Healthcare security — HIPAA, BAAs, and AI in clinical context
Any product that stores, processes or transmits PHI on behalf of a covered entity is a HIPAA business associate: it needs Privacy and Security Rule compliance, a BAA with every sub-processor, and audit logging strong enough to reconstruct who accessed which record and when. AI clinical-decision products add model-governance requirements on top of that.
Top security risks
PHI in logs / analytics
One of the most common HIPAA failures: PHI accidentally written to application logs, crash reports or APM traces, or forwarded to a product-analytics vendor that has no BAA. Treat every log and analytics sink as a PHI store unless scrubbing at the source proves otherwise.
Sub-processor without BAA
Every vendor that stores, processes or transmits PHI needs a signed BAA before it receives any. Disclosing PHI to a vendor without one is an impermissible disclosure, which HIPAA presumes to be a reportable breach unless a documented risk assessment shows a low probability that the PHI was compromised.
Email PHI
HIPAA does not ban unencrypted email outright (encryption is an "addressable" safeguard, and a patient may ask for plain email), but a misdirected or intercepted unencrypted message is unsecured PHI and a reportable breach. Use encrypted channels (a patient portal, S/MIME, or TLS-enforced secure mail) by default.
AI model trained on PHI
Training or fine-tuning on PHI needs either patient authorization or de-identification under the Privacy Rule: Safe Harbor (removal of the 18 listed identifier types) or Expert Determination. A model that memorizes training records can regurgitate PHI, so treat model weights, prompts and outputs as inside the PHI boundary.
Regulatory context
HIPAA (US), HITRUST (voluntary, but expected by enterprise health buyers), FDA guidance on Clinical Decision Support software and SaMD for clinical decision tools, GDPR (EU), state health-data laws.
Checklist
- BAA signed with every vendor touching PHI, before any PHI flows to it
- PHI scrubbing at the source in logs and analytics pipelines (redact identifiers, drop PHI fields before they reach any sink)
- Encryption at rest and in transit (AES-256 / TLS 1.2+); PHI encrypted per HHS guidance is not "unsecured PHI", so its loss does not trigger breach notification
- Access logging (who read or changed which record, when) with 6-year retention; HIPAA's 6-year rule is for policies and documentation, and applying it to audit logs is the usual conservative choice
- Annual risk assessment documented
- Incident response with breach notification to affected individuals without unreasonable delay and no later than 60 days after discovery (HHS within 60 days if 500+ individuals, otherwise via the annual log; media if 500+ residents of one state); a business associate must notify the covered entity within 60 days, and most BAAs demand far less
- HITRUST certification if selling to large health systems
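The "PHI in logs / analytics" risk above and the scrubbing item in this checklist both come down to the same control: identifiers are redacted or dropped before a record leaves the PHI boundary, not filtered out later at the sink. The following is an added example, not code from the original page; it assumes a Python service using the standard `logging` module and a dict-shaped analytics event. The identifier regexes (SSN, MRN, phone, email, date of birth) and the MRN format are assumptions for illustration, and the sample log lines are constructed. Note what regexes cannot do: free-text names and addresses are not caught, so those fields are blocked by key name and the log schema should never carry them in the first place.

```python
"""Scrub PHI-like identifiers from logs and analytics events at the source.

Added example (not the page's own code). Assumes Python's standard
``logging`` module and dict-shaped analytics events. Regex patterns and
the MRN format are assumptions; tune them to your own identifier formats.
"""
import logging
import re

# Identifier types that commonly leak into logs. Assumed formats.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "phone": re.compile(r"\b\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "dob": re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/(?:19|20)\d{2}\b"),
}

# Structured keys that regexes cannot reliably catch (names, addresses,
# diagnoses): dropped outright, never sent even in redacted form.
DENY_KEYS = {"patient_name", "dob", "ssn", "mrn", "address", "diagnosis"}


def redact_text(text: str) -> tuple[str, list[str]]:
    """Replace PHI-like substrings with a tagged placeholder.

    Returns the scrubbed text and the list of identifier types that hit,
    so a pipeline can count leaks per source and fix them upstream.
    """
    hits = []
    for name, pattern in PHI_PATTERNS.items():
        text, count = pattern.subn(f"[REDACTED-{name.upper()}]", text)
        if count:
            hits.append(name)
    return text, hits


def scrub_event(event: dict) -> dict:
    """Scrub a structured analytics/log event before it leaves the PHI boundary."""
    out = {}
    for key, value in event.items():
        if key in DENY_KEYS:
            continue  # drop the field entirely
        if isinstance(value, str):
            value, _ = redact_text(value)
        elif isinstance(value, dict):
            value = scrub_event(value)  # recurse into nested context
        out[key] = value
    return out


class PHIRedactingFilter(logging.Filter):
    """Logging filter that scrubs the formatted message and denied extra fields.

    Attach it to the handler so it runs on every record before formatting.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        clean, hits = redact_text(record.getMessage())
        record.msg = clean
        record.args = ()  # message is already interpolated
        for key in list(vars(record)):  # fields passed via extra=
            if key in DENY_KEYS:
                setattr(record, key, "[DROPPED]")
        record.phi_hits = hits
        return True


def demo() -> list[str]:
    """Run constructed sample lines through a filtered logger; return emitted text."""
    emitted: list[str] = []

    class ListHandler(logging.Handler):
        def emit(self, record: logging.LogRecord) -> None:
            emitted.append(self.format(record))

    logger = logging.getLogger("phi-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(PHIRedactingFilter())
    logger.addHandler(handler)

    # Constructed sample log lines, not real data.
    logger.info("chart opened for MRN 00123456 by user 4471")
    logger.info("appointment reminder sent to jane.doe@example.org, phone 555-123-4567")
    logger.warning("eligibility lookup failed: ssn=123-45-6789 dob=1984-03-12")
    return emitted


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The `phi_hits` attribute the filter attaches is the useful part operationally: ship it as a metric and any service that keeps tripping the redactor is a bug to fix at the call site, because a regex that fires is evidence PHI reached the logging layer at all.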
Health enterprise buyers ask for HITRUST before SOC 2 in 2026. Plan accordingly.