Compliance
Everything Starlight needs to legally and operationally handle electronic protected health information (ePHI), pass enterprise procurement gates, and stay defensible.
The inversion (Erik, May 2026): the conventional vendor narrative is "compliance takes 12–18 months." We're flipping it — front-load HIPAA + SOC 2 alignment fast, then build forward through CI/CD with confidence on that foundation. Compliance work that happens after a product is built is retrofitting; compliance work that happens as the product is built is engineering hygiene.
One workstream, four pillars:
- HIPAA — the federal statute and its implementing rules (Privacy, Security, Breach Notification). Always working from the source, not vendor checklists.
- SOC 2 — the procurement-floor audit we'll need anyway for invoicing/financing partners.
- Regulated SDLC guardrails — what HIPAA-aligned software development looks like in practice.
- Starlight's own plan — the opinionated roadmap as gating milestones, not calendar months. Includes the peer-review pact and synthetic-data substrate.
Plus the existing detailed mapping of our AWS substrate to HIPAA-eligible services.
How this section is organized
📄️ HIPAA
A plain-language summary of every HIPAA rule that matters for Starlight, with direct links to the actual regulation and HHS guidance so we always work from the source, not from a vendor's checklist.
📄️ SOC 2
Why we care about SOC 2 too: a solid HIPAA Security Rule build does roughly 70–80% of the SOC 2 work for free.
📄️ Regulated SDLC Guardrails
How software development changes when ePHI is in scope. Industry-standard guardrails first; Starlight's specific application is on the next page.
📄️ Starlight's Plan
How we actually do this — without the consultant theater. This is the opinionated doc. Other compliance pages explain the law and the industry; this one captures what we'll actually do at Starlight.
📄️ AWS HIPAA Stack
The detailed mapping of our AWS substrate to HIPAA-eligible services, and what each service must be configured to do before it touches ePHI.
Last updated: March 2026
Operating principles (the through-line)
These show up across every page; they're the spine of our approach:
- The work is the work. No "HIPAA compliance package" purchases. Risk analysis, documentation, training, IR runbooks — we write them, we own them.
- Build it once, audit it twice. Every engineering control satisfies HIPAA and SOC 2 simultaneously. Roughly 70–80% of the work overlaps.
- Synthetic data first; production access by exception. Engineers never need real PHI to develop, debug, or demo.
- Egress as a feature, not a risk. Patients can export their full chart in well-structured JSON, anytime. The four egress safeguards are baked into the product, not bolted on.
- Peer review with another real shop, not a consultant. Once operational, partner with a similar-sized indie healthtech shop for mutual HIPAA review.
What we are not doing
- Buying a "HIPAA compliance" certification — there isn't one for software vendors.
- Buying a generic compliance platform as a substitute for doing the work (we may adopt one as an evidence-collection tool when we engage the SOC 2 auditor at gate G6 — but that's tooling, not strategy).
- Paying for a HITRUST stamp before a paying customer requires it.
- Treating ToS disclaimers as a liability shield in the AI-medical-advice context.
The full opinionated plan lives in Starlight's Compliance Plan.