
Why Your US Hospital Deal Went Silent


Corina Kwok De Los Santos · US Attorney

December 15, 2025 · 8 min read


The clinical team loved your demo.


The physician champion was ready to push it through. They had seen too many clunky legacy systems, and your product was faster, cleaner, more intuitive, and genuinely better. They talked about a pilot. They introduced you to their department head. Everyone was excited.


Then procurement got involved. They sent over a security questionnaire. Thirty questions, maybe fifty. You answered them the way you thought made sense. Your CTO handled the technical parts, you pulled together some policy language, and you sent it back feeling pretty good about the whole thing.


And then... nothing.


A follow-up email. No response. Another one. "We are still reviewing." Then silence. The physician champion stops responding too. The deal just drifts into the void. And you start wondering: What happened?


The trust gate nobody warned you about


Here is what most healthtech companies don't understand about selling into U.S. hospitals. Clinical gets you in the door. Procurement decides if you stay. And procurement is not evaluating your product. They are evaluating your risk profile. When patient data touches your system, you become an extension of the hospital's compliance perimeter. Your security gaps become their audit findings. Your breach becomes their breach. Your vendor management failures become their vendor management failures. So before procurement approves anything, they need to answer one question about you:


If Protected Health Information ("PHI") enters this vendor's world, will it be controlled, traceable, and supportable?

Your demo didn't answer that question. Your questionnaire responses did. And something in there made them nervous enough to let the deal quietly die rather than take the risk.


What "nervous" looks like in practice

I have reviewed tons of these questionnaires over the years, both as the one sending them and as an advisor helping vendors respond. Here's what makes procurement pause:

  1. Vague answers about data flows. "We don't really store PHI" followed by technical architecture that clearly does. Or worse, "I will need to check with engineering." If you don't know exactly where patient data goes in your system, that is a red flag.

  2. No documentation. "Yes, we have policies" but you cannot produce them. "Yes, our team is trained" but there is no record of it. In US healthcare, if it is not documented, it didn't happen.

  3. Template policies that don't match reality. Procurement can tell when you downloaded a HIPAA policy template and just replaced it with your company name. If your policy describes quarterly access reviews and you have never done one, that is not compliance, that is a liability.

  4. Hesitation on the BAA. If you cannot confidently say "yes, we can sign your BAA and meet its requirements," that is a signal you have not operationalized HIPAA. You might not even know what you would be signing up for.

  5. Missing subprocessor information. "What vendors touch PHI?" should not require a week of research. If you do not have a clean list with sub-BAAs for each, you have not done the work.

  6. No incident response plan. "What happens if there is a breach?" is not a trick question. If your answer is "we would figure it out," procurement hears "we would panic and you would be exposed."

Any one of these might not kill a deal. But stack a few together, and procurement has all the justification they need to ghost you.


This isn't personal (but it is predictable)

Hospital procurement teams are not trying to block innovation. Most of them genuinely want better technology in their systems. They have seen how painful the legacy tools are. But they have also been burned.


They have seen vendors who checked "yes" on every compliance question and could not produce a single policy when asked. They have dealt with breaches that started with a third-party vendor who "seemed legit." They have sat through OCR audits where the finger pointed at a subcontractor nobody properly vetted. They have had to explain to their board why they approved a vendor that turned into a liability.


So now they ask the same questions every time. And they have gotten very good at reading between the lines. The good news is this means the process is predictable. The questions don't change much. The bar is knowable. And "ready" doesn't mean "perfect"; it means "credible."


The overseas disadvantage (and how to overcome it)

Here is the hard truth. Overseas healthtech teams start at a disadvantage in this process. Not because the technology is worse. Often it is better. Not because the teams are less capable. They are frequently more hungry and more innovative than incumbent US vendors.


The disadvantage is context.


Different compliance cultures. In many markets, compliance is more relationship-based. You know the right people, you have a good reputation, things move forward. US healthcare is documentation-based. Relationships matter, but paper matters more. "Trust us" is not a compliance strategy.


Unfamiliarity with HIPAA's scope. Teams assume HIPAA is mostly about encryption and access controls. They are surprised to learn it is equally about policies, training, risk assessments, and organizational processes. The technical controls are maybe 30% of what procurement evaluates.


Distributed teams complicate the picture. If your engineering team is in Singapore, your support team is in the Philippines, and your ops team is in Vietnam, you need to explain how HIPAA compliance works across all of them. That's not a dealbreaker, but it requires more documentation, not less.


No US presence feels risky. Fair or not, a company with no US entity, no US employees, and no US legal exposure feels riskier to a hospital procurement team. You can overcome this, but you need to be more buttoned-up than a US-based competitor, not less.


The teams that win are not the ones who complain about these disadvantages. They are the ones who understand the game and play it better than expected.


What "ready" actually looks like

Hospitals don't expect a 10-person startup to have the compliance infrastructure of Epic or Cerner. They know you are smaller.


But they do expect certain fundamentals:

  • You know your data flows. You can draw a diagram showing where PHI enters, where it moves, where it rests, and who can access it at each point.

  • You have written policies. Not perfect policies. Not comprehensive policies. But real policies that reflect how you actually operate.

  • Your team is trained. Everyone with PHI access has received HIPAA training, and you can prove it.

  • You have thought about incidents. You have a plan for what happens when something goes wrong, not just a vague intention to "handle it."

  • You know your vendors. You can list every subprocessor that touches PHI and confirm they are under appropriate agreements.

  • You can sign a BAA with confidence. You understand what it commits you to, and you have built the operational foundation to deliver on those commitments.

That is the bar. It is not insurmountable. But it does require intentional work. Work that many teams postpone until procurement forces the issue.


By then, it’s often too late for that particular deal.


What's coming in this series

Over the next several posts, I am going to walk through exactly what US hospital procurement looks for when evaluating vendors.


Not the theoretical HIPAA stuff you can read on HHS.gov. The practical stuff that determines whether your deal moves forward or quietly dies.


Here is the list of what I will cover:


The 30/70 split — Why technical controls are only 30% of what procurement evaluates, and what makes up the other 70%.

The five questions — The same questions every hospital asks, what they're really trying to learn, and how to answer them confidently.

The policies you need — Not a compliance wishlist, but the specific policies procurement expects to see and what they should actually contain.

The training requirement — Yes, your engineers in Singapore need HIPAA training. Here's why, and here's how to do it.

The gap assessment — How to figure out where you actually stand before procurement figures it out for you.

The procurement pack — The specific documents you need ready so you can respond to questionnaires in days, not weeks.

ISO 27001 ≠ HIPAA compliant — A strong foundation for your security posture, but it does not guarantee HIPAA compliance.


If you are 6-12 months from your first US hospital pilot, this is the stuff that separates the teams that close from the teams that drift.


Let's get into it.


Stop letting procurement ghost your best deals. If you’re preparing for a US hospital pilot or staring at a security questionnaire that feels like a foreign language, let’s get you "procurement ready." Contact Me below to book a consultation to audit your compliance posture before the hospital does.


About the Author

Corina Kwok De Los Santos

US Attorney

Corina is a US licensed attorney specializing in HIPAA compliance, privacy law, and US market entry for international healthtech and SaaS companies. She advises companies from Asia and Europe on regulatory compliance, vendor risk, and commercial contracts. She is fluent in English, Cantonese, and Mandarin.
