HIPAA Risk Analyses for Digital Health: Navigating AI, M&A and Vendor Diligence

HIPAA Security Risk Analyses (SRAs) should be the foundation of every digital health company’s cybersecurity compliance. Far more than a checkbox exercise, a comprehensive SRA helps identify and mitigate risks and vulnerabilities to electronic protected health information (ePHI), reduce the likelihood of costly breaches, and demonstrate good faith in the face of regulatory scrutiny. In today’s rapidly evolving digital health landscape where AI-powered tools, mergers and acquisitions, and an expanding vendor ecosystem amplify cybersecurity complexity, the SRA is your first line of defense. Recent Office for Civil Rights (OCR) enforcement actions make clear that inadequate SRAs carry serious financial and reputational consequences.

Why SRAs Matter for Digital Health Companies

Under the HIPAA Security Rule, HIPAA-regulated entities must “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability” of ePHI. This administrative safeguard informs every subsequent security control — administrative, physical, and technical — and serves as evidence of compliance during an audit or investigation. Conducting a thorough SRA will result in HIPAA-regulated entities:

• Mapping PHI Flows: ePHI will be tracked across platforms, like a telehealth or patient portal, AI analytics engine, cloud storage, and third-party integrations.
• Quantifying Threats: Issues such as ransomware, insider error, and misconfigurations will be ranked by likelihood and impact.
• Prioritizing Remediation: Resources can be allocated where they matter most, whether it is encryption, access controls, vulnerability patching, or otherwise.

OCR’s Enforcement Spotlight

Skipping or skimping on your SRA is, in OCR’s eyes, tantamount to willful blindness. Since launching its “Risk Analysis Initiative” in late 2024, OCR has made SRAs a focal point of enforcement, so far settling nine cases for SRA inadequacies:

Failure to conduct a HIPAA Security Rule risk analysis leaves health care entities vulnerable to cyberattacks, such as ransomware. Knowing where your ePHI is held and the security measures in place to protect that information is essential for compliance with HIPAA. OCR created the Risk Analysis Initiative to increase the number of completed investigations and highlight the need for more attention and better compliance with this Security Rule requirement. (OCR Director, October 31, 2024)

OCR’s Risk Analysis Initiative has yielded significant settlements, ranging between US$10k-350k:

• Northeast Radiology (NERAD): A breach on the Picture Archiving and Communication System (PACS) server for storing, retrieving, managing, and accessing radiology images prompted the investigation resulting in a US$350,000 settlement and a two-year period of monitoring by OCR. OCR’s investigation found that “NERAD had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI in NERAD’s information systems.”
• Health Fitness Corporation: OCR commenced an investigation after receiving four breach reports over a three-month period for incidents where Health Fitness Corporation functioned as a business associate to a covered entity. The issue was misconfigured web-facing software that exposed ePHI for several years. OCR noted that Health Fitness Corporation failed to conduct a thorough risk analysis until multiple years after the vulnerability was discovered. A US$227,816 settlement, and a two-year period of monitoring by OCR, resulted here.

These actions underscore that outdated or incomplete SRAs can translate into substantial penalties, as well as unwelcome OCR monitoring of a company’s privacy and security practices for a several year period.

AI Integration Raises the Stakes

AI is transforming digital health by streamlining diagnostics, automating patient outreach, and personalizing care. AI systems also introduce unique risks, including attacks that can manipulate inputs or leak training data containing PHI. Consider that your AI platform may ingest data from electronic health records, wearables, and clinical registries, multiplying breach vectors.

A digital health company using AI systems must include those platforms and integrations into the SRA. Companies should map where models are trained, how data is stored or transmitted, and whether third-party AI APIs meet the company’s security standards. 

M&A Due Diligence: Avoid Inheriting Liabilities

Mergers and acquisitions in digital health are surging. However, acquiring a target that has failed to take seriously the requirement to conduct a regular SRA, and mitigate identified risks and vulnerabilities, can saddle you with legacy vulnerabilities and trigger regulatory scrutiny. During due diligence:

• Review the Target’s SRA: Ensure the target has regularly conducted an SRA and that it covered all ePHI platforms, systems, integrations, and vendor relationships.
• Assess Remediation History: Verify that identified risks and vulnerabilities were addressed promptly.
• Uncover Hidden AI Projects: Pilot AI tools may process PHI without proper safeguards if the target failed to include them in the SRA.

After closing, fold the acquired infrastructure into your enterprise-wide SRA cycle to help seal any gaps across your organization.

Vendor Diligence: Extending Your Risk Lens

Your digital health platform relies on a broad vendor ecosystem — but vendors can be your weakest link. Business associate agreements are necessary, but they are not enough. In your SRA:

• Inventory Vendors by PHI Access: From revenue-cycle management to AI decision-support, classify vendors by the sensitivity, and amount, of PHI they process.
• Evaluate Security Postures: Review each vendor’s own SRA, penetration-testing results, and certifications (e.g., HITRUST, ISO 27001, etc.).
• Monitor Continuously: Update your threat model whenever a vendor’s service scope expands, such as adding new AI analytics modules.

Practical Steps to Fortify Your SRA

1. Review and Follow OCR Guidance: OCR has guidance on conducting an SRA, including Basics of Risk Analysis and Risk Management and Guidance on Risk Analysis. 
2. Adopt a Proven Framework: Use NIST SP 800-66 Rev. 2, NIST SP 800-30 or ISO 27005 to structure your assessment.
3. Build in AI Scenarios: Conduct red-team exercises against your models and validate data-handling workflows.
4. Integrate M&A and Vendor Insights: Convene cross-functional teams (legal, IT, security, compliance, etc.) during transactions and vendor reviews.
5. Document Remediation: Keep clear records of SRAs conducted and updated, risk mitigation plans, and implementation dates.
6. Automate Monitoring: Deploy Security Information and Event Management (SIEM) tools, vulnerability scanners, and AI-driven anomaly detection.

结论

For digital health companies, a robust HIPAA Security Risk Analysis is more than a regulatory requirement — it is strategic risk management. By proactively mapping ePHI flows, surfacing AI-driven vulnerabilities, scrutinizing M&A targets, and rigorously vetting vendors, you will be better positioned to stay ahead of threats and minimize exposure to OCR enforcement. Invest in your SRA now because in the digital health arena, prevention is far less costly than remediation.

For more information on AI, telemedicine, telehealth, digital health, and other health innovations, including the team, publications, and representative experience, please contact any of the authors or any of the partners or senior counsel in Foley’s Cybersecurity and Data Privacy Group or Health Care Practice Group.