Recently on Lessons from the Leap, our Founder, Ghazenfer Mansoor, spoke with Larry Trotter II, Founder of Inherent Security, about HIPAA compliance for HealthTech.
HIPAA Compliance for HealthTech and AI Security: Why AI Governance Isn’t Enough
Larry draws a clear distinction: AI governance is widely discussed, but AI security needs its own focus. The practices he calls out are:
- De-identify data and use as little as possible to get the job done
- Keep humans in the loop when using AI
- Treat AI/LLM providers like vendors, including evaluating their risk and understanding what changes on paid vs enterprise plans
Larry frames AI security as an area he is “leaning into” and wants his brand recognized for in healthcare.
HIPAA Compliance for HealthTech and Vendor Risk: Why Third Parties Drive Breach Exposure
Larry highlights a reality shift: breaches aren’t just “your fault.” They often happen through vendors.
“Vendors accounted for 42% of breaches within healthcare.” — Larry Trotter II
Practical implication for health tech founders: You can be doing “everything right” internally, but if your vendors aren’t secure (cloud configs, AI providers, integrations, subcontractors), you inherit their risk.
So you need a repeatable vendor security process:
- BAAs where applicable
- Paid plans that protect data usage rights
- Clear documentation of security controls
- Due diligence on “extra security features” hidden behind enterprise tiers
HIPAA Compliance for HealthTech and the Meaning of “HIPAA Compliant”: The Three Rules
Too many teams treat HIPAA like a single rule. In reality, it includes:
- Security Rule: Technical and administrative safeguards
- Privacy Rule: PHI handling and access governance
- Breach Notification Rule: Reporting obligations
If you are building healthtech software, you are evaluated against all three.
“HIPAA has a Security Rule, Privacy Rule, and a Breach Notification Rule.” — Larry Trotter II
HIPAA Compliance for HealthTech and Monitoring: Compliance Monitoring vs Threat Monitoring
Larry breaks monitoring into two categories:
Compliance monitoring (ongoing activities):
- User access reviews (remove stale accounts)
- Ensuring logs are enabled
- Ensuring logs are monitored/reviewed
Threat monitoring (proactive detection):
- Actively looking for threats in the network/app
- Using software/tools to detect attacks
- Treating security as 24/7 because attackers don’t take time off
He says organizations often miss threat monitoring, and that manual monitoring is not sustainable at scale.
HIPAA Compliance for HealthTech and Security Policies: Why Templates (and AI-Generated Docs) Backfire
One of the sharpest moments in the episode: Larry calls out “canned” policies as a trust-killer, especially as vendor due diligence gets stricter.
Health systems and security assessors can spot copy-paste compliance from a mile away. And when everything looks “perfect,” it triggers scrutiny, not confidence.
“Don’t rely on canned policies… tailor them to your company.” — Larry Trotter II
Larry makes the point that weak policies can cost you deals. If a buyer doesn’t trust your documentation, they’ll dig deeper, and your sales cycle slows or dies.
HIPAA Compliance for HealthTech: Best Time to Start
Larry gives a clear “best time” answer: early. Not after you’ve shipped three versions, hired 30 people, and built a culture that treats security as an interruption.
Because the truth is: retrofitting security later is harder, slower, and more expensive. Moreover, it creates friction precisely when you’re trying to scale.
His simple operational recommendation was to bring security into the weekly rhythm:
- Devote time in dev/ops meetings
- Budget for security before the buyer forces the conversation
- Include your security posture in your go-to-market narrative
Stay ahead of compliance: download our HIPAA Compliance Checklist now and make security a core part of your HealthTech journey.
“HIPAA compliant” is something you prove, continuously
This episode with Larry Trotter from Inherent Security is a reminder that compliance and security aren’t static. They mature as your company grows. Watch the full episode here.
If you’re building healthcare software, especially with AI features, your strongest move is to treat security as part of product strategy, not an afterthought.
And if you’re a founder building a health tech product and want to bake in security from day one (without slowing delivery), connect with Ghazenfer Mansoor and the team at Technology Rivers. We build secure, scalable healthcare software and help teams avoid expensive rework later. See our portfolio of HIPAA-compliant solutions to explore how we’ve helped other HealthTech teams succeed.
FAQs
What does HIPAA compliance for HealthTech mean?
HIPAA compliance for HealthTech means aligning to the HIPAA Security Rule, Privacy Rule, and Breach Notification Rule, and operating a cybersecurity program that includes tailored policies, risk assessments, technical controls, and monitoring.
What is the difference between a HIPAA gap assessment and a HIPAA risk assessment for HealthTech?
Larry explains that companies often mistake a gap assessment for a risk assessment. In his experience, missing risk assessments are a common issue in HealthTech companies.
What monitoring is required for HIPAA compliance for HealthTech?
Larry distinguishes between compliance monitoring (access reviews, stale accounts, logs enabled and reviewed) and threat monitoring (proactive detection). He emphasizes threat monitoring is often missed and security is a 24/7 reality.
Why are template policies risky for HIPAA compliance for HealthTech?
Larry says canned/template (including AI-generated) policies reduce trust because reviewers can spot them. He advises tailoring policies to your company.
How should AI be handled under HIPAA compliance for HealthTech?
Larry recommends de-identifying data, using as little data as possible, keeping humans in the loop, and treating AI vendors like vendors by assessing their risk and controls.