Telemedicine Talks

#60 - Building Compliant Health Tech: Why Compliance Drives Revenue and Growth

Episode Summary

Join hosts Phoebe Gutierrez and Dr. Leo Damasco as they discuss why compliance is crucial from day one in health tech, from certifications like HITRUST and LegitScript to avoiding roadblocks in contracts, funding, and scaling, framing it as a key driver for revenue rather than just regulation.

Episode Notes


What if prioritizing compliance in your health tech startup could unlock contracts, funding, and growth instead of hindering it?

In this episode, Phoebe Gutierrez and Dr. Leo Damasco explain how compliance, often delegated from federal rules to states, contractors, and companies, impacts health tech founders aiming to sell to hospitals, insurers, or consumers. Phoebe emphasizes building around certifications like HITRUST for privacy and security, which can take 7-12 months and involve audits, interviews, and demos, warning that skipping it leads to rework (up to 70% of a product) and lost opportunities.

For telemedicine services selling peptides or GLP-1s, LegitScript certification is essential for Meta ads and Stripe payments, preventing suppression or payment issues. Phoebe highlights that even direct-to-consumer models evolve toward B2B, where HITRUST, SOC 2, FedRAMP, or PCI compliance become mandatory for series funding or government contracts. She advises starting with checklists, mapping workflows early, and understanding buyer contracts to avoid negative optics or pipeline shutdowns, noting offshore dev teams may miss healthcare standards.

They share real-world examples of certification delays and costs, underscoring the need for informed decisions from the MVP stage.

Three Actionable Takeaways:

About the Show:

Telemedicine Talks explores the evolving world of digital health, helping physicians navigate new opportunities, regulatory challenges, and career transitions in telemedicine.

About the Hosts:


Episode Transcription

[00:00:00]

Speaker 1: Hey everyone. Welcome back to another episode of Telemedicine Talks. It is one of your hosts, Phoebe Gutierrez. And we have Dr. Damasco, who is probably in his board shorts at the moment.

Speaker 2: I am, oh my gosh.

Speaker 1: Knew it,

Speaker 2: but I put on a collared shirt. It's the formal wear I have a collar and button down on.

Speaker 1: Yeah. You know, I'll take it as a win. A collared shirt. Shorts. You probably got some flip flops on.

Speaker 2: We don't wear anything in the house.

You're in an Asian household. You should know that. But yes. Aloha.

Speaker 1: Yeah. Well, welcome back. So today we are gonna be talking about a topic that has been kind of bubbling up with a lot of the clients that I'm working with, especially in the health tech space, in the sense of I'm building a product or a tool or an app, or I'm building something for consumers and,

what should I focus on [00:01:00] first when it comes to compliance and why does compliance matter in the beginning? So I am gonna dive into all of those things and try in my best way to explain why I harp so heavily with my health tech founders on the compliance side, not so much from a regulatory sense or even like a legal sense, but from a revenue and growth sense.

Speaker 2: And this is an interesting take, I think. Because being in a lot of startups or seeing a lot of startups in the platforms, right? People are definitely focused on the money side first, right? And so it's gonna be interesting to hear, in that sense, 'cause a lot of times we hear about the regulatory sense, right?

We hear about state laws, so forth and so on. And a lot of these new company leaders, they kind of just brush it off saying, oh, we could kind of scoot by, right? We could get by, we have a low profile, you know, the target's not on us. And as they scale, then [00:02:00] they look back and we're like, oh man, now we gotta worry about that.

Now we have to change our processes. But yeah, no, I'm definitely interested to hear kind of on the money side why it's so important as well.

Speaker 1: Well, I think one thing that I've tried to explain kind of ad nauseum is compliance is always delegated, right? So it starts at the top level. You have your government, which says these are the rules, right?

Like HIPAA and some of the like federal regulations, and then it goes down and they delegate certain things to the states, and then the states delegate those things down to certain contractors, and then it's just so on and so on until it reaches a physician or a company or a consumer.

