HIPAA

Digital health, RCM, health-tech & HIPAA business associates

Health-tech vendors who handle PHI and need to walk into a BAA conversation with documented readiness.

"Run a 45 CFR Part 164 risk analysis and document Security + Privacy Rule posture — the way OCR expects."

See the self-service journey this ICP walks through (PDF) →

Market context

~700,000 covered entities and business associates fall under HIPAA. Enforcement and breach scrutiny are both increasing.

HIPAA is enforced by HHS Office for Civil Rights (OCR). The two operative rule sets are the Privacy Rule (45 CFR Part 160 + Subparts A and E of Part 164) and the Security Rule (45 CFR Subpart C of Part 164, §§164.302–318). The Breach Notification Rule (Subpart D) sets the 60-day notification clock and the famous 'Wall of Shame' public posting threshold of 500 affected individuals.

In December 2024, OCR published a Notice of Proposed Rulemaking (NPRM) proposing the first major Security Rule update since 2013 — adding required (no longer 'addressable') controls like encryption, MFA, network segmentation, vulnerability scanning, and 72-hour data-restoration capability. The healthcare market is now planning to a moving target.

Enforcement activity is rising: 2023 saw a record-setting count of large-breach reports to OCR (700+ involving ≥500 individuals), and 2024 carried the trend forward, driven by ransomware against hospitals, payers, and Business Associates (Change Healthcare being the canonical example). OCR resolution agreements increasingly require risk-analysis remediation as the first ordered corrective action.

On the buyer side, hospital and payer procurement now require a documented risk analysis and a current Security Rule attestation as a precondition to signing a Business Associate Agreement (BAA). Vendor-risk teams use HITRUST, SOC 2 + HIPAA mapping, and OCR's own audit protocol to frame their questions. Vendors who can produce a tidy, current risk analysis sign BAAs faster.

Firmographics

How to filter your list.

Employee count: 10–1,000 (sweet spot 25–300)
Role under HIPAA: Business Associate; some covered entities (telehealth, clinics)
Industry: Digital health, telehealth, RCM, mental-health platforms, payer-tech, clinical SaaS, lab software, AI scribes, RPM
Geography: US (HIPAA jurisdiction); some UK/EU vendors selling into US healthcare
Funding stage: Seed to Series C; bootstrapped RCM and clinic-tech vendors also fit
Buyer signals: Sells to hospitals, IDNs, health systems, payers, ACOs, FQHCs, or other BAs
Tech stack signals: AWS HIPAA-eligible services, Twilio HIPAA, Mongo + KMS, Snowflake HCLS

Buyer personas

Who's actually in the room.

Security Officer / CISO

Owns: The HIPAA Security Rule — risk analysis, technical safeguards, incident response.
Fears: OCR resolution agreement on their watch. Failure to produce a current risk analysis when asked.
Measured on: Risk analysis recency; BAA close rate; audit findings.
Where to find them: HIMSS, AEHIS, HIPAA Journal newsletter, healthtech security Slacks.

Privacy Officer / Compliance Lead

Owns: The HIPAA Privacy Rule, Notice of Privacy Practices, BAAs, breach notification workflow.
Fears: A breach that crosses the 500-individual threshold and lands on the Wall of Shame.
Measured on: Time-to-BAA; complaints logged & resolved; training completion.
Where to find them: AHIMA, IAPP (privacy-side), HCCA conferences.

CTO / Founding Engineer

Owns: Production environment, AWS/GCP HIPAA-eligible services, encryption posture, vendor selection.
Fears: A subprocessor breach attribution. Production access misconfiguration.
Measured on: Uptime, security review velocity, engineering velocity.
Where to find them: Health-tech founder Slacks, a16z bio+health, Rock Health newsletter.

Trigger events

When the buying window opens.

For each trigger, here's how to detect it for free. Set Google Alerts, RSS, or LinkedIn Sales Navigator job-change alerts and you'll see them before competitors do.

New BAA request from a hospital, payer, or large BA
Breach disclosure (theirs OR a competitor's) in the last 12 months
Hiring a first Privacy Officer, Security Officer, or HIPAA compliance lead
Series A/B funding into health-tech with named hospital design partners
Public mention of HIPAA Security Rule NPRM readiness or remediation
OCR resolution agreement, audit, or settlement announcement in their segment

Pain points

What they're losing sleep over.

  • Hospital procurement won't sign a BAA without a current risk analysis
  • Last risk analysis was done by a consultant 2 years ago and is stale
  • Engineering set up AWS HIPAA-eligible services but no one documented it
  • Founders signed BAAs early without understanding the obligations
  • A subprocessor (analytics, support, chat) is processing PHI without a BAA
  • Audit logs exist but no one is reviewing them — explicit Security Rule failure
  • Breach contingency plan is a doc that no one has tested
  • Sales team is racing the upcoming NPRM clock without a remediation plan

Messaging angles

What converts.

"Walk into your next BAA conversation with documented readiness."

