What is the HIPAA Security Rule?

The HIPAA Security Rule establishes national standards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI) through administrative, physical, and technical safeguards.

What is considered a HIPAA violation in cybersecurity?

A HIPAA violation occurs when PHI or ePHI is impermissibly used or disclosed or insufficiently safeguarded. Common causes include weak access controls, missing risk analyses, unencrypted devices, improper workforce training, and delayed breach reporting.

What are administrative, physical, and technical safeguards?

Administrative safeguards are policies, procedures, and training. Physical safeguards protect facilities and devices. Technical safeguards include access controls, audit logging, transmission security, and encryption.

Is a HIPAA risk assessment required annually?

HIPAA requires a regular and thorough risk analysis but does not mandate a specific frequency. Many organizations perform it annually and whenever significant changes occur, such as new systems, vendors, or workflows.

What should a HIPAA risk assessment include?

It should identify where ePHI resides, evaluate threats and vulnerabilities, assess likelihood and impact, review current controls, document risk levels, and define prioritized remediation steps and timelines.

What is the role of encryption in HIPAA compliance?

Encryption is an addressable implementation specification. If reasonable and appropriate, it should be implemented for data at rest and in transit. If not implemented, the decision must be documented and an equivalent alternative safeguard applied.

What is a Business Associate under HIPAA?

A Business Associate is any person or organization, other than a workforce member of a covered entity, that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Examples include cloud providers, IT support, billing services, and certain consultants. A Business Associate Agreement (BAA) is required before PHI access.

Do business associates need to be HIPAA compliant?

Yes. Business associates must implement appropriate safeguards for PHI, comply with applicable HIPAA requirements, enter into a BAA, report incidents and breaches, and ensure their subcontractors that handle PHI also comply.

What happens if a business associate causes a breach?

Both the covered entity and the business associate have obligations. The business associate must investigate, mitigate, and notify the covered entity. Breach notifications to individuals, HHS, and in some cases the media may be required based on the incident size and circumstances.

How do I secure remote access to ePHI?

Use VPN or zero-trust access, require multi-factor authentication, enforce least-privilege access, encrypt devices, manage endpoints and patches, disable local data storage when possible, and monitor logs for suspicious activity.

Can employees use personal devices under HIPAA?

Yes, if governed by a BYOD policy that enforces device encryption, screen locks, remote wipe, mobile device management, separation of work data, and prohibits storing ePHI in unsecured apps or locations.

What is considered a HIPAA data breach?

A breach is an impermissible use or disclosure of unsecured PHI that compromises its security or privacy, such as ransomware, lost or stolen devices, misdirected emails, or unauthorized access, unless a documented risk assessment shows a low probability of compromise.

How soon must a HIPAA breach be reported?

Affected individuals must be notified without unreasonable delay and no later than 60 days after discovery. Reporting to HHS depends on the number of affected individuals; large breaches (500 or more) require more immediate reporting and, in some cases, media notice.

What are the penalties for HIPAA violations?

HIPAA penalties vary by tier based on level of culpability, with per-violation amounts and annual caps per violation type. Enforcement may include corrective action plans, settlement amounts, and monitoring. Actual amounts depend on the facts and current HHS guidance.

Can my practice be audited for HIPAA compliance?

Yes. HHS’s Office for Civil Rights conducts audits and investigations, particularly after breaches or complaints. Maintaining documentation, training records, and current risk analyses helps demonstrate compliance readiness.

What documentation is required to prove HIPAA compliance?

Keep current risk analyses, remediation plans, security and privacy policies, workforce training logs, incident response procedures, business associate agreements, access audit logs, and evidence of ongoing monitoring and evaluations.

The AI Questions Healthcare Buyers Are Asking: Inside a Governance Committee

May 7

Written By L Trotter II

A vendor demo just got stopped cold by a single question.

I watched it happen from inside the room.

A few months ago, I joined a healthcare governance committee that meets regularly to evaluate AI vendors as part of their transformation strategy.

In one of our recent sessions, a vendor came up for review.

The product had a valid use case.

The demo was clean.

Then two questions surfaced.

Did the vendor have a BAA in place?

What controls did they have to prevent their own workforce from entering PHI into the system?

The room paused.

Nobody on the committee had thought to ask those questions early on.

They came up during discussions and no one knew the answers.

That's the inside view you never get as a health tech vendor.

The questions healthcare buyers are asking aren't always technical.

And they're getting sharper every meeting.

The rest of this issue covers what's happening inside these rooms, and what it means for your next deal.

What governance committees discuss

Healthcare governance committees have expanded what they evaluate.

Vendors are now being assessed as extensions of their own workforce.

This changes the discussion completely.

A few months ago, the conversation in these rooms was: "Does this AI tool work?"

Today the conversation is: "If we let our staff use this tool, what's the risk that PHI ends up somewhere it shouldn't?"

That question lives in governance, not product.

And it's the question that decides whether you're in the conversation or not.

The fear inside healthcare governance committees now is that staff will use AI in ways the vendor didn't anticipate.

Pasting clinical notes.

Uploading care plans.

Running consumer-grade tools because they're free, convenient and fast.

Healthcare buyers are responding by raising the bar on every AI vendor they evaluate.

Three things changed:

The yes/no AI gate now exists. "Do you use AI in your product?" is now a question that determines whether more extensive due diligence is necessary.
Vendor scrutiny extends to the vendor's own workforce. Buyers want to know how your engineering and customer success teams handle PHI when they're using internal AI tools.
HIPAA Compliance became the ground floor, not the ceiling. A documented compliance program is the entry requirement. Trustworthy AI governance is what closes the deal.

