Who’s Actually Responsible for HIPAA Security at Your Company?

And are they qualified, or just the only one left standing?

Most growing health tech teams don’t have a real answer.

When a breach happens or an audit comes, they scramble.

Why?

Because nobody "owns" HIPAA Security.

It gets pushed to the Devs.

Or the CTO.

Or whoever was volunteered in the last meeting.

And that’s a problem.

HIPAA doesn’t care who you meant to put in charge.

Regulators want a name.

Buyers want accountability.

And your reputation?

It doesn't get a second chance.

Here's the uncomfortable truth

HIPAA requires you to designate someone to lead your security program.

It’s written into federal law (45 CFR §164.308(a)(2)), if you like citations.

That person needs to know what they’re doing.

They need POWER, not just a title.

And if you don’t have that?

You’re not secure, you’re just a ticking time bomb.

But we’re a startup, not a hospital

Doesn’t matter.

Ransomware doesn’t care about headcount.

The Office for Civil Rights doesn’t care that you’re “still growing.”

And your enterprise partners?

They especially don’t care.

They want to know you’re handling PHI like a grown-up company.

That means clear leadership, UNIQUE policies, and clear proof.

Your dev team isn’t trained in compliance. Your CTO doesn’t have time for security strategy. This guide is built for growing health tech teams who need leadership, not just another checklist.

👉 Get the Guide

So who’s your CISO?

If you're not sure, you're overdue for a conversation.

You don’t need a full-time hire today.

But you do need someone accountable.

Someone who understands HIPAA and how startups scale.

That’s where a Fractional CISO makes sense.

They slot into your team.

They build your roadmap.

They make sure compliance isn’t just a line in your pitch deck.

Because at some point, that next buyer, investor, or regulator will ask the question:

"Who’s responsible for HIPAA Security here?"

The question is, will you have a good answer?

Want to see what most scaling health tech companies miss?

Your competitors are reading this.

Your future clients are expecting it.

And this guide breaks down the gaps most growing health tech teams don’t even know exist.

👉 Get the Guide

L Trotter II

As Founder and CEO of Inherent Security, Larry Trotter II is responsible for defining the mission and vision of the company, ensuring execution aligns with the business purpose. Larry has transformed Inherent Security from a consultancy to a cybersecurity company through partnerships and expert acquisitions. Today the company leverages its healthcare and government expertise to accelerate compliance operations for clients.

Larry has provided services for 12 years across the private industry, developing security strategies and managing security operations for Fortune 500 companies and healthcare organizations. He is an influential business leader who can demonstrate the value proposition of security and its direct link to customers.

Larry graduated from Old Dominion University with a bachelor’s degree in Business Administration with a focus on IT and Networking. Larry has accumulated certifications such as the CISM, ISO27001 Lead Implementer, GCIA and others. He serves on the Board of Directors for the MIT Enterprise Forum DC and Baltimore.

https://www.inherentsecurity.com