HIPAA
HIPAA (Health Insurance Portability and Accountability Act)
Covered entities (providers, payers, clearinghouses) and their business associates. Anyone touching protected health information.
Breach notification obligation triggers, OCR audit notice arrives, or a covered-entity customer pushes the BAA review forward.
Administrative, physical, and technical safeguards plus a risk analysis. Documentation is the audit; technical controls are the floor.
Brings in the privacy officer, compliance officer, and legal. In delivery organisations, the CIO/CMIO often outranks the CISO on the buying decision.
A risk-and-fines conversation more than a feature conversation. The buyer is operating with a deficit of resources versus risk; sold on operational continuity and audit-survivability, not innovation.