HIPAA Compliance Checklist for Cardiology & RPM Providers

Last updated: July 14, 2026

Key Takeaways

  • HIPAA compliance is now a strategic priority for cardiology practices. The 2025 NPRM overhaul of the Security Rule and increased OCR enforcement since fall 2024 have raised the stakes.
  • Multi-OEM CIED and RPM programs create unique compliance challenges. Patient data moves through multiple vendor portals, cloud services, and mobile access points before reaching the EHR.
  • Five core HIPAA rules govern cardiology workflows involving device telemetry and remote monitoring: Privacy, Security, Breach Notification, Enforcement, and Omnibus.
  • A 7-step compliance checklist covers risk analysis, BAAs, technical safeguards, workforce training, breach protocols, documentation retention, and annual audits for 2026.
  • Get the compliance checklist as a downloadable PDF. Schedule a demo with Rhythm360 to see how consolidating multi-OEM data streams into one platform simplifies your compliance program.

Which HIPAA Rule Creates the Most Risk for Multi-OEM Programs

The five main HIPAA rules govern every aspect of how cardiology practices handle protected health information (PHI). For multi-OEM CIED programs, the Omnibus and Security Rules create the most exposure. They extend liability to every vendor that touches device data. The table below breaks down the safeguard each rule requires and where compliance gaps typically emerge.

HIPAA RuleCardiology Workflow ImpactRequired SafeguardRhythm360 Capability
Privacy RuleGoverns minimum-necessary access to CIED telemetry, CPT documentation, and patient records shared across OEM portalsRole-based access controls; minimum-necessary policies for billing and clinical staffGranular role-based access across all ingested OEM data streams; unified audit trail
Security RuleApplies to all ePHI transmitted from home monitors through vendor platforms to the practice EHR; proposed 2026 updates mandate MFA, encryption, and asset inventoriesEncryption (TLS 1.2+ in transit, AES-256 at rest), MFA, network segmentation, biannual vulnerability scansHIPAA-compliant cloud infrastructure; encrypted data ingestion from all OEM feeds; secure mobile app with MFA
Breach Notification RuleA missed critical alert or unauthorized access to CIED data triggers 60-day individual and HHS notification requirements; business associates must notify covered entities within 60 days of discoveryDocumented 4-factor risk assessment; breach response protocol; encryption safe harborFull audit logging of all data access events; documented transmission encryption qualifying for safe harbor
Enforcement RuleSets civil penalty tiers; Tier 4 willful neglect penalties reach $73,011–$2,190,294 per violationAnnual compliance audits; documented corrective action plansAutomated report generation supporting audit-ready documentation
Omnibus RuleMakes device manufacturers and RPM platform vendors directly liable as Business Associates; the 2013 Omnibus Rule established direct BA liability and the current tiered penalty structureExecuted BAAs with all OEMs, cloud relay services, and RPM vendors; subcontractor flow-down obligationsVendor-neutral platform operating under executed BAAs; supports practice BAA management across all connected OEMs

7-Step HIPAA Compliance Checklist for Cardiology Practices

This checklist incorporates the proposed 2026 Security Rule requirements. Treat each step as an ongoing obligation, not a one-time task.