A 45 CFR 164.308(a)(1)(ii)(A) risk analysis, written the way OCR auditors expect to see it — current, defensible, exportable.

"Get ahead of the HIPAA Security Rule NPRM before it lands."

Map your current safeguards to both the existing 2013 Rule and the proposed updates — encryption, MFA, segmentation, 72-hour restoration — and see your real exposure.

"Stop trusting your last consultant's PDF."

Re-run the risk analysis with current asset inventory, current vendors, current PHI flows. If nothing changed, great — now you can prove it.

Objection handling

What you'll hear, and what to say.

"We're SOC 2 — that covers HIPAA."

SOC 2 and HIPAA overlap on technical safeguards but HIPAA's Privacy Rule, Breach Notification Rule, and risk-analysis requirement (45 CFR 164.308(a)(1)) have no SOC 2 equivalent. Buyers know this; that's why hospital procurement asks for both.

"We have a BAA template — we're set."

A BAA is a contract obligation; a documented risk analysis is the Security Rule obligation that demonstrates you can actually meet the contract. OCR's first request in an investigation is the risk analysis, not the BAA.

"AWS HIPAA-eligible services handle it."

The AWS BAA covers the platform; the Security Rule applies to your application, your access model, your incident response, and your subprocessors. Eligibility is a precondition, not a control set.

"We're waiting for the NPRM to finalize."

The current Security Rule is still in force and enforcement is active. Use the assessment to score against today's rule AND the proposed updates so the remediation backlog is already prioritized when the final rule lands.

"We've never had a breach so we must be fine."

OCR enforcement increasingly stems from complaints and proactive audits, not just breaches. The first finding in most resolution agreements is 'failure to conduct an accurate and thorough risk analysis.'

AI prompt pack

Copy. Paste. Replace the placeholders.

Six prompts tuned for this ICP. Replace {{placeholders}} with your real inputs. Each prompt names the AI engines it works best with.

Account research: HIPAA readiness brief for {{company}}
Best with: ChatGPT-4o with browsing, Claude Sonnet 4, Perplexity
Research {{company}}, a US health-tech vendor, and produce a HIPAA readiness brief.

Inputs:
- Website: {{website}}
- Known customer segment: {{buyer_segment}} (e.g. hospitals, payers, FQHCs, telehealth direct-to-consumer + B2B2C)

Find from public sources:

1. HIPAA scope
   - Are they a Business Associate, a Covered Entity, both, or neither? Justify.
   - Do they process, store, or transmit PHI?
   - Subprocessors that touch PHI (analytics, comms, support, AI vendors).

2. Existing trust posture
   - /trust, /security, /legal pages. Do they list HIPAA, SOC 2 Type II, HITRUST?
   - Public BAA availability statement?
   - Any breach disclosures in HHS OCR Breach Portal (search by company name).

3. Customer signals
   - Hospital / health-system / payer logos on the site.
   - Case studies in regulated health verticals.

4. Security org
   - Privacy Officer, Security Officer, CISO present?
   - Recent hires in compliance / privacy / security in last 6 months.

5. NPRM readiness
   - Public mention of MFA enforcement, encryption-at-rest, network segmentation, 72-hour restoration drills.

6. Trigger surface
   - Funding rounds, new health-system contracts, exec hires.
   - Adjacent breach disclosures in their segment.

7. Outreach hook
   - One sentence connecting a specific trigger to a 45 CFR 164.308 risk analysis.

Return as markdown with section headers and source URLs.

Rules:
- Be concrete and specific to {{company}}; no generic compliance fluff.
- Cite the regulation by section number where relevant.
- If you don't know, say so — do not invent contract numbers, names, or dates.

Prospect list builder: health-tech BAs needing a fresh risk analysis
Best with: Claude Sonnet 4, ChatGPT-4o, Perplexity
Build a list of 25 US digital health, RCM, or health-tech B2B vendors that are likely overdue for a HIPAA risk analysis.

Filters:
- US HQ
- Sells to hospitals, payers, IDNs, ACOs, FQHCs, or other BAs
- Headcount 20–500
- Funding: Seed-extended through Series C in the last 36 months
- Public /trust or /security page does NOT mention HITRUST r2 / Validated
- AT LEAST one trigger:
   - Posted Privacy Officer, Security Officer, or HIPAA Compliance role in last 6 months
   - Announced a new hospital / payer customer in last 12 months
   - Mentioned in HHS OCR Breach Portal in last 36 months (theirs OR a top-5 subprocessor)
   - Funding round in last 12 months

Return as a table:
| Company | Customer type | Headcount | Funding stage | Existing public HIPAA posture | Recent privacy/security hire? | Breach signal? | Likely buyer (CTO/CISO/Privacy Officer) LinkedIn | Best opening hook |

Rules:
- Be concrete and specific to {{company}}; no generic compliance fluff.
- Cite the regulation by section number where relevant.
- If you don't know, say so — do not invent contract numbers, names, or dates.

