When Your Vendor Becomes Your Vulnerability
TL;DR
Analytics vendor Mixpanel was breached last week, and the breach reached OpenAI: a prime example of your security being only as strong as your third-party stack. No PHI or passwords were stolen, but it is still a reputational and operational hit, all because of an external vendor.
Health tech vendors selling to health systems need to treat this as a warning: vendor risk has become the norm. Third-party breaches accounted for 42% of healthcare breaches in 2024, the highest share of any industry. This article breaks down what happened, why it matters for health tech, and what you must harden today.
Grab the Vendor Risk Audit Toolkit to evaluate your vendors the same way health systems will.
What Actually Happened in the OpenAI–Mixpanel Incident
According to OpenAI’s public statement, here’s the short version:
Mixpanel, an analytics provider, experienced unauthorized access.
A dataset containing names, email addresses, approximate locations, and event metadata was exported.
No passwords, payment info, or OpenAI internal systems were compromised.
OpenAI immediately removed Mixpanel from production, notified users, and began reevaluating its vendor ecosystem.
Nothing catastrophic, but still a breach: user data was exposed, and it was a vendor issue that OpenAI had to clean up publicly.
This should sound very familiar to anyone in health tech.
Why This Matters to Health Tech Vendors Selling to Health Systems
Health systems already struggle with third-party and supply-chain risk. They expect vendors to have airtight processes, documentation, and vendor oversight.
The Mixpanel breach highlights several truths:
You can have great security, and still get hit when a vendor fails.
A vendor breach becomes your incident in the eyes of your customers.
Analytics, CRMs, logging platforms…they all count as attack surface.
This scenario would trigger a HIPAA breach notification if PHI were involved.
Vendor security is not background noise.
It’s a front-page, revenue-impacting, and deal-killing risk.
Lesson 1: Every Vendor Is Part of Your Attack Surface
Most health tech platforms use:
Analytics tools
AI services (model APIs, LLM features)
CI/CD tools
Helpdesk systems
Integrations with other SaaS
Infrastructure vendors
Every one of these should be treated as a potential breach path.
👉 Use the Vendor Security Checklist to audit your vendor ecosystem.
Lesson 2: BAAs Must Be Airtight
If PHI touches a vendor, you need:
A signed BAA
Documentation of their controls
Annual verification that those controls are still in place
Incident reporting pathways
This is where many growth-stage health tech companies fall short.
A vendor touching PHI without a BAA is a regulatory landmine.
Lesson 3: Demand Proof From Your Vendors (Not Promises)
Mixpanel is a well-known platform with a mature security program, and it still had an incident.
So ask for:
SOC 2 Type II reports
Penetration Testing Reports
Documentation of controls (e.g. encryption, IAM, and development practices)
Data retention and deletion policies
If your vendor can’t give you documentation, they can’t handle your data.
Lesson 4: Map Your Data Flows Like Your Deals Depend On It (They Do)
Health systems love diagrams.
They want to know exactly where PHI or PII flows.
If you don’t know:
What data you’re managing
Where it’s stored
What’s logged
What’s transmitted
What vendors have access to it
…then you can’t prove compliance.
Lesson 5: Build Vendor Breach Scenarios Into Your IR Plan
OpenAI responded quickly because they had a plan.
Would you?
Your incident response program should explicitly cover:
Vendor communication channels
Security breaches at a vendor
PHI leaks
Downstream vendor outages
API misuse
If a vendor goes down, misconfigures a bucket, or leaks PHI, you need a rehearsed playbook.
Lesson 6: Vendor Risk Must Be a Sales Asset, Not a Liability
One reason health tech vendors lose deals is poor vendor security.
Here is how you flip the script.
Put your vendor security program in your sales deck:
Inventory
Risk scoring
BAAs
Monitoring Strategy
IR scenarios
Make risk management a competitive advantage.
Quick Vendor Audit Checklist (Do This This Week)
Inventory all active vendors
Classify by risk: critical / high / medium / low
Verify BAAs
Request or refresh compliance reports
Run a vendor tabletop with engineering + leadership
👉 Download the Vendor Security Toolkit (Checklist + Scoring Rubric) to guide your audit.
FAQ
Do vendor breaches count as our breaches under HIPAA?
Yes. If PHI is involved, the covered entity treats it as your breach, not your vendor’s: as a business associate you must report a breach at your subcontractor up to the covered entity, so you own the notification.
What if a vendor only handles analytics metadata?
Still risky. Metadata leaks fuel phishing, credential stuffing, and impersonation.
What’s the fastest way for a growing startup to improve vendor risk?
Begin with a vendor inventory + scoring rubric, then prioritize security reviews for your top 5 highest-risk vendors.
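As an added example (not code from the article or its toolkit), here is a small Python scoring rubric that walks the checklist above and this FAQ answer: inventory vendors with the data types they touch (the Lesson 4 data-flow question), score each one, force any vendor touching PHI without a BAA into the critical tier regardless of its score, and rank the top five for review. The weights, thresholds, tier cut-offs, and the sample inventory are assumptions constructed for illustration, not a standard.

```python
"""Vendor inventory and risk-scoring rubric (added example; weights are assumptions)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Vendor:
    name: str
    category: str               # analytics, CRM, CI/CD, helpdesk, infra, AI ...
    data_types: FrozenSet[str]  # subset of DATA_WEIGHT keys the vendor can see
    access: str                 # integration access into YOUR systems: none/read/write/admin
    baa_signed: bool
    soc2_type2: bool            # current SOC 2 Type II report on file
    pentest_report: bool        # recent third-party pentest report on file
    days_since_review: int      # days since your last security review of them


# Assumed weights on a 0-100 scale: what data the vendor sees dominates the score.
DATA_WEIGHT: Dict[str, int] = {"PHI": 40, "credentials": 35, "PII": 25, "metadata": 10}
ACCESS_WEIGHT: Dict[str, int] = {"none": 0, "read": 10, "write": 20, "admin": 30}

# Penalties for missing evidence. "PHI without BAA" carries no points because
# classify() overrides it to critical outright; it is a regulatory issue, not a score.
GAP_PENALTY: Dict[str, int] = {
    "PHI without BAA": 0,
    "no SOC 2 Type II": 10,
    "no pentest report": 5,
    "review older than 12 months": 10,
}


def gaps(v: Vendor) -> List[str]:
    """Control gaps an auditor (or a health-system buyer) would flag for this vendor."""
    found = []
    if "PHI" in v.data_types and not v.baa_signed:
        found.append("PHI without BAA")
    if not v.soc2_type2:
        found.append("no SOC 2 Type II")
    if not v.pentest_report:
        found.append("no pentest report")
    if v.days_since_review > 365:
        found.append("review older than 12 months")
    return found


def score(v: Vendor) -> int:
    """0-100 risk score: exposure (most sensitive data type + access) plus evidence gaps."""
    exposure = max((DATA_WEIGHT[d] for d in v.data_types), default=0)
    exposure += ACCESS_WEIGHT[v.access]
    penalty = sum(GAP_PENALTY[g] for g in gaps(v))
    return min(100, exposure + penalty)


def classify(v: Vendor) -> str:
    """Tier used to prioritise reviews. PHI without a signed BAA is always critical."""
    if "PHI without BAA" in gaps(v):
        return "critical"
    s = score(v)
    if s >= 70:
        return "critical"
    if s >= 45:
        return "high"
    if s >= 20:
        return "medium"
    return "low"


def prioritise(vendors: List[Vendor], n: int = 5) -> List[Tuple[str, str, int]]:
    """Top-n vendors to review first: by tier, then by descending score, then by name."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    ranked = sorted(vendors, key=lambda v: (order[classify(v)], -score(v), v.name))
    return [(v.name, classify(v), score(v)) for v in ranked[:n]]


# Constructed sample inventory (hypothetical vendors, not real companies or findings).
INVENTORY: List[Vendor] = [
    Vendor("analytics-vendor", "analytics", frozenset({"PII", "metadata"}), "none", False, True, True, 30),
    Vendor("ehr-integration-api", "integration", frozenset({"PHI", "PII"}), "write", True, True, False, 400),
    Vendor("helpdesk", "helpdesk", frozenset({"PII", "metadata"}), "read", False, True, False, 100),
    Vendor("ai-summarizer", "AI", frozenset({"PHI"}), "read", False, False, False, 10),
    Vendor("ci-cd", "CI/CD", frozenset({"credentials"}), "admin", False, True, True, 200),
    Vendor("cdn", "infra", frozenset({"metadata"}), "none", False, True, True, 50),
]

if __name__ == "__main__":
    for name, tier, s in prioritise(INVENTORY):
        v = next(x for x in INVENTORY if x.name == name)
        print(f"{name:22} {tier:9} {s:3}  gaps: {', '.join(gaps(v)) or 'none'}")
```

Two things the ranking makes visible that the checklist alone does not: the AI vendor scores lower than the EHR integration, yet lands in the critical tier purely because it sees PHI with no BAA, and the CI/CD vendor that holds no PHI at all still outranks every PII-only vendor because admin access plus credentials is how a vendor compromise becomes your compromise.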
Conclusion
The Mixpanel incident is a blueprint for how a single vendor can affect an entire ecosystem (see Change Healthcare).
If OpenAI can be impacted through a vendor, your growth-stage health tech startup definitely can be.
Health systems trust partners who secure their own code and their entire ecosystem.
Lock down today, scale tomorrow.
Resources
👉 Download the Vendor Security Checklist
👉 Download the AI Readiness Guide