Security Questionnaires Are the New Gatekeepers, and Most Health Tech Companies Fail Them
The Deal-Killer No One Warns You About
You’ve made it through the demo.
The buyer is excited.
Workflow validation looks promising.
Then everything slows down.
Not because your product isn’t good.
Not because you didn't follow up soon enough.
Not because buyer adoption didn't get the green light.
But because your answers didn't meet their expectations on the security questionnaire.
For most 20–40 person health tech companies, this is where deals stall or disappear.
What Is a Security Questionnaire (And Why It Matters Now More Than Ever)
A security questionnaire is a formal set of questions enterprise healthcare buyers use to evaluate whether a vendor's security and privacy controls meet HIPAA requirements before that vendor is trusted with PHI.
In health tech, it typically includes questions about:
HIPAA compliance
Data encryption standards
Access controls and authentication
Incident response procedures
Infrastructure and hosting security
Business continuity and disaster recovery
Simply put:
It’s how enterprise healthcare buyers decide if you’re safe enough to work with PHI.
And in healthcare, “safe enough” is mandatory.
These questionnaires are now a standard part of procurement, legal review, and vendor onboarding across the industry.
Why Security Questionnaires Are the New Gatekeepers in Health Tech
Security questionnaires have become the first line of defense in enterprise healthcare sales.
Not cyber insurance.
Not BAAs.
Not AI.
Before procurement gets serious, buyers are asking:
“Are you HIPAA compliant?”
“How do you protect PHI?”
“Can you prove it?”
This is the shift:
Buyers went from evaluating what your product does first to evaluating how risky it is to buy from you.
This means:
If you fail the security questionnaire, the deal doesn’t move forward regardless of how good your product is.
Where Most Health Tech Companies Fail
Growth-stage health tech companies rarely fail because they lack HIPAA compliance outright.
They get questioned because their documents contradict each other.
They fail because they can't prove compliance.
Here’s how it breaks down:
1. They Think “We’re HIPAA Compliant” Is Enough
Many teams assume compliance is a status.
But enterprise healthcare buyers don’t accept assumptions.
They want:
Policies
Documentation
Evidence
Consistency
If you can’t prove it, it doesn’t exist.
2. Compliance Lives in People’s Heads
In 20–40 person companies, HIPAA knowledge is often:
Owned by the CTO
Stored in Notion, Slack, or “tribal knowledge”
Not standardized across operations
So when a questionnaire arrives, answers vary depending on who responds.
That inconsistency is a red flag.
3. They Can’t Answer Standard Questions Clearly
Security questionnaires are predictable.
But most growth-stage health tech companies struggle with questions like:
“What third-party vendors does your technology integrate with, and do they handle PHI?”
“What is your incident response process?”
“What does your data lifecycle management process look like?”
Vague answers don’t pass healthcare reviews.
4. They Underestimate Buyer Scrutiny
Enterprise healthcare buyers are trained to look for risk.
They’ve seen breaches.
They’ve rejected vendors before.
They know what weak compliance looks like.
The Cost of Failing a Security Questionnaire
Failing a security questionnaire doesn’t always look like a “no.”
It looks like:
“We need more time to review internally…”
“Can you clarify this section?”
“We’ll circle back after legal review…”
Translation: the deal is stuck.
And the cost compounds:
Sales cycles extend by months
Deals slowly die in procurement
Trust erodes before contracts are signed
Revenue forecasts become unreliable
For growth-stage health tech vendors, this is one of the common hidden revenue blockers.
Why This Gets Worse as You Scale
Early-stage health tech companies can sometimes bypass formal review.
But once you reach enterprise buyers, everything changes.
At scale:
Every vendor goes through a security review
Every answer is documented and audited
Every gap is scrutinized
This is the point where many 20–40 person companies get stuck.
They built a great product but not a scalable compliance program.
Security Questionnaires = A Hidden HIPAA Compliance Test
A security questionnaire is a real-time audit of your HIPAA maturity.
Every section maps back to HIPAA requirements:
Administrative safeguards → policies, risk analysis, workforce training, governance
Technical safeguards → access control, audit logging and monitoring, encryption, transmission security
Physical safeguards → facility, workstation, and device/media controls, including your hosting provider's data center controls
So when you fail a questionnaire, you are failing a HIPAA compliance test, and the enterprise deal fails with it.
What “Good” Looks Like
Companies that consistently pass security questionnaires share one trait:
They don’t “figure it out” per deal.
They already have:
Documented HIPAA policies
Centralized compliance documentation
Clear technical security architecture
Standardized answers ready for enterprise review
Dedicated expertise to manage their vendor security process
In other words, they're questionnaire-ready before the question is asked.
The Shift: From Reactive to Proactive Compliance
Reactive health tech companies operate like this:
A deal gets blocked
The team scrambles for answers
Documents are created under pressure
The process repeats next deal
Proactive health tech companies flip this model.
They invest in compliance upfront so that a security questionnaire is a routine step in the buyer's review rather than a fire drill.
This is where HIPAA compliance becomes your growth enabler.
If You’re Failing Here, It’s Not Random
If security questionnaires are slowing your deals, it’s a signal.
A signal that your compliance maturity hasn’t caught up with your growth stage.
And in health tech, that gap is expensive.
Because enterprise buyers don’t wait.
They move on to the next vendor who can prove they’re ready.
If this resonates…
It usually means your organization is entering the stage where HIPAA compliance can no longer be treated as ad hoc. The companies that fix this early are the ones that consistently close enterprise deals faster.