Right? So the idea is it's this massive chain of, gosh, so many rules and regulations and just building blocks on like how you are supposed to operate. The interesting piece for me is especially in the health tech space everyone is like, well, I'm trying to sell to this avatar.

I'm [00:03:00] trying to sell to this person or this consumer, that's my buyer. I really wanna sell into hospitals, or I really wanna sell direct to consumer, but maybe to insurance plans, or I wanna do all these different things. And that's where it always gets to me. I always go back to, well, you do realize that entering into any sort of agreement, you are going to be met with a contract.

That contract is gonna very much stipulate what you have to comply with, and most likely that company is going to delegate some compliance risk down to you. And you have to meet those. And so for example, like a health system or a health insurance company is never going to give you a value-based care contract if you don't pass their compliance review.

Like it's just not gonna happen. So the idea that you're pitching these programs, even if you get your foot in the door and you get a contract, [00:04:00] they're going to look under the hood, they're going to be asking questions, and you have to prepare yourself for that. I think where it even gets more granular is the more established programs that you are contracting with, they actually delegate their compliance oversight to third party entities.

Leo, have you ever heard of like HITRUST?

Speaker 2: Yeah, absolutely. One of the companies that I'm the med director for is HITRUST certified. It took a year and a half to do so. And everything that we do, straight from tech to processes to money, has to pass HITRUST. Now, do I know what the hell that means? I don't, because our compliance officer takes care of it. But please educate me what that means.

Speaker 1: So I think the interesting thing is everybody comes into healthcare and they're like, look, we have HIPAA privacy safeguards, right? We have a privacy policy, you know, our terms of service, it protects us.

We have a BAA. We can share, you know, [00:05:00] personal data back and forth. HITRUST is gonna come in and go, I wanna review the thousand policies and procedures that say that you comply with all of these things. One thing that most people don't know is, and physicians or any clinician who uses an EHR will know exactly what this is, but every single tool or app or anything in the healthcare space has to have user roles and permissions. Who can view PHI, who can't, who can edit it? Who can delete things? When you're building in health tech, no, all of our employees are getting all the same access. That is a big one where it's like, I imagine you have built a very, very, very complex tool and you don't have user roles and permissioning.

Speaker 2: You're gonna have to go back and map all your different functionality. You're gonna have to figure out how the hell to lock things, how that interacts with all the different functionality. Right. This is funny because that's the specific scenario that [00:06:00] we had to go through two months ago with this company I was talking about.

We were trying to find a way to really just talk amongst each other and talk amongst the providers, but yeah, it took a month and a half and a few thousand dollars a month extra to find a solution that was HITRUST certified.

'Cause again, it was something that we never really thought we needed initially, but then, now that we're HITRUST certified and now needing a new process. Yeah. So that's funny you say that, 'cause that specific scenario.

Speaker 1: Yeah. Well, and I think the interesting piece when you think about it is, that's just one example, right?

So anybody can Google and look at what a HITRUST certification checklist is and what the compliance rules are to get HITRUST certified, build your product around that, incorporate that day one. I'm working with a client right now and my biggest thing is like, I'm really sorry that you [00:07:00] have built this product and you wanted to do compliance last, because now we need to basically rework 70% of it. I'm so sorry, but you are not gonna actually be able to get any contracts and make any money like you have in your business plan and your strategy because you're missing these foundational elements.

Mainly the certification. So to your point, Leo, what's gonna happen is you are going to have legal teams that just go, we can only contract people that are HITRUST certified. Right? And that is one certification of many that is layered into these contractual discussions and these contractual, you know, kind of like obligations in these vetting scenarios that you would have to go through to land these contracts.

