Thoughts on Healthcare Markets and Technology

The Unfair Advantage Nobody Talks About: How Skipping BAAs Unlocks Venture-Scale Growth in Health Tech

Mar 29, 2026

Abstract

This essay argues that the most fundable, scalable health tech companies of the next decade will be built around business models that structurally avoid HIPAA’s business associate agreement requirement during their high-growth phases. OpenEvidence is the case study – it went from zero to $50M ARR, then $150M ARR, then a $12B valuation in roughly three years by operating as a physician-facing knowledge tool rather than a PHI handler, letting it grow like consumer software while healthcare enterprise companies were stuck in procurement hell. But OpenEvidence isn’t the full story. The deeper thesis is that the highest-upside opportunities remaining in health tech share a common architecture: you’re reallocating dollars, not documenting care. This essay covers three specific categories – employer healthcare control planes, patient-controlled health graph infrastructure, and healthcare financial rails – and explains the product architecture, go-to-market physics, and defensibility dynamics of each. Key data points and framing: OpenEvidence hit 40% of US physicians and 8.5M monthly consultations in roughly 24 months; self-insured employer spend exceeds $1T annually; US healthcare payments exceed $4T/yr; and none of the three categories described require real-time PHI ingestion during their core operating motion.

Table of Contents

- The BAA Is a Moat in Reverse

- OpenEvidence and the Permission Exploit

- The Structural Thesis: Reallocating Dollars vs. Documenting Care

- Category 1: Employer Healthcare Control Planes

- Category 2: Patient-Controlled Health Graph Infrastructure

- Category 3: Healthcare Financial Infrastructure

- Where the Real Moats Are

- How to Bet

The BAA Is a Moat in Reverse

Most people in health tech treat the business associate agreement as just another contract to get through. Sign it, check the box, move on. What they’re missing is that the BAA isn’t just a legal document – it’s a gravitational force that slows everything down by roughly 12 to 24 months and turns your sales cycle into a compliance negotiation. Every health system that needs to sign one has a legal team, an infosec team, a vendor assessment process, and a procurement function that exists specifically to delay your deal. Epic’s App Orchard review alone takes six to nine months just to get listed. Then each health system has to individually enable your product. Then legal review. Then BAA signature. Then IT integration. By the time you’re in production, you’ve burned cash, diluted your cap table, and watched a better-capitalized competitor catch up. The BAA is healthcare’s version of a moat – except it protects the incumbents, not the new entrant.

This isn’t some niche edge case. It’s the fundamental reason health tech has historically underperformed on a risk-adjusted basis relative to other enterprise software verticals. The capital required to survive a health system procurement cycle is enormous. The revenue that comes out the other end is lumpy and contract-dependent. And the whole thing is brittle – one renewal risk can crater your ARR. Investors know this. Operators know this. Yet the field keeps producing companies that walk straight into the BAA trap because they think the clinical data access is worth it.

Sometimes it is. EHR integrations, clinical AI tools that need real-time patient data, anything touching identified health records at the point of care – those companies have to play the game. The question is whether your idea actually requires that, or whether you’ve been pattern-matching to existing health tech archetypes without thinking hard about what data you truly need to build value. A surprising number of genuinely large opportunities in healthcare turn out to require no PHI at all. The companies that figure this out early get to grow like software companies instead of healthcare companies. The difference in outcomes is dramatic.

OpenEvidence and the Permission Exploit