  1. Conduct a Security Risk Analysis (SRA). The SRA must be conducted annually and whenever major system changes occur, mapping every ePHI asset including CIED monitoring platforms, cardiovascular information systems, EHR, PACS, billing platforms, and mobile devices. Assign specific risk levels to identified threats and vulnerabilities. The January 2026 OCR Cybersecurity Newsletter identified inadequate risk analysis as the most frequently cited deficiency in OCR investigations.
  2. Execute and maintain Business Associate Agreements. Every OEM whose cloud relay service receives, stores, or transmits identifiable cardiac telemetry on your behalf requires a signed BAA. The most common BAA gap in RPM programs occurs when the RPM platform vendor has a BAA but the device manufacturer's cloud relay service does not, leaving an intermediate data hop uncovered.
  3. Implement required technical safeguards. The proposed 2026 HIPAA Security Rule mandates encryption, MFA, and network segmentation, with roughly 240 days to comply after finalization. Required controls include TLS 1.2+ in transit, AES-256 at rest, MFA for all ePHI access including remote sessions, and network segmentation isolating CIED monitoring systems from general office networks.
  4. Train the workforce. A recent survey found employee error caused nearly half of all HIPAA incidents. The proposed rule requires security awareness training within 30 days of hire and annual refresher training for all staff.
  5. Establish and test breach response protocols. Start by documenting a 4-factor risk assessment process, since this determines whether notification is even required. If notification is triggered, current rules give you 60 days to notify individuals and HHS. That timeline is about to tighten upstream: proposed 2026 rules require business associates to alert covered entities within 24 hours of activating a contingency plan, and restore critical systems within 72 hours, so the clock effectively starts much sooner.
  6. Retain documentation for the required period. RPM audit logs documenting access to PHI must be retained for at least 6 years. Executed BAAs must also be retained for six years following termination under 45 CFR 164.530(j). CPT billing documentation supporting remote monitoring codes (93298, 93299, 99454) must be retained per payer and state requirements.
  7. Conduct annual compliance audits. OCR has proposed requiring compliance audits at least annually, including vulnerability scanning every six months and annual penetration testing. Keep a technology asset inventory and network map reviewed at least annually and after any operational changes.

Download the printable 7-step checklist PDF, a formatted version built for compliance officer review and staff distribution. Schedule a demo to get the checklist PDF and see how Rhythm360 maps to each step.

Where Multi-OEM Programs Break Down: The Five Most Common Violations

Even practices that follow this checklist can still fall into predictable traps. The violations below show where multi-OEM CIED programs most often break down in practice.

  1. Unencrypted data transmission. Cardiology practices must encrypt CIED data during transmission from home monitors to vendor platforms and onward. Alert notifications containing patient vitals sent via standard SMS or unencrypted email are a direct violation. Notifications must route through a secure platform or encrypted messaging channel.
  2. Missing or incomplete Business Associate Agreements. Each device manufacturer or remote-monitoring vendor that handles identifiable cardiac data is a business associate requiring a signed BAA. An un-papered vendor handling cardiac telemetry is a compliance gap regardless of the technical security measures in place.
  3. Inadequate access controls on monitoring portals. Common vulnerabilities include weak authentication on monitoring portals and overexposure of raw diagnostic data to billing teams. Role-based access controls must limit each staff member to only the data required for their function.
  4. Unlogged mobile access to ePHI. Clinicians reviewing CIED transmissions on mobile devices outside the clinic create access events that must be logged with a full audit trail. Practices must monitor remote sessions with detailed logging and alerts and enforce MFA for all remote access.
  5. Incomplete audit trails across multi-OEM data streams. Many breaches stem from forgotten API keys or unused vendor accounts that retain access to PHI systems. When a practice logs into five separate OEM portals, each represents an independent audit trail that must be maintained, reviewed, and reconciled, a process that breaks down without a unified platform.

Building a Defensible Risk Analysis for Multi-OEM Programs

The checklist above requires an annual SRA. Here is what a defensible one actually includes for a cardiology practice running multi-OEM CIED and RPM programs.

  1. ePHI Asset Inventory. Inventory all systems that create, receive, maintain, or transmit ePHI, including EHR, PACS, ECG management systems, telemetry platforms, ambulatory monitors, remote CIED platforms, cloud faxing, billing systems, patient portals, and mobile devices. Proposed 2026 rules also require including AI tools that create or transmit ePHI.
  2. Data Flow Mapping. Map RPM data flows from device to app to cloud to EHR to identify every point where ePHI exists, including intermediate consumer app stops that may lack BAA coverage.
  3. Threat and Vulnerability Assessment. For each ePHI asset, document threats such as ransomware, unauthorized vendor access, or unencrypted transmission, then assign likelihood and impact ratings. The proposed 2026 rule requires written risk levels for each identified threat.
  4. Control Documentation. For each risk, document existing controls (encryption, MFA, network segmentation, BAAs), assess residual risk, and assign remediation ownership with target dates.
  5. Review and Update Cycle. Reassess after major changes and at planned intervals, using automated configuration drift detection and patch management. The proposed 2026 rule requires the asset inventory and network map to be reviewed at least annually.