Speaker 2: Now let's say you're building out your telemedicine practice, right? If you're building it out direct to consumer and it's just you straight to consumer, does this really matter? If you're [00:08:00] not gonna work with third parties, you're not gonna work with contracts or anything else, or is it more important, or does this scenario really come into importance when you're trying to work with health systems, you're trying to work with payers, or you're trying to work, you know, with other entities that require that?

Speaker 1: I think it ultimately depends on the overall strategy. I mean, privacy, security, compliance, all these things are important for all of us, right? Like they're state, federal rules. Is a consumer gonna go, you guys aren't HITRUST certified,

so instead of using your tool, I'm gonna go use this one? I highly doubt a consumer knows what HITRUST certified means. However, the piece where I think it does matter is most of the companies that are in this space are going to reach a certain point where they're gonna wanna go get funding.

Speaker 2: Yeah.

Speaker 1: And I wanna go through my series A or my series B, and again, these are all questions that [00:09:00] you are going to have to answer in order to proceed, kind of on that path. I don't think I've ever met a health tech company that solely was focused on the direct to consumer side. I think everybody uses direct to consumer because it's the easiest point of entry to kind of get your customer base.

But ultimately, for everybody, the end all be all is like, I want government contracts, I wanna be in hospitals, I wanna be in medical groups, I wanna be a software. That's where the money's at.

Speaker 2: Yeah.

Speaker 1: And that's where all these different certifications come into play. And so, to me it's like, you have HITRUST, you have SOC 2, which is, you know, basically another privacy, security certification. You have FedRAMP, which is if you do anything government related, which is a beast in itself. I mean, I know the government. I probably can't get past a FedRAMP certification because it's so tedious and just in the weeds. And then on [00:10:00] the flip side, let's take it not so much just about a product or a platform, but let's talk about telemedicine as a service.

Let's say you wanna do a telemedicine business and you want to sell peptides and GLP-1s, my favorite topic. You also have to go through marketing certifications in order to do that. Anything in that space, you have to get what's called LegitScript certified. So that is, is your privacy policy correct?

Is your terms of service correct? Are you disclosing all this information on your website correctly and appropriately? And LegitScript is interesting because it's not so much that the health tech company has to get certified by them. They are contracted with specific vendors, and it's their responsibility to vet their vendor relationships.

The two big vendors that [00:11:00] do LegitScript are Meta and Stripe, so try to participate in marketing without doing Google ads and collecting payment without Stripe. So it's this interesting thing where, again, you have companies that are like, we don't need to focus on compliance. Now I'm ready to do Google ads.

Their Google ads don't perform because Meta suppresses everything, because they don't have the appropriate certifications to be approved for ads on Meta for, you know, GLPs, for example.

Speaker 2: So there's actually a gatekeeper. Meta actually has a gatekeeper to see if you are strict ship certified, or did I say that right?

Legit, strict certified.

Speaker 1: or before they'll do that.

Yeah. Interesting. So, like, to put it into terms of how, Leo, me and you work, right? If you have a potential, you know, opportunity that comes your way and you come to me and I'm like, I looked at their website, [00:12:00] they look shady,

I wouldn't do it. You are gonna go, yeah, I'm not gonna do it. Right. Like, I don't care.

Speaker 2: yeah,

Speaker 1: Phoebe, I'm not saying that I make the decisions, but I'm just saying, we've done some sort of like validation. It does not look legitimate. And because of that, for your own risk, you're gonna turn that opportunity away.

Yeah. LegitScript's responsibility is to make sure that Meta complies with their requirements, which is that Meta cannot be doing false advertisements, which, technically if you're doing illegal compounding or you're doing some of those things that are not technically allowed, they put a kibosh to it.

Same thing on the Stripe side, right? They go, you know, if you claim to be a healthcare provider and you are taking monthly subscriptions for, let's say, GLP-1s, and you don't have that LegitScript certification, Stripe is going to not accept those payments for you. So imagine [00:13:00] a telemedicine company trying to collect payment with no way to collect electronic payment because Stripe has a huge kind of monopoly on it.

