HIPAA Mistakes Quietly Killing Health Tech Deals With Hospitals

TL;DR

Health tech vendors don’t lose hospital deals because their product is weak. They lose them because their HIPAA posture isn’t credible at scale.

Hospitals no longer accept “we’re HIPAA compliant” as an answer. They want proof, process, and maturity. Breaches like those at Mixpanel and TriZetto aren't making it any easier.

This article breaks down the seven HIPAA mistakes that quietly block deals, slow procurement, and raise red flags during hospital security reviews, and how to fix them before you sell.

For a clearer path forward, download the Strategic Guide for Health Tech Leaders. It breaks down how hospital buyers evaluate HIPAA readiness, security maturity and more!

Mistake 1: Treating HIPAA as a One-Time Project

Many vendors approach HIPAA like a launch task.

Policies written.

Let's check these other boxes.... done!

Hospitals see right through this.

HIPAA is an ONGOING risk management strategy, not a milestone.

Your product changes.

The infrastructure evolves.

Your vendor numbers grow.

And your risks change with it.

What hospitals expect

  • Evidence of recurring risk assessments

  • Policies that match your actual operations, not just templates

  • Proof that HIPAA is treated as part of the business, not as a regulatory hurdle

Do this: Run a HIPAA risk assessment whenever your environment changes materially (hint: a new AI add-on counts) and a gap assessment at least annually.

Mistake 2: Assuming SOC 2 Covers HIPAA

SOC 2 helps.

It does not replace HIPAA.

Hospitals know the difference.

SOC 2 focuses on the Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy) as a general-purpose attestation.

HIPAA focuses on PHI protection, privacy, de-identification, and regulatory accountability for covered entities and business associates.

Hospitals look for this:

  • HIPAA Administrative, Technical, and Physical safeguards

  • PHI data-flow documentation

  • HIPAA-aligned breach response timelines (notification without unreasonable delay and no later than 60 days after discovery)

Do this: Map SOC 2 controls to HIPAA requirements and document the gaps explicitly. I use a framework to make it more efficient for my clients. Frameworks are a language hospital security teams love and speak fluently.

Mistake 3: Not Knowing Exactly Where PHI Lives and Moves

If you can’t clearly explain:

  • How PHI is collected

  • How it’s stored

  • How it's de-identified

  • Who can access it

  • How long it's stored

You have some work to do.

Hospitals expect clear, defensible data-flow diagrams, not outdated and unclear ones.

Do this: Map PHI end-to-end across your applications, integrations, analytics tools, vendors, logs, and support workflows.

Mistake 4: Missing or Outdated Business Associate Agreements

If a vendor touches PHI on your behalf, you need a BAA, period.

This includes cloud providers, support tools, analytics platforms, data processors, and subcontractors.

Hospitals will ask for assurance, not explanations.

Do this: Maintain a BAA inventory tied directly to your vendor list, review it annually, and dig deeper. Don't rely on their word, rely on evidence.

Mistake 5: Ignoring Tracking Technologies and Marketing Tools

Tracking pixels, form analytics, CRMs, etc. can easily cross into PHI territory.

Intent doesn’t matter...

Data exposure does.

Do this: Audit tracking technologies, minimize data collection, and validate configurations and agreements. OpenAI and PornHub were both hit last week by a breach at their shared analytics vendor, Mixpanel. This is yet another signal that vendors remain at the top of the list of breach sources for organizations.

🟥 FYI: vendors accounted for 42% of healthcare breaches in 2024, the highest share of any industry.
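The two "do this" items above (keep a BAA inventory tied to your vendor list; audit what your web pages hand to third parties) can be checked together with a small script. What follows is an added example written for this article, not code from Inherent Security or from the vendors mentioned: it parses a constructed patient-portal page, lists every third-party host that receives script loads, pixel requests, iframes, or form submissions, and checks each one against a constructed BAA inventory. All domains (`*.test`), the inventory entries, and the audit date are hypothetical.

```python
"""Audit a web page for third-party data flows and cross-check them against a BAA inventory.

Added example (not the article's code). Vendors, domains and dates are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed BAA inventory keyed by vendor domain. "expires" is the BAA end date.
BAA_INVENTORY = {
    "analytics-vendor.test": {"expires": date(2026, 6, 30)},
    "crm-vendor.test": {"expires": date(2024, 12, 31)},   # lapsed, never renewed
}

# Hypothetical audit date, fixed so the run is reproducible.
AUDIT_DATE = date(2025, 12, 1)
FIRST_PARTY_HOST = "portal.example-health.test"

# Tag -> attribute through which a page sends requests (and therefore page context,
# URL parameters, referrer, or form fields) to another host.
LOADING_ATTRS = {"script": "src", "img": "src", "iframe": "src", "form": "action"}

# Constructed appointment-booking page: one BAA-covered analytics script, one
# tracking pixel with no BAA, and a form posting PHI-like fields to a CRM whose BAA lapsed.
SAMPLE_PAGE = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.analytics-vendor.test/collect.js"></script>
</head><body>
<img src="https://px.tracker.test/pixel.gif?page=appointment-booking" width="1" height="1">
<form action="https://forms.crm-vendor.test/submit" method="post">
  <input name="patient_name"><input name="diagnosis">
</form>
<form action="/portal/login" method="post"><input name="user"></form>
<img src="/logo.png">
</body></html>
"""


@dataclass
class Finding:
    host: str                 # registrable vendor domain
    tags: set = field(default_factory=set)   # which HTML tags reach this host
    status: str = ""          # BAA coverage verdict


class ThirdPartyCollector(HTMLParser):
    """Collect (tag, url) for every element that makes a request to some host."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = LOADING_ATTRS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if url:
            self.refs.append((tag, url))


def registrable(host):
    """Collapse subdomains to the last two labels (simplification: ignores public suffixes like co.uk)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify(domain, inventory, today):
    """Return the BAA verdict for a vendor domain as of `today`."""
    entry = inventory.get(domain)
    if entry is None:
        return "NO BAA on file"
    if entry["expires"] < today:
        return "BAA EXPIRED " + entry["expires"].isoformat()
    return "covered by BAA"


def audit_page(html, first_party_host, inventory=BAA_INVENTORY, today=AUDIT_DATE):
    """Parse `html`, drop first-party/relative references, and return Findings sorted by host."""
    parser = ThirdPartyCollector()
    parser.feed(html)
    findings = {}
    for tag, url in parser.refs:
        host = urlparse(url).hostname
        if host is None or registrable(host) == registrable(first_party_host):
            continue   # relative or first-party: no disclosure to a vendor
        domain = registrable(host)
        findings.setdefault(domain, Finding(host=domain)).tags.add(tag)
    for domain, f in findings.items():
        f.status = classify(domain, inventory, today)
    return sorted(findings.values(), key=lambda f: f.host)


if __name__ == "__main__":
    for f in audit_page(SAMPLE_PAGE, FIRST_PARTY_HOST):
        flag = "  <-- form fields leave the site" if "form" in f.tags else ""
        print(f"{f.host:25} {sorted(f.tags)!s:20} {f.status}{flag}")
```

Run it against your real pages (fetched with the same cookies a logged-in patient would have, since tracking configuration often differs behind login) and anything reported as "NO BAA on file" or "BAA EXPIRED" is exactly the gap a hospital security reviewer will find. A form posting to an uncovered host is the worst case: the field values themselves, not just page context, are leaving your boundary.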

Mistake 6: Weak Incident Response Beyond IT

Many vendors have an incident response plan that lives solely with IT.

Hospitals expect more and patients deserve more.

HIPAA incidents involve legal, security, leadership, PR, and vendors, not just engineers.

Do this: Build and test an incident response plan that includes vendor breaches, how and when you communicate to hospitals, and how decisions will be made.

Mistake 7: Treating HIPAA as Compliance Instead of Trust

Hospitals don’t buy compliance.

They buy confidence.

Your HIPAA program signals that you know how to react when something's wrong.

Do this: Turn HIPAA into part of your GTM strategy. Bring it up in sales pitches and pilots. And train your sales team to speak about security confidently enough that the hospital wants to adopt.


What Health Tech Vendors Should Do Next

Before your next hospital deal, be able to confidently answer:

  • Can we show a current HIPAA risk assessment?

  • Do we know every vendor touching PHI?

  • Can we explain our data flows clearly?

  • Are our BAAs complete and current?

  • Have we tested incident response beyond IT?

Hospitals don’t expect perfection from growth-stage health tech vendors.

They expect discipline, transparency, and maturity.

Let’s Talk Health Tech

Let’s make this a real conversation.

If you sell into hospitals, you’ve probably felt this already: deals slowing down, security questionnaires getting longer, and HIPAA becoming a gating factor.

P.S. Which part of HIPAA do you think health tech vendors underestimate the most when selling to hospitals? 👈

L Trotter II

As Founder and CEO of Inherent Security, Larry Trotter II is responsible for defining the mission and vision of the company, ensuring execution aligns with the business purpose. Larry has transformed Inherent Security from a consultancy to a cybersecurity company through partnerships and expert acquisitions. Today the company leverages its healthcare and government expertise to accelerate compliance operations for clients.

Larry has provided services for 12 years across private industry, developing security strategies and managing security operations for Fortune 500 companies and healthcare organizations. He is an influential business leader who can demonstrate the value proposition of security and its direct link to customers.

Larry graduated from Old Dominion University with a bachelor’s degree in Business Administration with a focus on IT and Networking. Larry has accumulated certifications such as the CISM, ISO27001 Lead Implementer, GCIA and others. He serves on the Board of Directors for the MIT Enterprise Forum DC and Baltimore.

https://www.inherentsecurity.com