👉 If you want to see how your AI governance scores against what healthcare buyers are evaluating, the Health Tech AI Readiness Self-Assessment walks you through it section by section. Get your score here.

Why AI expands your HIPAA Compliance footprint

The moment AI touches PHI, your compliance scope expands in ways many health tech vendors haven't accounted for.

AI inputs are PHI.

AI outputs can become PHI.

Training data lineage matters under HIPAA.

Model access controls fall under HIPAA's technical safeguards.

The blind spot health tech companies have isn't the AI itself.

It's where AI governance lives inside the company.

Typically, AI oversight sits inside the product team.

The engineers who built the model also decide how it's monitored.

Compliance reviews happen quarterly, if at all.

Healthcare buyers see this as an operational risk.

AI governance belongs inside your compliance program, not your product roadmap.

This operational shift changes how buyers evaluate you.

The four questions that decide if you're in the conversation

These are the questions I'm hearing most often in committee discussions about vendors with AI features.

If you can't answer all four with documented evidence in a reasonable time, you're not ready for the next round of questionnaires.

1. How is the model validated?

Not how it was trained. How it's tested for accuracy, drift, and bias on an ongoing basis.

2. How is model drift managed?

When the model's performance shifts over time, accuracy degrades, outputs change, and behavior drifts from baseline. Who monitors it, how is it updated, and how fast? Drift in a clinical context is a patient safety question and one of the main reasons AI ends up on shelves.

3. Where did the training data originate?

Was PHI used in training? Was the data de-identified? Is the lineage documented? Healthcare buyers will ask. They're being asked the same question by their boards.

4. Who has access to model endpoints?

Inside your company and outside. Vendors, contractors, third-party integrations. Every endpoint is a potential access point to PHI.

If those questions caught you off guard, that's your gap.

👉 If those four questions exposed a gap, the Health Tech AI Readiness Self-Assessment maps it for you. 48 questions across problem definition, vendor selection, and implementation. You'll know exactly where you stand before your next questionnaire. Take the assessment.

HIPAA Compliance is the gate. AI governance is the differentiator.

Healthcare buyers aren't choosing between vendors based on AI features.

They're choosing based on which vendor they trust to handle their data without becoming a liability.

HIPAA Compliance gets you in the room.

AI governance closes the deal.

The vendors winning contracts right now have one thing in common.

They walked into the security review with documented answers, a defensible compliance program, and an AI governance framework that lives outside the product team.

They didn't get lucky.

They built for this moment before the questions were asked.

What this means for the next 90 days

Healthcare procurement cycles are tightening.

Governance committees are meeting more often.

Boards are asking sharper questions.

Security teams are adding AI-specific sections to vendor questionnaires.

The vendors who wait until they're asked will lose deals to the vendors who already have the answers.

The window to get ahead of this is now.

If your AI governance lives inside product, move it.

If your HIPAA Compliance program is informal, document it.

If your team can't answer the four questions above with evidence, build the evidence before your next questionnaire arrives.

👉 If you're building toward enterprise health system deals and want to know exactly what they're evaluating in AI vendors, take the Health Tech AI Readiness Self-Assessment. It's the same framework I use when evaluating vendors on the governance committee.

Get your score here.

- Larry | Founder & Principal CISO, Inherent Security

FAQ Section — HIPAA Compliance for AI Vendors

Q: What is HIPAA Compliance for AI vendors?

HIPAA Compliance for AI vendors means meeting the same Privacy and Security Rule requirements as any other business associate handling Protected Health Information (PHI), with additional considerations for how AI systems process, store, and learn from that data. This includes documented policies, signed Business Associate Agreements, technical safeguards on model access, and risk analysis covering AI-specific exposure points like training data lineage and model outputs.

Q: What do healthcare buyers evaluate in AI-enabled vendors?

Healthcare buyers evaluate four things: how the model is validated for accuracy and bias, how model drift is monitored and managed, where the training data originated, and who has access to model endpoints. They also assess whether the vendor's own workforce has controls preventing PHI from being entered into unapproved AI tools. HIPAA Compliance is the entry requirement; AI governance is the differentiator.

Q: Is HIPAA Compliance enough for AI vendors?

No. HIPAA Compliance is the gate that lets you into the conversation, but it does not address AI-specific risks like model drift, training data lineage, or workforce misuse of generative AI tools. Healthcare buyers expect AI vendors to demonstrate both HIPAA Compliance and a defensible AI governance framework that lives outside the product team.

Q: How is AI governance different from HIPAA Compliance?

HIPAA Compliance governs how a vendor handles PHI across all systems and processes. AI governance specifically addresses how AI models are validated, monitored, updated, and controlled throughout their lifecycle. The two overlap on data handling and access controls, but AI governance covers risks HIPAA was not written to address — including model behavior, training data sources, and ongoing performance monitoring.

L Trotter II

As Founder and CEO of Inherent Security, Larry Trotter II is responsible for defining the mission and vision of the company, ensuring execution aligns with the business purpose. Larry has transformed Inherent Security from a consultancy to a cybersecurity company through partnerships and expert acquisitions. Today the company leverages its healthcare and government expertise to accelerate compliance operation for clients.

Larry has provided services for 12 years across the private industry developing security strategies and managing security operations for Fortune 500 companies and healthcare organizations. He is influential business leader who can demonstrate the value proposition of security and its direct link to customers.

Larry graduated from Old Dominion University with a bachelor’s degree in Business Administration with a focus on IT and Networking. Larry has accumulated certifications such as the CISM, ISO27001 Lead Implementer, GCIA and others. He serves on the Board of Directors for the MIT Enterprise Forum DC and Baltimore.

https://www.inherentsecurity.com