To be honest. So those are just some of the hurdles you'll have to cross when you get to that point. And so to me, you know, my biggest thing is think about those things now, because LegitScript certification I think takes like three months. HITRUST certification, I think, takes damn near a year.

These are things that you baby step towards, because it is so much work in order to do it the right way. And it's not something that you can throw money at and it's gonna get done faster. You can't just kind of turn a blind eye and go, okay, well, you know, I think everything will be fine.

We're just gonna keep ignoring it because it will just continue to hinder your growth.

Speaker 2: Yeah, no, that's interesting because, especially with the emergence of physician owners, it's [00:14:00] not anything that we would think of straight off hand. Right. It's, you know, we're so used to just, hey, the process is being there.

That's good to know. Are there other certifications that we need to worry about? Is there, in terms of kind of broader certifications, you know, in the brick and mortar sense, we have JCAHO or the Joint Commission, I dunno what they're calling it nowadays, but it's been through so many iterations.

Is there anything like that that is required or you recommend, or is it just kind of a case by case basis?

Speaker 1: I like to say that, to me, compliance with all of it, there's all these building blocks, so it's not so much a one and done type of thing, right? So it is this continual building that all kind of compounds based on your strategy. So we talk a lot about the physician compliance side and what goes into that, right?

Like, I mean, a really good example is, in order for anybody to get a physician to go through and get credentialed with a health plan, you better make sure that you don't have a [00:15:00] felony and you have an active license, right? Those are boxes that must be checked.

There's also a ton of boxes that are gonna be checked from the general privacy and security side, from the marketing side. So it is very much, you have these different certifications that all cover these different elements, and depending on what market you're in or depending on where you're going after, that is the best way to kind of position yourself as you're starting to build.

So there's a lot. I mean, I just went through PCI compliance, which is a big thing that you have to do if you're getting electronic payments, right? By consulting, I'm like, I use QuickBooks. You have to go through this compliance attestation saying how I store credit card information, how all of that is overseen, how often I'm touching it, who has access to those things, and you have to provide proof and documentation to show that you comply. [00:16:00] They have your normal kind of international security management, which is like, you know, called like an certification.

Speaker 2: Love it.

Speaker 1: Now I think the one interesting thing, though, is I think that when it comes time to really start building around a compliant infrastructure, it is not a checklist. I think a lot of people try to approach this as a, you know, this is the checklist, this is what I need to follow.

I'm gonna go write a bunch of SOPs or policies and procedures and, we are gonna comply, and it's a one and done. And I think the interesting thing is it does take time. It takes time to operationalize, figure out how you want different workflows, try to build something, make a couple mistakes, maybe adjust it.

But the key thing is you wanna make sure you have the right functionality at the right time. You wanna make sure you have the right safeguards. Because again, all of that stuff is built at the foundational [00:17:00] architectural level. And to have to rework some of that stuff truly would be like you getting all the way up to the point where you're ready to go take your board certification and instead, actually, we're not giving you the pediatrics test today.

We're gonna give you OB. And you're going to take an OB-GYN board cert. It's like you just get the wool pulled from over your eyes. It's kind of like night and day. Just some basic things to think about. Definitely start HITRUST, if anybody is in this space, just look at it.

Look at a HITRUST checklist. It's overwhelming and it is potentially very costly to go through some of these things. But again, if this is something that really falls into your long-term roadmap, if you're trying to be a SaaS tool, if you're trying to do anything with any sort of medical group or large provider network, anything, HITRUST is a mandatory thing that you are going to have to consider now or later.

Speaker 2: Yeah, no, I'm looking up [00:18:00] kind of the requirements, recommendations, and really why it's needed. And it just sounds like, yeah. And in this day and age, right, you're gonna need to interact with that, right? Your business can't be a hundred percent direct to consumer, and yeah, you're gonna have to rely on these enterprises or these entities that will require this. So yeah, absolutely.

