What is the HIPAA Security Rule?

The HIPAA Security Rule establishes national standards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI) through administrative, physical, and technical safeguards.

What is considered a HIPAA violation in cybersecurity?

A HIPAA violation occurs when PHI or ePHI is impermissibly used or disclosed or insufficiently safeguarded. Common causes include weak access controls, missing risk analyses, unencrypted devices, improper workforce training, and delayed breach reporting.

What are administrative, physical, and technical safeguards?

Administrative safeguards are policies, procedures, and training. Physical safeguards protect facilities and devices. Technical safeguards include access controls, audit logging, transmission security, and encryption.

Is a HIPAA risk assessment required annually?

HIPAA requires a regular and thorough risk analysis but does not mandate a specific frequency. Many organizations perform it annually and whenever significant changes occur, such as new systems, vendors, or workflows.

What should a HIPAA risk assessment include?

It should identify where ePHI resides, evaluate threats and vulnerabilities, assess likelihood and impact, review current controls, document risk levels, and define prioritized remediation steps and timelines.

What is the role of encryption in HIPAA compliance?

Encryption is an addressable implementation specification. If reasonable and appropriate, it should be implemented for data at rest and in transit. If not implemented, the decision must be documented and an equivalent alternative safeguard applied.

What is a Business Associate under HIPAA?

A Business Associate is any person or organization, other than a workforce member of a covered entity, that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Examples include cloud providers, IT support, billing services, and certain consultants. A Business Associate Agreement (BAA) is required before PHI access.

Do business associates need to be HIPAA compliant?

Yes. Business associates must implement appropriate safeguards for PHI, comply with applicable HIPAA requirements, enter into a BAA, report incidents and breaches, and ensure their subcontractors that handle PHI also comply.

What happens if a business associate causes a breach?

Both the covered entity and the business associate have obligations. The business associate must investigate, mitigate, and notify the covered entity. Breach notifications to individuals, HHS, and in some cases the media may be required based on the incident size and circumstances.

How do I secure remote access to ePHI?

Use VPN or zero-trust access, require multi-factor authentication, enforce least-privilege access, encrypt devices, manage endpoints and patches, disable local data storage when possible, and monitor logs for suspicious activity.

Can employees use personal devices under HIPAA?

Yes, if governed by a BYOD policy that enforces device encryption, screen locks, remote wipe, mobile device management, separation of work data, and prohibits storing ePHI in unsecured apps or locations.

What is considered a HIPAA data breach?

A breach is an impermissible use or disclosure of unsecured PHI that compromises its security or privacy, such as ransomware, lost or stolen devices, misdirected emails, or unauthorized access, unless a documented risk assessment shows a low probability of compromise.

How soon must a HIPAA breach be reported?

Affected individuals must be notified without unreasonable delay and no later than 60 days after discovery. Reporting to HHS depends on the number of affected individuals; large breaches (500 or more) require more immediate reporting and, in some cases, media notice.

What are the penalties for HIPAA violations?

HIPAA penalties vary by tier based on level of culpability, with per-violation amounts and annual caps per violation type. Enforcement may include corrective action plans, settlement amounts, and monitoring. Actual amounts depend on the facts and current HHS guidance.

Can my practice be audited for HIPAA compliance?

Yes. HHS’s Office for Civil Rights conducts audits and investigations, particularly after breaches or complaints. Maintaining documentation, training records, and current risk analyses helps demonstrate compliance readiness.

What documentation is required to prove HIPAA compliance?

Keep current risk analyses, remediation plans, security and privacy policies, workforce training logs, incident response procedures, business associate agreements, access audit logs, and evidence of ongoing monitoring and evaluations.

Four AI BAA Clauses That Raise Red Flags for Healthcare Buyers

Jun 18

Written By L Trotter II

Last week, a client asked me to review an AI vendor's BAA before signing the contract.

At first glance, the agreement referenced HIPAA Compliance and included standard security language.

Then I reviewed the actual terms.

The security commitments were too vague.

Several provisions gave the vendor more control over patient data than I would advise a healthcare organization to accept.

The BAA did not create enough confidence for me to recommend signing it.

I spend a lot of time reviewing AI vendors on behalf of healthcare organizations.

Healthcare runs on trust.

Patients trust their providers.

Providers trust the technology they use.

Healthcare organizations must trust the vendors they allow to handle patient data.

That trust has to be supported by clear contractual commitments.

