Hidden Risks Health Tech Can't Ignore

TL;DR

Health systems aren’t only evaluating your product, they’re assessing your entire ecosystem. For health tech vendors selling into these systems, unmanaged third-party risk can kill deals before you even demo. Here are the crucial vendor and supply-chain risks you must control, and what you should do about them today.

👉 DM me "Vendor" and I'll send you a checklist for your next vendor assessment.

Why Third-Party Risk Is Health Tech’s Biggest Blind Spot

You build innovative solutions.

But when you integrate tools, APIs, or rely on external vendors, they're often your weakest link and become your liability.

• Studies show that 72% of healthcare data breaches are linked to third-party vendors. (Censinet)

• Supply-chain attacks have nearly doubled in 2025, with attackers targeting vendors to access critical networks. (Cybel)

• For health systems, vendor risk is procurement reality. They expect you to manage it before you sit at the contract table.

✅ As a vendor, you’re not just a tech supplier, you’re part of a larger ecosystem. Your security posture includes your vendors’ vendors.

5 Third-Party Risks That Kill Health Tech Deals

1. Unvetted Integrations and APIs

Every API, data connector, and plugin is a potential entry point.

Health systems require transparency in how you handle PHI across integrations.

Failure to prove diligence can kill the deal.

✅ Maintain a vendor-integration inventory, capture data-flow diagrams, and require a pre-deployment security assessment.

2. Missing or Outdated Business Associate Agreements (BAAs)

If any tool or subcontractor touches PHI, you need a BAA.

Don't assume your internal compliance covers it.

Health systems don’t.

✅ Audit all partners annually, flag missing BAAs, and implement a renewal process that ties to access revocation and off-boarding.

3. No Third-Party Inventory or Risk Triage

Health systems want proof you know your vendor universe (i.e., what they do, what data they access, and how you monitor them).

Without that, you look unprepared.

✅ Build a living inventory with classification (critical, moderate, low), set reassessment cadences, and apply deeper scrutiny for critical vendors.
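As an added example (not code from the article or from Inherent Security), here is a small Python triage script that turns items 2 and 3 into something you can run over a vendor inventory: it tiers each vendor, flags PHI-touching vendors with a missing or expired BAA, ties that finding to access revocation, checks each vendor against a per-tier reassessment cadence, and marks critical vendors with known sub-vendors for deeper review. The tiering heuristic, the cadence values in REASSESSMENT_DAYS, and the SAMPLE_VENDORS records are all constructed assumptions for illustration; the article sets no specific cadence.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Reassessment cadence per risk tier, in days. Assumed values for this
# example; the article only says to "set reassessment cadences".
REASSESSMENT_DAYS = {"critical": 90, "moderate": 180, "low": 365}


@dataclass
class Vendor:
    name: str
    handles_phi: bool              # creates, receives, stores or transmits PHI for you
    access_active: bool            # currently holds live credentials / network access
    baa_expires: Optional[date]    # None means no BAA on file
    last_assessed: Optional[date]  # None means never assessed
    sub_vendors: list = field(default_factory=list)  # known 4th parties


def classify(v: Vendor) -> str:
    """Assumed tiering heuristic: live PHI access is critical, PHI without
    live access is moderate, everything else is low."""
    if v.handles_phi and v.access_active:
        return "critical"
    if v.handles_phi:
        return "moderate"
    return "low"


def triage(vendors, today: date) -> dict:
    """Return {vendor name: sorted findings} for every vendor needing action."""
    findings = {}
    for v in vendors:
        issues = []
        tier = classify(v)
        if v.handles_phi:
            if v.baa_expires is None:
                issues.append("missing_baa")
            elif v.baa_expires < today:
                issues.append("expired_baa")
            # Renewal process tied to access revocation: no valid BAA, no live access.
            if issues and v.access_active:
                issues.append("revoke_access")
        cutoff = today - timedelta(days=REASSESSMENT_DAYS[tier])
        if v.last_assessed is None or v.last_assessed < cutoff:
            issues.append("overdue_reassessment")
        # Deeper scrutiny for critical vendors: their suppliers are your exposure too.
        if tier == "critical" and v.sub_vendors:
            issues.append("review_sub_vendors")
        if issues:
            findings[v.name] = sorted(issues)
    return findings


# Constructed sample inventory; names and dates are made up.
TODAY = date(2025, 6, 1)
SAMPLE_VENDORS = [
    Vendor("ClaimsAPI", True, True, date(2025, 12, 31), date(2025, 2, 1), ["CloudHost"]),
    Vendor("AnalyticsSaaS", True, True, None, date(2025, 5, 15)),
    Vendor("MarketingTool", False, True, None, None),
    Vendor("ArchiveVault", True, False, date(2025, 5, 20), date(2025, 5, 1)),
    Vendor("ClearinghouseX", True, True, date(2026, 1, 1), date(2025, 5, 1)),
]

if __name__ == "__main__":
    for name, issues in triage(SAMPLE_VENDORS, TODAY).items():
        print(f"{name}: {', '.join(issues)}")
```

A vendor with no findings (ClearinghouseX in the sample) is simply absent from the result, so the output is the action list for your next review cycle rather than a dump of the whole inventory.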

4. Poor Monitoring of Sub-vendors, Cloud Tools, and Shadow Services

It’s not only direct vendors, it’s their vendors (4th parties), cloud dependencies, and SaaS you might be unaware of... especially with the rise of AI!

Many breaches start in the shadows.

✅ Map your vendors' own supplier exposure, and flow your security requirements down to those sub-vendors.

5. No Incident Response Plan for Vendor Failures

What happens when a vendor gets breached or goes offline? (e.g., Change Healthcare, Cloudflare)

If you don’t have a plan that covers vendor incidents, you can’t assure a health system you can manage one.

✅ Include vendor security incidents in your incident response test scenarios annually. Identify roles/responsibilities, and document fallback processes.

Your weakest vendor becomes your loudest vulnerability.


What Health Tech Vendors Should Do Now (Actionable Checklist)

  • Build your vendor inventory with classification and map data touch-points.

  • Review and validate all BAAs and subcontractor agreements.

  • Map PHI flows across your tech stack and integrations.

  • Add a vendor incident response scenario to your upcoming tabletop exercise.

  • Embed vendor risk criteria into your sales pitch to show health systems you control not just your platform but your ecosystem.

FAQ

Do health tech vendors need BAAs with every tool they use?

Yes. If the tool handles, stores, or transmits PHI on your behalf, a BAA is required, and HIPAA expects you to be able to demonstrate it.

What vendor documentation will health systems ask me to provide?

Expect risk assessments, vendor inventories, BAA lists, and possibly incident response exercises for vendor incidents.

How can I monitor vendor security without large teams?

Leverage external vendor-risk platforms, automate alerts for changed vendor posture, and prioritize high-criticality vendors for oversight.

Conclusion

Innovation wins interest.

Compliance earns trust.

If you want to sell into health systems, you must manage not only your own security but your entire vendor ecosystem.


P.S. Do you think AI can help solve these problems?

L Trotter II

As Founder and CEO of Inherent Security, Larry Trotter II is responsible for defining the mission and vision of the company, ensuring execution aligns with the business purpose. Larry has transformed Inherent Security from a consultancy to a cybersecurity company through partnerships and expert acquisitions. Today the company leverages its healthcare and government expertise to accelerate compliance operations for clients.

Larry has provided services for 12 years across private industry, developing security strategies and managing security operations for Fortune 500 companies and healthcare organizations. He is an influential business leader who can demonstrate the value proposition of security and its direct link to customers.

Larry graduated from Old Dominion University with a bachelor’s degree in Business Administration with a focus on IT and Networking. Larry has accumulated certifications such as the CISM, ISO27001 Lead Implementer, GCIA and others. He serves on the Board of Directors for the MIT Enterprise Forum DC and Baltimore.

https://www.inherentsecurity.com