Cardiology moves more patient data, to more places, than almost any other specialty. Echocardiograms and tracings, stress tests, and a steady stream from pacemakers and defibrillators reporting into device-maker portals. All of it is protected health information (PHI), and every system and vendor in that chain is part of your HIPAA obligation. I help cardiology practices in the Springfield area see the whole picture before a breach or a regulator does.
30 minutes·No sales pitch·Red, yellow, green summary you keep
Cardiology's data does not sit still. It streams out to device portals, hospitals, and labs, and each path is a vendor relationship HIPAA expects you to manage.
Echocardiograms, electrocardiograms (ECGs), stress tests, and Holter or event monitor data. The studies and the reports are patient records, often held in a cardiology reporting system.
Pacemakers and implantable cardioverter defibrillators (ICDs) report into manufacturer cloud portals around the clock. That is patient data leaving your walls continuously, through someone else's system.
Your EHR holds histories, medications, and insurance details. Whoever hosts and supports it has standing access to all of it.
Records move to and from hospitals for catheterizations and procedures, and in from referring primary care offices. Every handoff is part of your risk picture.
Outside laboratories and over-read services receive patient data on your behalf. Under HIPAA, they are business associates.
An outside billing service, a claims clearinghouse, your IT contractor, and the backup of everything above all touch PHI every day.
The more places your data travels, the harder these get. That is exactly why they matter in cardiology.
A Business Associate Agreement (BAA) is the signed contract that holds a vendor to HIPAA. Between device-monitoring portals, labs, your EHR host, and billing, cardiology practices often have the longest vendor list in the building and the least visibility into it.
A Security Risk Assessment (SRA) is supposed to reflect how the practice handles PHI right now, including every device data feed. One done years ago, or never done at all, reads the same way in an investigation.
If the Office for Civil Rights (OCR) opens a review, the first request is almost always your risk analysis. What you can put on the table that day shapes everything that follows.
OCR is currently focused on one thing above all: whether you ever did a real risk analysis. A 2025 case shows what the bill actually looks like.
A small imaging provider, Vision Upright MRI, left a server of patient images exposed. The records of 21,778 people were involved. The provider had never conducted a risk analysis and was late notifying people of the breach. The settlement was $5,000. The real cost was a corrective action plan monitored by OCR for two years, plus formal breach notice to every affected patient, to HHS, and to the media. For a practice that moves imaging and device data the way cardiology does, a current risk assessment is the cheap side of that equation.
Source: U.S. Department of Health and Human Services, Office for Civil Rights press release, May 15, 2025. Figures verified against the primary source. This is a radiology case cited as an enforcement pattern, not a cardiology matter.
A 30-minute call across the six areas OCR cares about most, including your device data feeds. You leave with a red, yellow, green summary you can keep. No pitch.
An OCR-defensible SRA. A PHI flow inventory that maps every device and vendor feed, a BAA inventory, the full risk register, a policy gap analysis, and a 30, 60, 90 day roadmap. Signed and dated.
A fractional security lead on call for new device vendors, hospital data agreements, and next year's assessment. Optional, never required.
If any of the three questions above gave you pause, that is reason enough for a conversation. No cost, no pressure, and you keep the summary either way.
Book your risk snapshotOr email tony@seqorasecurity.com