Deals stall when a vendor’s BAA does not meet the buyer’s security and compliance requirements.

Broad data rights and vague commitments signal that the vendor’s compliance program may not be ready for enterprise healthcare buyers.

As I reviewed this BAA, I flagged four provisions that needed to be amended before I could recommend signing.

I advised my client not to accept the BAA as written.

If the vendor was unwilling to meet those requirements, my recommendation would be to find another vendor.

1. Broad Rights to Use De-Identified Data for AI Training

One provision allowed the vendor to use aggregated and de-identified data for internal business purposes, including artificial intelligence and machine learning training.

This is becoming increasingly common in AI vendor agreements.

I would not advise a healthcare organization to give a vendor unrestricted rights to use de-identified patient data for AI training.

For an AI vendor, that language is too broad without clear limitations on model training and development.

Before approving the BAA, I would require it to:

Define how the data will be de-identified
Prohibit attempts to re-identify the data
Limit the approved uses of the data

Healthcare organizations need to know where their patient data goes, how it is transformed, and how it may be used in the future.

The agreement did not provide enough information to establish that trust.

2. Unclear Boundaries Around AI Models

The BAA allowed the vendor to use data to improve and enhance its services.

I flagged that language immediately.

“Improve the service” could include model training, tuning, validation, or the development of future AI products. The BAA did not set clear limits.

When AI is involved, enterprise buyers want explicit boundaries around what data can and cannot be used for.

If those boundaries aren't clear, expect follow-up questions.

3. Limited Visibility Into the AI Supply Chain

Modern AI products rarely operate alone.

Most depend on cloud providers, AI services, APIs, etc.

Before recommending an AI vendor, I want to understand who touches the data and how those relationships are governed.

Healthcare organizations are responsible for understanding the full chain of vendors handling their patient data.

An AI vendor should disclose its relevant subcontractors, confirm that required BAAs are in place, and remain accountable for the providers it selects.

If PHI is shared with third-party AI providers, buyers want to know who those providers are, whether BAAs are in place, and whether patient data can be used for model training or improvement.

The more visibility you provide into your AI supply chain, the easier it is for buyers to trust how patient data is being handled.

If you want to know what else your buyers are scoring in vendor agreements, the Security Review Playbook breaks it down. Request it here.

4. Security Commitments That Need Specificity

The BAA referenced HIPAA Compliance and security safeguards.

A general statement of HIPAA compliance does not provide enough protection for the buyer.

The BAA should include clear commitments covering:

Encryption at rest and in transit
Multifactor authentication
Access controls and access reviews
Audit logging and monitoring
Vulnerability management
Penetration testing
Endpoint protection
Security awareness training
Incident response testing
Disaster recovery
Independent security assessments

Vendors that make specific security commitments demonstrate that they understand the responsibilities that come with handling PHI.

Relying on vague references to “appropriate safeguards” is too risky.

Why This Matters for Health Tech

I've reviewed enough AI vendors to notice a pattern.

The vendors that create the least friction are the ones whose BAAs already meet the security and compliance expectations of enterprise healthcare buyers.

If your BAA gives you broad rights to customer data, hides the AI supply chain, or makes vague security commitments, expect redlines, delays, and possible rejection.

I review these agreements for healthcare buyers.

When the terms create too much risk, I advise my clients not to sign.

Your next buyer’s security and compliance team may reach the same conclusion.

👉 If you want to know where your AI governance strategy stands before your next deal, take the AI Readiness Self-Assessment. Request it here.

Larry | Founder & Principal CISO, Inherent Security

L Trotter II

As Founder and CEO of Inherent Security, Larry Trotter II is responsible for defining the mission and vision of the company, ensuring execution aligns with the business purpose. Larry has transformed Inherent Security from a consultancy to a cybersecurity company through partnerships and expert acquisitions. Today the company leverages its healthcare and government expertise to accelerate compliance operation for clients.

Larry has provided services for 12 years across the private industry developing security strategies and managing security operations for Fortune 500 companies and healthcare organizations. He is influential business leader who can demonstrate the value proposition of security and its direct link to customers.

Larry graduated from Old Dominion University with a bachelor’s degree in Business Administration with a focus on IT and Networking. Larry has accumulated certifications such as the CISM, ISO27001 Lead Implementer, GCIA and others. He serves on the Board of Directors for the MIT Enterprise Forum DC and Baltimore.

https://www.inherentsecurity.com