Speaker 1: Yeah.

Speaker 2: I mean, even Google says, hey, you should do it in the very beginning. So

Speaker 1: you have to. I mean, I think to me that's where I get really frustrated, because I think a lot of people think, no, we're gonna get our MVP, we're gonna focus there.

We're gonna get some feedback from some customers, and then we're gonna focus on what they call in health tech hardening. We're gonna do a bunch of hardening, we're really gonna make this tight and solid. And, you know, for me, I'm like, wouldn't it make more sense to try and build it around the right structure from day one?

So at the very least, you know, maybe I'm not gonna do role-based permissions today, but I'm gonna have a work plan going, [00:19:00] okay, I know that's something I have to do at some point, and so we'll put it on the roadmap, but maybe we need to figure out what those roles are. Maybe we need to start mapping some of those things.

It's really important. In this industry you have a bunch of software developers. You have product departments that are designing and telling, you know, the engineers what the functionality needs to be. And the unfortunate thing is just, you don't know what you don't know.

And so a lot of teams either aren't specific or make generalized statements, and then they work with, you know, sometimes these offshore dev teams, and you get something that just completely doesn't necessarily meet any sort of standard in the healthcare regulatory arena.

Speaker 2: Maybe it's just me, but coming into this thing and just thinking, hey, I know how to practice brick and mortar and it's gonna be a seamless transition.

It's just brick and mortar on video. [00:20:00] And I'm gonna create this video platform. I am going to send invoices via PayPal, whatever. Right. And then everything's gonna be kosher. And it's really eye-opening to hear that, hey, but not a surprise really. But still, I don't know what I don't know.

And, yeah. Without the appropriate help, yeah, you get yourself in this quandary where you're stuck. Either you're shut down, or you haven't budgeted for this and you can't continue to practice. So really, while you're talking about this, I'm taking notes and trying to figure out what the words that are coming outta your mouth really mean.

Because, yeah, this is a different language for me. So it's just really, really interesting to hear.

Speaker 1: Yeah, I mean, my 2 cents and my recommendation to the majority of people that I talk to about this is, you know, it's really important to understand who you are selling to, right?

Because at the end of the day, you're gonna have to sign a contract. If you can get your hands on what those [00:21:00] contractual obligations are going to be, it will help you understand what certifications you need, if any, and what the key requirements are that you must have in order to sign that contract. Right.

And again, I think the easiest way to think about it is like a physician. A physician cannot become a medical director if they don't have a license. It's pretty black and white. So why would a health tech company think that they can skirt the rules and not meet contractual obligations with some of these large players in the game?

So, you know, to me it's always like you wanna start there. You kind of work your way backwards and then you stay informed. You get to actually make informed decisions on what you wanna build versus what you don't. And ultimately, hopefully, save you some money in not having to go back and forth so much.

Speaker 2: And what's the timeframe of this, right? It sounds like, even if there's any chance at any point in time in your business model that you're gonna require this, or that you're going to work [00:22:00] with payers, you're gonna work with Medicare, right? You're gonna work with the entities that require this, right?

What's a timeframe you're looking at? You kind of mentioned it, right? But it's not like anything you could just turn on immediately. It's gonna take some time to do so. So, yeah, you're gonna need a little leeway or you're gonna get stuck, right? You're gonna get stuck saying, oh, you know, you have everything else in place but you can't necessarily move forward because you're missing these certs or you're missing the necessary requirements.

Speaker 1: Yeah.

So I think that that's a little different, right? So, if you are a clinic or a health tech company that is outsourcing certain things, right? Let's say you are a true telemedicine company, you're outsourcing your EHR, you're doing all that stuff. Your compliance looks very different.

Because you're not gonna have to meet a lot of the privacy security elements that would need to be met if you're building software in-house. Now, you will still have to go through different certifications, but it's a different kind of path [00:23:00] for compliance. You have companies where, I mean, we know them.

