13% of AI Models Were Breached in 2025 (But in Healthcare, the Crisis Looks a Lot Worse.)

TL;DR: Why Healthcare Data Breaches Still Dominate

Healthcare once again topped the list for the most expensive data breaches in 2025, averaging a staggering $7.42M per incident. That’s 12 straight years at the top, and the reasons haven’t changed: outdated tech stacks, slow breach response, and lack of CISO governance.

If you’re building or scaling a health tech company, especially at the growth stage, the threat is a loss of trust. Deals stall. Reputation erodes. Investors hesitate. Let’s break down what’s happening behind the scenes and what smart health tech leaders can do about it.

AI Breaches Are Rising, But Healthcare Has Its Own Crisis

According to the IBM Cost of a Data Breach Report 2025: The AI Oversight Gap, 13% of organizations reported a breach involving their AI models or applications, and 97% of those organizations lacked proper AI access controls.

These stats span all industries, but the implications for healthcare are uniquely high-risk.

AI is deeply embedded in health tech stacks, from SaaS tools to patient-facing apps.

But here’s the twist: Shadow AI, meaning AI tools or models deployed without the organization’s authorization or oversight, figured in 20% of the breaches reported and carried the highest average cost of any AI-related incident.

In healthcare, the challenge is even more foundational:

  • The average breach lifecycle is 279 days; that's 5 weeks longer than the global average

  • That gap signals that detection tooling such as SIEM is either misconfigured or missing entirely

  • Security operations are underpowered, often lacking both the expertise and the executive-level ownership they need

“While AI breaches are rising across sectors, healthcare's struggle lies in governance, delayed response, and infrastructure misalignment.”

Vendor Access: Healthcare’s Silent Exposure Risk

Vendor-related breaches took 267 days on average to detect and contain, the second-longest lifecycle of any breach type.

And in healthcare, vendors are everywhere, from third-party labs to cloud storage providers and EHR integrations.

Most health tech startups rely on trusted vendor tools, often without the scrutiny those relationships deserve.

Security by proxy is no longer enough.

→ Request the Health Tech Vendor Security Checklist to evaluate your third-party risks before they jeopardize your trust, data, and customers.

HIPAA Isn’t Enough Anymore (Without Strategic Cybersecurity)

Most vendors treat HIPAA like a checkbox.

But as breach costs rise, regulators and buyers are demanding proof of governance, not just your policies.

Ask yourself:

  • Do you have a CISO or does security sit under IT?

  • Are your AI prompt interactions monitored, and have their risks been assessed?

  • Can your organization contain a breach in under 200 days?

If not, HIPAA compliance won’t save you. In fact, regulators will fine you.

→ Request the Strategic Guide for Health Tech Leaders to uncover security blind spots before your customers or regulators do.

Final Thought

You don’t need more tools.

You need strategy, trust, and visibility.

AI has changed the threat surface for health tech.

But the fundamentals haven’t changed.

Secure your vendors.

Shorten your breach lifecycle (or avoid breaches altogether).

Build compliant products and grow.

FAQs

🟢 Is the $7.42M average breach cost specific to healthcare? Yes. Healthcare had the highest average breach cost in 2025 at $7.42 million, topping all other sectors for the 12th consecutive year.

🟢 What is shadow AI in healthcare? Shadow AI refers to unauthorized or unmanaged AI tools or models deployed without oversight. In 2025, it figured in 20% of reported breaches and was the most costly AI-related threat.

🟢 Do HIPAA policies cover AI use in health tech? HIPAA doesn’t directly regulate AI or any other specific technology, but using AI to handle PHI without the security and privacy controls the HIPAA rules require is still a violation.

🟢 How can I assess my vendor security risk? Use the Vendor Security Checklist to score vendors across 10 risk domains, including PHI handling, incident response, and IAM.

🟢 Who should own security in a growth-stage health tech startup? Ideally, a dedicated CISO or vCISO, not engineers or developers. Security leadership is essential to HIPAA compliance and breach readiness.

L Trotter II

As Founder and CEO of Inherent Security, Larry Trotter II is responsible for defining the mission and vision of the company and ensuring execution aligns with the business purpose. Larry has transformed Inherent Security from a consultancy to a cybersecurity company through partnerships and expert acquisitions. Today the company leverages its healthcare and government expertise to accelerate compliance operations for clients.

Larry has provided services for 12 years across private industry, developing security strategies and managing security operations for Fortune 500 companies and healthcare organizations. He is an influential business leader who can demonstrate the value proposition of security and its direct link to customers.

Larry graduated from Old Dominion University with a bachelor’s degree in Business Administration with a focus on IT and Networking. Larry has accumulated certifications such as the CISM, ISO27001 Lead Implementer, GCIA and others. He serves on the Board of Directors for the MIT Enterprise Forum DC and Baltimore.

https://www.inherentsecurity.com