Closing the BAA Gaps Vendors Leave Behind

The SRA identifies where ePHI flows through vendor systems. Once mapped, every vendor touching that data needs a BAA before it creates, receives, maintains, or transmits PHI on your behalf. For cardiology practices, this obligation extends across a layered vendor chain.

A compliant BAA must contain these provisions:

  • Permitted and required uses and disclosures of PHI defined with specificity; broad language is insufficient
  • Prohibition on unauthorized use or disclosure
  • Minimum necessary standard
  • Administrative, physical, and technical safeguards meeting Security Rule standards
  • Breach notification timeline, currently 60 days, though proposed 2026 updates would reduce BA notification to 24 hours
  • Subcontractor flow-down obligations under HITECH
  • HHS audit cooperation rights
  • Documented PHI return or destruction on contract termination

Inadequate BA due diligence is a standalone basis for OCR enforcement, with penalties reaching up to $1.9 million per violation category per year, independent of whether a breach occurred. Proposed 2026 rules add another layer: covered entities must obtain annual written verification from business associates confirming that MFA, encryption, and other required safeguards are actually deployed, not just contractually promised.

What Happens After a Breach: Response Steps and Timelines

A breach of unsecured ePHI triggers a structured notification sequence under 45 CFR Part 164, Subpart D. Here is the full sequence, stated once.

  1. Conduct the 4-factor risk assessment. The assessment evaluates the nature and extent of the PHI involved, the unauthorized recipient, whether the PHI was actually acquired or viewed, and the extent to which risk has been mitigated. Notification is required only if there is more than a low probability of compromise.
  2. Notify affected individuals without unreasonable delay, no later than 60 calendar days after discovery.
  3. Notify HHS. Breaches affecting 500 or more individuals require HHS notification within 60 days. For breaches affecting fewer than 500, covered entities report to HHS within 60 days of year-end, meaning 2026 breaches must be reported by March 1, 2027.
  4. Notify media where applicable. Breaches involving 500 or more individuals in one state or jurisdiction require notifying prominent local media within 60 days.
  5. Apply the encryption safe harbor. PHI encrypted to NIST standards, with an uncompromised key, qualifies for safe harbor and is exempt from notification requirements.

Proposed 2026 rules add urgency here too: business associates must notify covered entities within 24 hours of activating a contingency plan, and restore critical systems within 72 hours of a disruptive incident.

How Rhythm360 Closes These Gaps in Practice

The breach protocols above only work if a practice can actually see across its vendor chain. Rhythm360 is a vendor-neutral, HIPAA-compliant cloud platform built for cardiology practices managing CIEDs and chronic-condition RPM programs. Other platforms in this space include Paceart, Murj, PaceMate, Implicity, Rhythm Management Group, and Octagos. Rhythm360's design centers on consolidating all OEM data streams and compliance documentation into one auditable environment.

Rhythm360
Rhythm360

Rhythm360 addresses the specific challenges outlined in this guide:

  • Unified ePHI asset management. CIED and RPM data from Medtronic, Boston Scientific, Abbott, Biotronik, and other OEMs is ingested and normalized into one platform, eliminating the fragmented portal access that creates incomplete audit trails and unlogged access events.
  • Encrypted data ingestion with over 99.9% transmissibility. Redundant data feeds, API integrations, HL7, XML, and AI-powered computer vision capture data across all OEM formats, with encrypted transmission throughout.
  • AI-powered alert triage. The platform filters non-actionable alerts and prioritizes clinically significant events, cutting critical response times by up to 80%. This directly reduces the alert fatigue and missed-event risks that drive both clinical and compliance exposure.
  • Automated CPT documentation. Rhythm360 automates report generation and billing documentation for CPT codes 93298, 93299, and 99454, supporting the audit trail required for payer compliance and HIPAA record retention.
  • Bi-directional EHR integration. Native integrations with Epic, Cerner, Athenahealth, eClinicalWorks, Greenway Health, and others via HL7 keep ePHI flowing through documented, BAA-covered channels instead of manual workarounds.
  • Secure HIPAA-compliant mobile app. Clinicians review transmissions, sign reports, and coordinate care from mobile devices with full audit logging of every access event, closing the unlogged mobile access gap flagged in OCR enforcement actions.