Leo, I think you're on a couple of these platforms that are proprietary platforms. That is a different workflow. Those are the ones that have to get HITRUST certified, have to meet some of those requirements. And the interesting part is usually just the process to get to be, 'cause you're opening yourself up to an audit.

That's what these do. They're third party assessors. They come in, they audit you. They tell you what to fix, and then you have to keep fixing it until they go, okay, you finally passed. How long that process takes, yeah, it's ultimately up to how ready you are. But again, they all have checklists.

So to me you need to make sure you have policies and procedures. You need to make sure that you can demo an example demonstrating that your product actually does what it says that it can do. So if you say that you have the ability to do automated encrypted [00:24:00] backups,

right, automatically that happens, you have to go in with an auditor and share your screen and show from a, you know, privacy security stance that it is automatically doing that. And then they're gonna ask people at your company, so they're gonna go around and they're gonna do random interviews, they're gonna talk to some customer support people.

They're gonna talk to another analyst. They're gonna talk to a bunch of people to try and catch you in, basically, areas of non-compliance.

Speaker 2: Yeah. And I remember the business I was working with, that took a while. There were multiple iterations of that, and the business I was working with, they're very dedicated in getting the HITRUST and, you know, there was no delay.

That was one of the big priorities that they had. Right. And it still took a good year or so to actually get that going.

Speaker 1: Yeah, I mean, there are some third party companies that'll be like, we can get you HITRUST certified in, you know, six weeks, or we can get you, and that's meaning like you have all your ducks in a row, which, I have never seen [00:25:00] a company get HITRUST certified in under seven months, eight months.

Even the ones that had government contracts, and thought they had their ducks in a row, but were kind of playing catch up and needed to make some tweaks.

Speaker 2: Yeah. That's a long while to consider if you were counting on that income, right. If you're counting on that business.

Speaker 1: Yeah. Well, it shuts off a massive opportunity pipeline, but even worse, it opens you up to negative optics. Yeah. The last thing you wanna do is have a really great opportunity with, like, another large hospital system or Mayo Clinic and then you have to go, oh wait, sorry.

Like, we don't have PHI controls in our app. I mean, it's gonna put a negative taste in people's mouths and they're gonna automatically assume that you don't understand that you're operating in healthcare. You know, very similar to our conversation with Sunshine when she was on.

[00:26:00] They are going to very quickly lose a little bit of respect for you in this space if you approach these conversations and kind of pretend that these rules don't exist.

Speaker 2: Yeah. And it's hard to recover from that too. Right. Knowing that that's what your reputation's gonna be.

Speaker 1: Yep. Yep. If anybody has questions on this, I have a really amazing, handy dandy tracker that is very overwhelming, but we'll give you what you need.

Speaker 2: I've seen it.

Speaker 1: Shoot me an email at tv at telemedicine talks dot com. Maybe Leo will put it on the website and people can grab it from there if it's helpful.

Speaker 2: Yeah. Actually, we'll connect it over, and yeah, it actually is very amazing. Right. It makes it easy for a novice like me to take a look at it and have a quick look and be like, oh, okay, this is what we're talking about. This is what we need and this is what I need to worry about.

But yeah.

Speaker 1: Thank y'all for another amazing Telemedicine Talks episode on [00:27:00] everyone's favorite topic, privacy, security, and compliance.

Speaker 2: I'm still looking terms up, but no, I can't stress enough that, you know, just working and going through the telemedicine journey,

it's one of the things that continuously just comes up. Especially on the admin side, it repeatedly is a roadblock to advancement and trying to scale, and it's just amazing to see that, you know, even a lot of established people that knew how to build businesses really, really didn't necessarily take this into account in the very beginning, and it just bit 'em in the butt later, so.

Yeah.

Speaker 1: Yep. The more you know, the more you know.

Speaker 2: It's like the afterschool special. No. Cool. Thank you all for joining and we'll see you again next time.