FWIW the only way you can really avoid it by the structure of your operations is either:

1) Never handle any US protected health information in any way at all, or 2) Push this off entirely to a partner.

If you are operating in the US in healthcare, at the very least you will need to audit yourself to ensure (1).