Combined with the alert-response gains noted above, practices using Rhythm360 have also seen up to 300% improvement in revenue capture through better CPT code documentation.

Schedule a demo to see how Rhythm360 maps to your practice's 2026 audit readiness requirements.

Frequently Asked Questions

What are the breach notification timelines under HIPAA in 2026?

Covered entities must notify individuals within 60 days of discovering a breach, and notify HHS within 60 days for breaches affecting 500 or more people. As detailed earlier, the required 4-factor risk assessment determines whether notification is triggered at all. Business associates currently have 60 days to notify covered entities; proposed 2026 rules would shrink that to 24 hours for contingency plan activations. The encryption safe harbor still applies: no notification is required if the PHI was encrypted to NIST standards and the key was not compromised.

Do medical device manufacturers require a Business Associate Agreement?

Yes, when the manufacturer creates, receives, maintains, or transmits PHI on a covered entity's behalf, such as running a cloud-based remote monitoring platform. A BAA is not required when a manufacturer receives PHI solely for FDA Adverse Event Reporting, a permitted disclosure under the Privacy Rule. OEMs operating cloud relay services for CIED data qualify as business associates and need executed BAAs covering the provisions outlined earlier in this guide.

How often must a Security Risk Analysis be conducted?

The SRA is an ongoing process, not a one-time event. Update it whenever major system changes occur, such as adding a new OEM portal or integrating a new EHR module, and review it at planned intervals. Proposed 2026 rules formalize this as an annual requirement with documented remediation tracking. OCR's Risk Analysis Initiative, launched in fall 2024, had produced 11 enforcement actions by early 2026, each resulting in settlements and multi-year corrective action plans.

What safeguards are required for mobile access to CIED and RPM data?

Mobile access to ePHI must meet the same Security Rule requirements as workstation access. Required safeguards include MFA for all remote sessions, encrypted transmission using TLS 1.2 or higher, encrypted device storage, role-based access controls, and full audit logging of every access event. Proposed 2026 rules make MFA mandatory for all ePHI access, with no size-based exemptions. Push notifications must never contain PHI in the payload; generic notifications should direct users into the encrypted in-app environment instead. As covered in the checklist, these logs must be retained for six years.

Conclusion

The 2026 HIPAA compliance landscape gives cardiology practices and RPM providers a clear mandate. Fragmented OEM portals, incomplete BAA chains, unlogged mobile access, and infrequent risk analyses are no longer manageable risks. They are active enforcement targets. OCR's Risk Analysis Initiative, the proposed Security Rule overhaul, and tightened breach notification timelines together raise the compliance floor for every practice managing multi-vendor CIED data streams.

The 7-step checklist in this guide gives you an actionable framework for meeting 2026 requirements. Running that framework across five or more separate OEM portals, each with its own audit trail and access controls, creates the administrative overload that drives enforcement exposure. A unified, vendor-neutral platform that consolidates CIED and RPM data into one auditable environment, with automated CPT documentation, encrypted data flows, and a compliant mobile app, addresses that structural risk at its source.

Schedule a demo with Rhythm360 to consolidate your CIED and RPM compliance workflows before the 2026 enforcement window closes.

Advisory Tags
Our automatic tagging and tracking keeps getting better - identify, manage and track multiple advisories more efficiently.
View and Acknowledge Recalls
Staff can document steps taken to resolve the recall for continuity of communication, tracking, and accountability.
Links Straight to FDA
Rhythm360 provides direct access to all the advisory details you need without additional searching and clicks.