA. And we kind of, when we started working with Freshpaint and realized that they would, we kind of thought that was the victory. And the lesson was that was just the first inning and that there was a lot of work to come in order to kind of make the whole stack genuinely compliant.
Scotty's "aha" moment helped him realize that in addition to working with a CDP partner that would sign a BAA, he also needed one that could help him actually manage which destinations could receive PHI or not.
Vendor Considerations
Scotty went deep on his research on what tools to bring into his tech stack, so we asked him to share some of those learnings with us.
The first is don't be afraid to sign BAAs. While BAAs can take some time to negotiate and generally apply a higher annual cost, they're really mission critical for certain types of software. And I think notably your CDP and your CRM.
With all the tools that work on the back end that all the destinations are going to need, it really, really, really is going to be super challenging to build the compliance stack without at least your CDP with a BAA.
And then I think the other one for us was CRM. And I think this one is possible to do without, but really just becomes very cumbersome because you can't build any of your audiences and filters within the tool. You have to do it all outside of the tool and then bring it in, which is doable. But if you're trying to move fast, it's just an extra layer of complexity. So, on these two pieces of infrastructure, we were kind of very kind of willing to sign BAAs.
The other thing I'd say is keep it simple. Grow the complexity of your stack over time. When we launched, first launched with Freshpaint, I think we had literally two destinations turned on. And we've kind of grown that over time as we've kind of gotten more comfortable with the features and kind of increased our ability to consume information in a productive way.
What’s the list of vendors Scotty looked at (bold indicates his final choice)?
- CRM: Salesforce, Freshworks, Bittrex, and LeadSquared
- Product Analytics: Mixpanel and Amplitude
- Marketing Automation: Iterable and Braze. Ultimately decided to go with the automation within LeadSquared.
- Customer Data Platform: Freshpaint and Segment
Pushing Towards the Cutting Edge
The final thing we discussed with Scotty was what the cutting edge of customer data looks like for a digital health startup.
What does it look like to be on the cutting edge? I thought I would just plug a HIPAA compliant product analytics with hashed common identifiers. Essentially, it's like when somebody raises their digital hand, it says, "Hey, I'm Scotty." And I've been on some other devices where I've also told you that I'm Scotty. You can merge all of that to have a clear, comprehensive view of the user journey.
The challenge there is, without device IDs or email addresses passed to the product analytics tool, it can be really, really hard to actually realize the power of consolidating this event data across different device IDs.
But this for me is the coolest thing that we have going on with our Freshpaint CDP: when you add identify plus ID hashing, we can actually create these full, complete, really rich user slash client journeys without needing to send any PHI to the destination. And it's been really, really powerful for us to get the complete picture of what our kind of prospective clients, but then also clients, are doing, but keeping their data and their information safe.
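Two of the ideas in this interview are concrete enough to show in code: the "one event schema, separate treatment per destination" pipeline from the options list above (strip identifiers such as IP and device ID for destinations that are not under a BAA, pass the full event to those that are), and the "identify plus ID hashing" pattern Scotty describes here (a keyed hash of the user's identifier so an analytics destination can still stitch one person's journey across devices without ever receiving the raw email). The following is an added example written for this article; it is not Freshpaint's or Two Chairs' code. The destination names, the PHI field list, the hashing key and the sample events are all constructed, and the field list is a subset of the HIPAA identifier categories that commonly appear in web and app events. It goes slightly beyond the text by also scanning nested objects (for example `context.ip`), which is where analytics SDKs usually put the IP address.

```python
"""Toy CDP event router: one event schema, fanned out per destination.

Added example for this article; not Freshpaint's or Two Chairs' code.
Destination names, field list, hashing key and sample events are constructed.
"""
import copy
import hashlib
import hmac

# Identifier fields that commonly show up in analytics events
# (constructed subset of the HIPAA identifier categories).
PHI_FIELDS = {"email", "name", "phone", "ip", "device_id", "dob"}

# Hypothetical destination registry: True means a BAA is signed with the vendor.
DESTINATIONS = {
    "crm": {"baa": True},
    "product_analytics": {"baa": False},
    "ad_platform": {"baa": False},
}


def find_phi(obj, prefix=""):
    """Return sorted dotted paths of PHI fields anywhere in a nested event."""
    found = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            path = f"{prefix}{key}"
            if key in PHI_FIELDS:
                found.append(path)
            else:
                found.extend(find_phi(value, path + "."))
    return sorted(found)


def strip_phi(obj):
    """Deep copy of obj with every PHI field removed, at any nesting depth."""
    if isinstance(obj, dict):
        return {k: strip_phi(v) for k, v in obj.items() if k not in PHI_FIELDS}
    if isinstance(obj, list):
        return [strip_phi(v) for v in obj]
    return obj


class Router:
    def __init__(self, hashing_key: bytes):
        # Secret held server-side by the CDP only; never sent to a destination.
        self._key = hashing_key

    def hash_identifier(self, identifier: str) -> str:
        """Keyed hash (HMAC-SHA256) of a normalized identifier.

        A plain SHA-256 of an email can be reversed by hashing a list of
        candidate addresses; keying it with a server-side secret prevents
        that, while still mapping the same person on every device to one ID.
        """
        normalized = identifier.strip().lower()
        return hmac.new(self._key, normalized.encode(), hashlib.sha256).hexdigest()

    def prepare(self, event: dict, destination: str) -> dict:
        """Return the version of `event` that this destination may receive."""
        if DESTINATIONS[destination]["baa"]:
            return copy.deepcopy(event)        # covered vendor: full event
        out = strip_phi(event)                 # non-covered: drop identifiers
        if "email" in event:                   # ...but keep a stitchable ID
            out["user_id"] = self.hash_identifier(event["email"])
        return out

    def route(self, event: dict) -> dict:
        """Fan one event out to every destination, each with its own copy."""
        return {name: self.prepare(event, name) for name in DESTINATIONS}


# Constructed sample events: an identify call from a phone, then a track call
# from a browser; same person, different device IDs, IPs and email casing.
SAMPLE_EVENTS = [
    {"type": "identify", "email": "Scotty@Example.com", "device_id": "ios-1",
     "context": {"ip": "203.0.113.5"},
     "traits": {"name": "Scotty A.", "plan": "intake"}},
    {"type": "track", "event": "booked_session", "email": "scotty@example.com",
     "device_id": "web-7",
     "context": {"ip": "198.51.100.9", "page": "/book"},
     "properties": {"session_type": "intake"}},
]


if __name__ == "__main__":
    router = Router(b"constructed-secret-key-rotate-me")
    for ev in SAMPLE_EVENTS:
        print("PHI paths found:", find_phi(ev))
        for dest, payload in router.route(ev).items():
            print(f"  -> {dest}: {payload}")
```

Two design points worth noting. The BAA status lives in a registry rather than in code paths, so adding a destination is a configuration decision, which is the "manage which destinations can receive PHI" role Scotty wanted from the CDP. And the hashing key is what makes the `user_id` useful to the analytics tool yet meaningless on its own: the same key on every device yields the same ID, so rotating it splits journeys, and stripping by field name does not catch identifiers typed into free-text properties, so an allow-list of known properties per destination is the stronger production choice.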
If you're an early stage digital health startup looking for a better way to build a HIPAA compliant customer data stack, Freshpaint can help. Sign up and try Freshpaint for free.