Having implemented HIPAA compliant software, the technical requirements aren't very difficult. If you're following development best practices, you have 99% of technical requirements covered. The challenge with HIPAA is building process and documentation that demonstrates compliance.
It's particularly challenging at the edges of your engineering org where people tend to use tools that abstract the technical details.
Exactly, as someone who recently helped finish a HITRUST (which focuses on HIPAA compliance) audit, the real work is in proving that the org has policies, procedures and actually follows them.
Technical controls are the easy part. I've often dreamed of some type of way to streamline the policy --> process --> documentation pipeline.
It also requires you to actually think about these problems. As you said, it’s not necessarily hard to do, but if you’re a small startup all these best practices are usually shortcut to get product market fit. If you’re a health care startup, it really slows you down (but for good reason). It also creates criminal/financial reinforcement behind it, something not even Equifax has to be accountable to (which is insane).