Cold email sequence — HIPAA (3 touches)
Best with: Any frontier model
Write a 3-touch outbound sequence to {{first_name}} ({{title}} at {{company}}).

Context:
- {{company}} is a health-tech BA selling into {{buyer_segment}}.
- Trigger: {{trigger_event}} (e.g. "won a 5-hospital pilot," "competitor breach disclosed last week," "hired first Privacy Officer").
- They likely have an outdated risk analysis.
- Sender: {{partner_name}}, {{partner_company}}.

Constraints:
- Touch 1: ≤110 words. Lead with the trigger. Bridge to "the BAA conversation that asks for the risk analysis." Soft CTA = reply or {{affiliate_link}}.
- Touch 2 (day 4): ≤80 words. Reference the OCR pattern (first request in every investigation is the risk analysis under 45 CFR 164.308(a)(1)).
- Touch 3 (day 9): ≤45 words. Break-up.
- No "I hope this finds you well." No "circling back."
- CTA: {{affiliate_link}} — self-service readiness, not a sales call.

Return three labeled blocks with SUBJECT + BODY.

Rules:
- Be concrete and specific to {{company}}; no generic compliance fluff.
- Cite the regulation by section number where relevant.
- If you don't know, say so — do not invent contract numbers, names, or dates.

LinkedIn cadence — HIPAA (CISO / Privacy Officer)
Best with: Claude Sonnet 4, ChatGPT-4o
Draft a 4-step LinkedIn cadence to {{first_name}} ({{title}} at {{company}}).

1. Connection note (≤300 chars). Reference a specific public artifact (a post, a hospital customer announcement, a panel they spoke on). No pitch.
2. Day-2 DM (≤500 chars): one specific observation about the NPRM or a recent OCR settlement in their segment + one open question.
3. Day-6 DM (≤300 chars): share {{affiliate_link}} framed as "a 90-minute readiness pass against the current Security Rule + NPRM proposed updates."
4. Day-13 DM (≤200 chars): polite break-up.

Voice: peer privacy/security leader. Cite 45 CFR Part 164 sections naturally. Avoid jargon like "synergies" or "leverage."

Rules:
- Be concrete and specific to {{company}}; no generic compliance fluff.
- Cite the regulation by section number where relevant.
- If you don't know, say so — do not invent contract numbers, names, or dates.

Discovery call script — HIPAA
Best with: Any frontier model
Build a 25-minute discovery call script for {{first_name}} ({{title}} at {{company}}).

Sections:
1. Open (90 sec): confirm time, restate hypothesis ("you're being asked for a current risk analysis in BAA reviews and your last one is stale"), get permission for 6 questions.
2. Six qualifying questions:
   - When was your last documented HIPAA risk analysis and who performed it?
   - How many open BAAs are sitting in your sales pipeline today?
   - Have any of your hospital or payer customers asked for HITRUST in the last 12 months?
   - Which subprocessors handle PHI today, and do you have current BAAs with all of them?
   - Are you tracking the Security Rule NPRM (encryption, MFA, segmentation, 72-hour restoration)?
   - What's your incident-response posture — when was the last tabletop?
3. Bridge (3 min): map answers to the self-service HIPAA readiness assessment.
4. Close: working session OR {{affiliate_link}}.

Branching: if they're a Covered Entity, not a BA, adjust language toward Privacy Rule + Notice of Privacy Practices.

Rules:
- Be concrete and specific to {{company}}; no generic compliance fluff.
- Cite the regulation by section number where relevant.
- If you don't know, say so — do not invent contract numbers, names, or dates.

Objection responder — HIPAA
Best with: Any frontier model
You are a HIPAA privacy + security consultant responding to {{first_name}} ({{title}} at {{company}}).

They said:

"{{objection}}"

Reply in 3–5 sentences. Rules:
- Mirror their language first.
- Cite 45 CFR Part 160 or Part 164 by section when relevant (e.g. 164.308(a)(1) risk analysis, 164.312(a)(1) access control, 164.404 breach notification).
- Reference the December 2024 HIPAA Security Rule NPRM where it applies.
- End with a forward-moving question, not a pitch.
- Never sound defensive. Never say "actually."

Rules:
- Be concrete and specific to {{company}}; no generic compliance fluff.
- Cite the regulation by section number where relevant.
- If you don't know, say so — do not invent contract numbers, names, or dates.

External references

Go deeper.

Authoritative public sources. Bookmark these — they're the source of truth your prospects' own teams are reading.

When NOT to pursue

These prospects won't convert through the self-service flow.

  • Has a current HITRUST CSF Validated or r2 certification
  • Pure consumer wellness app outside HIPAA's covered-entity / BA scope
  • Already mid-OCR investigation (they need a law firm, not an assessment)
  • Health system / IDN itself — they buy from vendors, they don't fit this ICP

Recommended funnel

Send qualified HIPAA prospects to the HIPAA readiness assessment.