HIPAA Work Growth-Stage Health Tech Vendors Skip

TL;DR

Growth-stage Health Tech vendors struggle with security for 3 reasons.

They lack tools.

They lack proper leadership.

They let the foundational security work fall behind while scaling.

The HIPAA work most often skipped includes:

  • Maintaining a clear asset inventory

  • Keeping adequate historical logs

  • Closing vulnerability remediation loops

  • Conducting proper vendor due diligence

  • Taking security training seriously

  • Enforcing sanctions

Your HIPAA Security maturity is defined by operational discipline.

Introduction

Some HIPAA Security failures in healthcare come from sophisticated attackers.

But more often, they come from foundational work that health tech teams never get around to doing.

Not because they don’t care.

But because they're busy building product, and they don't have the expertise in-house.

Development teams are shipping features.

Infrastructure teams are scaling environments.

Both are answering security questionnaires and responding to customer tickets.

And in the middle of all of it, the critical HIPAA Security work falls behind.

It's not glamorous work, but it's foundational.

And it's the work that keeps the company's product and reputation secure.

Maintaining a Clear Asset Inventory

Many Health Tech organizations can't answer two basic questions:

What systems actually exist in the environment?

Which of those systems store, process, or transmit PHI?

Without asset visibility, security rests on assumptions.

The Founder believes controls exist.

Engineering believes asset inventory is captured.

Leadership believes the risk is managed.

But when an incident occurs, the first challenge becomes discovery.

You cannot protect what you cannot see.

Visibility is not an advanced control.

It is the foundation of every other HIPAA control.
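One concrete way to answer both questions is to reconcile what discovery actually finds (cloud API, agent, scanner) against what the asset register claims. The Python below is an added example, not code from this article or from Inherent Security; the asset records, the `data-classification` tag key and the register fields are constructed assumptions about how a team might label its inventory.

```python
"""Reconcile discovered assets against the declared asset register.

Added example, not from the original article. The records below are
constructed; the tag key "data-classification" and the register fields
are assumptions about how a team might label its inventory.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    asset_id: str                      # instance, bucket, database or SaaS id
    kind: str                          # compute, storage, database, saas ...
    tags: dict = field(default_factory=dict)


# Constructed sample: what discovery sees in the environment right now.
DISCOVERED = [
    Asset("i-0a1", "compute", {"data-classification": "PHI", "owner": "platform"}),
    Asset("i-0b2", "compute", {"owner": "platform"}),                    # no classification tag
    Asset("db-prod-ehr", "database", {"data-classification": "phi"}),    # lower-case variant
    Asset("bucket-exports", "storage", {"data-classification": "PHI"}),  # register says no PHI
    Asset("i-0c3", "compute", {}),                                       # nobody declared this
]

# Constructed sample: what the asset register (spreadsheet or GRC tool) claims.
DECLARED = {
    "i-0a1": {"phi": True, "owner": "platform"},
    "i-0b2": {"phi": True, "owner": "platform"},
    "db-prod-ehr": {"phi": True, "owner": "data"},
    "bucket-exports": {"phi": False, "owner": "analytics"},
    "i-0d4": {"phi": True, "owner": "platform"},  # decommissioned, never removed
}


def is_phi_tagged(asset: Asset) -> bool:
    """Normalise the classification tag so 'PHI', 'phi' and ' Phi ' all count."""
    return asset.tags.get("data-classification", "").strip().lower() == "phi"


def reconcile(discovered, declared):
    """Return the gaps between what exists and what the register says.

    unknown           present in the environment, absent from the register
    stale             in the register, no longer present in the environment
    untagged_phi      register says PHI, live asset carries no PHI tag, so any
                      tag-driven control (logging, backup, encryption policy)
                      silently does not apply to it
    unregistered_phi  live asset is tagged PHI but the register says it is not
    phi_systems       the reconciled answer to "what processes PHI?"
    """
    seen = {a.asset_id: a for a in discovered}
    unknown = sorted(set(seen) - set(declared))
    stale = sorted(set(declared) - set(seen))
    untagged_phi = sorted(
        aid for aid, rec in declared.items()
        if rec["phi"] and aid in seen and not is_phi_tagged(seen[aid])
    )
    unregistered_phi = sorted(
        aid for aid, a in seen.items()
        if is_phi_tagged(a) and not declared.get(aid, {}).get("phi", False)
    )
    phi_systems = sorted(
        aid for aid, a in seen.items()
        if is_phi_tagged(a) or declared.get(aid, {}).get("phi", False)
    )
    return {
        "unknown": unknown,
        "stale": stale,
        "untagged_phi": untagged_phi,
        "unregistered_phi": unregistered_phi,
        "phi_systems": phi_systems,
    }


if __name__ == "__main__":
    for name, items in reconcile(DISCOVERED, DECLARED).items():
        print(f"{name:17} {items}")
```

Run on a schedule, every non-empty `unknown`, `stale`, `untagged_phi` or `unregistered_phi` list is a ticket for somebody; the `phi_systems` list is the scope statement your risk analysis and your incident responders both start from.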

Keeping Adequate Historical Logs

Logging often exists, but retention falls short of what an investigation requires.

Teams may capture events for a few weeks, sometimes 30 days, occasionally 90.

But incidents are often discovered months after initial compromise.

I would even argue that storing logs for 1 year is outdated today.

Without adequate historical logs, your team and forensic investigators cannot reconstruct what happened.

Critical questions become impossible to answer:

When did access begin?

What data was touched?

What accounts were used?

Logs are the indisputable record of truth during an incident.

And when that record disappears, so does the ability to understand the scope of a breach.
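To make the retention gap concrete, here is an added Python example (not from the article or from any vendor) that checks, for each log source, whether events from the suspected start of an incident still exist on the day the incident is discovered. The source names, retention values and dates are constructed; a retention of `None` stands for a source that never expires, and the 90-day pre-compromise baseline in `required_retention_days` is an assumption of the example.

```python
"""Which log sources still cover an incident's suspected start date?

Added example, not from the original article. Sources, retention values
and incident dates are constructed; None means the source never expires.
"""
from datetime import date, timedelta

# Constructed: retention as configured today, in days.
LOG_SOURCES = {
    "app-api-access": 30,
    "cloud-audit-trail": 90,
    "idp-signin": 365,
    "db-audit-archive": None,   # e.g. archived to object storage with no lifecycle expiry
}

# Constructed incident: found in September, first suspicious activity about
# seven months earlier, a plausible dwell time for a quiet intrusion.
SAMPLE_DISCOVERED = date(2025, 9, 15)
SAMPLE_START = SAMPLE_DISCOVERED - timedelta(days=210)


def earliest_available(retention_days, today):
    """Oldest event date a source can still return on `today`."""
    if retention_days is None:
        return date.min
    return today - timedelta(days=retention_days)


def incident_coverage(sources, discovered_on, suspected_start):
    """Per source: are events from `suspected_start` onward still present on
    the discovery date, and if not, how many days of the compromise window
    have already rolled off?"""
    report = {}
    for name, retention in sources.items():
        oldest = earliest_available(retention, discovered_on)
        if oldest <= suspected_start:
            report[name] = {"covers_start": True, "days_lost": 0}
        else:
            report[name] = {"covers_start": False,
                            "days_lost": (oldest - suspected_start).days}
    return report


def required_retention_days(dwell_days, baseline_days=90):
    """Retention needed so an incident found `dwell_days` after initial
    compromise still has `baseline_days` of normal activity before it.
    The baseline is an assumption of this example: it is what lets an
    investigator tell the first anomalous login apart from routine ones."""
    return dwell_days + baseline_days


if __name__ == "__main__":
    for src, r in incident_coverage(LOG_SOURCES, SAMPLE_DISCOVERED, SAMPLE_START).items():
        print(f"{src:18} covers start: {str(r['covers_start']):5} days lost: {r['days_lost']}")
    print("retention needed for this dwell time:", required_retention_days(210))
```

In the constructed case the API access log has already lost 180 of the 210 days of compromise and the cloud audit trail 120, so "when did access begin?" and "what data was touched?" can only be answered from the identity provider and the database archive. Feed your own sources and your own worst-case dwell time into the same check.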

Closing Vulnerability Remediation Loops

Most growth-stage health tech vendors run vulnerability scans.

That is the easy part.

The harder part is building a remediation strategy that consistently closes the loop.

Low-severity vulnerabilities stay open because they seem harmless.

Medium-severity issues get delayed because engineering priorities shift.

Eventually the vulnerability backlog becomes background noise.

Attackers, however, are patient.

They don't require perfect exploits.

They look for neglected systems.

The work organizations skip is not scanning.

It is remediation.
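Closing the loop means the scanner, not the ticket, decides whether a finding is fixed. The Python below is an added example, not the article's or any vendor's tooling: it diffs two constructed scans against a constructed ticket tracker and an assumed SLA table, and flags findings that were marked resolved but still show up, plus those past their SLA. The finding ids are placeholders and the SLA days are an assumed internal policy, not something HIPAA prescribes.

```python
"""Did the remediation loop actually close? Diff two scans against tickets.

Added example, not from the original article. Scan results, ticket states
and the SLA table are constructed; the SLA days are an assumed internal
policy, not something HIPAA prescribes. Finding ids are placeholders.
"""
from datetime import date

# Assumed remediation SLA in days from first detection, per severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed: two scans of the same hosts, keyed by (host, finding id) so
# the same issue can be matched across runs. Values are severities.
SCAN_1_DATE = date(2025, 3, 1)
SCAN_1 = {
    ("web-01", "finding-A"): "high",
    ("web-01", "finding-B"): "low",
    ("db-01", "finding-C"): "medium",
    ("db-01", "finding-D"): "critical",
}
SCAN_2_DATE = date(2025, 6, 1)             # 92 days later
SCAN_2 = {
    ("web-01", "finding-B"): "low",        # still open, but inside its 180-day SLA
    ("db-01", "finding-C"): "medium",      # still open, now past its 90-day SLA
    ("db-01", "finding-D"): "critical",    # ticket says resolved; scanner disagrees
    ("web-02", "finding-E"): "high",       # new host, its clock starts now
}

# Constructed: what the ticketing system claims about each finding.
TICKETS = {
    ("web-01", "finding-A"): "resolved",
    ("db-01", "finding-C"): "open",
    ("db-01", "finding-D"): "resolved",
}


def remediation_status(first_scan, first_date, second_scan, second_date,
                       tickets, sla=SLA_DAYS):
    """Classify every finding from the first scan using the second scan as
    the source of truth:

    verified_fixed  absent from the later scan (the loop really closed)
    reopened        ticket marked resolved but the scanner still sees it
    overdue         still present and older than its severity SLA
    aging           still present, inside SLA, ticket not claiming resolved
    new             only in the later scan; its clock starts at second_date

    A reopened finding is also listed as overdue when it is past SLA, so
    the overdue list is the complete picture of what is breaching policy.
    """
    age_days = (second_date - first_date).days
    result = {"verified_fixed": [], "reopened": [], "overdue": [], "aging": []}
    for key, severity in first_scan.items():
        if key not in second_scan:
            result["verified_fixed"].append(key)
            continue
        if tickets.get(key) == "resolved":
            result["reopened"].append(key)
        if age_days > sla[severity]:
            result["overdue"].append(key)
        elif tickets.get(key) != "resolved":
            result["aging"].append(key)
    result["new"] = [k for k in second_scan if k not in first_scan]
    return result


if __name__ == "__main__":
    for bucket, keys in remediation_status(SCAN_1, SCAN_1_DATE, SCAN_2,
                                           SCAN_2_DATE, TICKETS).items():
        print(f"{bucket:15} {keys}")
```

The `reopened` bucket is the one that matters most: a critical finding a ticket calls resolved while the scanner still sees it is exactly the neglected system a patient attacker is waiting for, and it only surfaces when the rescan is compared back against the tracker rather than filed away.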

Conducting Proper Vendor Due Diligence

Modern health tech products are ecosystems.

APIs connect platforms.

Cloud services process data.

AI tools analyze patient data.

Analytics platforms monitor product usage.

Each vendor expands the attack surface.

But vendor due diligence often stops at a SOC 2 report.

Health Tech leaders assume controls exist.

And procurement assumes engineering reviewed the vendor.

In reality, shared responsibility often means no clear responsibility.

Vendor risk must be treated as part of your threat surface.

Taking Security Training Seriously

Security awareness training is often treated as a checkbox compliance exercise.

Employees click through slides.

Certificates are issued.

The requirement is considered complete.

But effective security training changes behavior.

It helps employees recognize phishing attempts.

It reinforces proper handling of sensitive data.

It clarifies how to report suspicious activity.

Without leadership reviewing the material and communicating why it matters, training stays a checkbox item and the workforce remains a liability.

Securing your product is impossible without education.

Enforcing Sanctions

Policies alone do not create accountability.

On their own, they're just words on paper.

Organizations must also enforce consequences when policies are ignored.

When HIPAA Security violations occur without a response, employees learn that controls are optional.

Over time, compliance erodes.

Sanctions don't exist to punish employees.

They exist to reinforce the importance of protecting patients and their data.

Without enforcement, policies become suggestions.

HIPAA Maturity Comes From Governance

HIPAA maturity comes from operational governance.

  • Clear asset visibility

  • Robust logging and monitoring

  • Consistent vulnerability remediation

  • Structured vendor oversight

  • Educated employees

  • Enforced security policies

None of this work is glamorous.

But it is the difference between a HIPAA Security program that functions and one that simply exists.

For growth-stage health tech vendors, your goal is readiness.

We compiled our enterprise governance framework into a Strategic Compliance Guide.

Access it here: https://lnkd.in/eDzziDwd

One Question for You

Which area of HIPAA Security do you believe will become most strategically important for health tech in 2026?

  • Asset visibility

  • Logging and monitoring

  • Vendor risk oversight

  • Workforce security training

  • Vulnerability management

FAQ: Common HIPAA Security Questions

What HIPAA security work do growth-stage health tech vendors often overlook?

Growth-stage health tech vendors often overlook foundational HIPAA security work such as maintaining an accurate asset inventory, retaining sufficient historical logs, closing vulnerability remediation loops, conducting vendor due diligence, training workforce members on security responsibilities, and enforcing sanctions for policy violations.

Why is asset inventory important for HIPAA security?

HIPAA security programs depend on accurate asset visibility. Without knowing which systems store, process, or transmit protected health information (PHI), organizations cannot effectively apply administrative, technical, or physical safeguards required by the HIPAA Security Rule.

How long should logs be retained for HIPAA security investigations?

While HIPAA does not prescribe an exact retention period for logs, effective HIPAA security programs retain sufficient historical logging to investigate incidents discovered months to years after compromise and to support breach analysis and regulatory reporting.

Why does vendor due diligence matter for HIPAA compliance?

Health tech vendors frequently rely on cloud providers, analytics platforms, APIs, and AI tools that interact with PHI. Proper vendor due diligence ensures these third parties implement safeguards that align with HIPAA security expectations and contractual obligations. Vendors also accounted for 42% of breaches in healthcare in 2024, the highest across all industries.

Why are workforce training and sanctions required under HIPAA?

The HIPAA Security Rule requires workforce members to receive security awareness training and requires organizations to apply sanctions for violations of security policies. Together, these controls reinforce accountability and help prevent avoidable security incidents.

L Trotter II

As Founder and CEO of Inherent Security, Larry Trotter II is responsible for defining the mission and vision of the company, ensuring execution aligns with the business purpose. Larry has transformed Inherent Security from a consultancy to a cybersecurity company through partnerships and expert acquisitions. Today the company leverages its healthcare and government expertise to accelerate compliance operations for clients.

Larry has provided services for 12 years across private industry, developing security strategies and managing security operations for Fortune 500 companies and healthcare organizations. He is an influential business leader who can demonstrate the value proposition of security and its direct link to customers.

Larry graduated from Old Dominion University with a bachelor’s degree in Business Administration with a focus on IT and Networking. Larry has accumulated certifications such as the CISM, ISO27001 Lead Implementer, GCIA and others. He serves on the Board of Directors for the MIT Enterprise Forum DC and Baltimore.

https://www.inherentsecurity.com