I have worked in the RTP for more than 5 years now, and the evolution of this space and the healthcare ecosystem has been tremendous.
But so has been the expansion of the attack landscape.
Whenever I start any of my talks on the healthcare ecosystem in NC, I always start with this:
A 2024 report states North Carolina is home to 186 hospitals across 23 integrated delivery networks (IDNs), serving nearly 10.7 million residents.
And then there is the life sciences sector.
According to the NC Biotechnology Center, the state is home to 860 life sciences companies employing over 76,000 people directly.
Even without showing stats, you can feel how immense RTP is. As the largest research park in North America, it hosts pharma companies like Biogen, Merck, GSK, and Nordisk, alongside hundreds of clinical-stage biotechs, medical device manufacturers, CROs, and healthtech startups.
And they all have the same problem: data breaches.
In September 2025 alone, North Carolina ranked among the two worst-affected states in the country for healthcare data breaches. Five separate incidents affected 469,158 individuals in that single month.
With healthcare being the most expensive industry for data breaches in 2025, averaging $10.93 million per incident, the question for NC healthcare and life sciences organizations is not whether an attack will be attempted.
It is whether your controls are strong enough to detect it early, contain it fast, and satisfy your documentation requirements when OCR comes asking.
Now, you may know about HIPAA, but do you know about NC’s state laws that have their own regulations and timeframes?
Let me give you a tour of the compliance requirements you will need to meet if you’re setting up your healthcare SMB in NC.
How Should You Get Yourself Ready for HIPAA Compliance?
Before we get into HIPAA enforcement, let me take a moment to talk about the basics.
Because I have had conversations with IT directors at NC healthcare organizations who were operating on partial understanding of what HIPAA actually requires.
And the key to preparing for any compliance is to first understand it.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that establishes national standards for protecting patients’ PHI, applying both to covered entities and business associates.
HIPAA is structured around three core rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule. Additionally, the HITECH Act of 2009 and Business Associate Agreements (BAAs) further strengthen HIPAA’s enforcement.
Let me give you a clean breakdown of HIPAA’s structure for reference:
On January 6, 2025, OCR published proposed updates to the HIPAA Security Rule, the first significant changes since the Omnibus Rule of 2013. In 2026, this is the rule you should watch out for.
Here is what it proposes to change.
Encryption of ePHI both at rest and in transit would become a requirement, as would MFA, network segmentation, and real-time monitoring on all systems handling ePHI.
And most importantly, pentesting could become an annual affair.
For NC healthcare organizations, the practical implication is this: if your last formal HIPAA risk analysis is more than 12 months old, or if you do not have a documented remediation plan, you are behind the current enforcement standard.
What Are the NC Laws Running Parallel to HIPAA?
There is a pattern I have seen with cybersecurity awareness overall, and in the RTP as well: most organizations consistently underestimate both their exposure and their compliance obligations.
HIPAA is not the only law governing your obligations when a breach occurs in North Carolina. NC state law creates independent requirements, and in several scenarios, those requirements are more stringent than HIPAA.
Let me give you a rundown of NC’s laws that are relevant to your healthcare and life sciences organization:
1. The Identity Theft Protection Act (ITPA)
The North Carolina Identity Theft Protection Act, codified at N.C. Gen. Stat. Chapter 75, Article 2A, is the state’s primary framework for breach notification and personal information protection.
Here is what the ITPA actually requires:
- Breach notification: If a data breach occurs involving the personal information of NC residents, the affected individuals must be notified.
- AG reporting: For breaches that meet a specified threshold, the NC Attorney General’s office must also be notified. The 2025 SB 711 amendment tightened the AG notification timeline and expanded what counts as personal information.
- Third-party vendor liability: The 2025 amendment extended ITPA liability to third-party vendors, meaning a breach at your managed service provider or cloud vendor can trigger ITPA obligations for you.
- Proper disposal: Organizations must implement policies for secure destruction of records containing personal information, be it electronic or physical.
- Social Security number protections: The ITPA prohibits displaying, printing, or transmitting SSNs in ways that could expose them publicly.
The scope of personal information under the ITPA is broader than PHI under HIPAA.
It includes names combined with financial account numbers, Social Security numbers, driver’s license numbers, biometric identifiers, and other data elements.
This means employee data, vendor records, and website visitor data can all fall under the ITPA, even if they are outside HIPAA’s scope entirely.
2. Medical Record Retention Goes Beyond HIPAA
Federal HIPAA requires retention of compliance documentation for six years. North Carolina sets a materially higher floor.
Under 21 NCAC 32, adult medical records must be retained for at least 11 years from the date of last encounter. For minors, the retention period extends to the age of majority.
Your retention schedule should default to the longer of the two rules. An organization retaining medical records for six years may be compliant with HIPAA but noncompliant under NC state law.
3. DHSR Licensure Requirements
If you’re a hospital, nursing home, ambulatory surgery center, home-health agency or any other healthcare facility, then you need to be licensed with NC’s Division of Health Service Regulation (DHSR).
DHSR rules impose facility-level privacy and records expectations that operate alongside HIPAA.
What Is FDA’s Medical Device Regulation?
NC healthcare compliance does not end with the state laws.
I think medical device manufacturers underestimate the regulatory pressure they are under.
I have seen life sciences tech companies and digital health platforms assume they don’t fall under the purview of this compliance framework, but that could not be further from the truth.
If you create or sell cyber devices, you fall under this regulation.
The FDA defines a cyber device as any medical device that includes software and can connect to the internet.
And under the updated Quality Management System Regulation (QMSR) at 21 CFR Part 820, which took effect on February 2, 2026, cybersecurity must be embedded into risk management, design controls, and post-market surveillance of all medical devices.
The QMSR explicitly requires four types of security testing for cyber devices:
- Security requirements testing
- Threat mitigation testing
- Proactive vulnerability hunting
- Independent penetration testing by external parties
For NC medical device companies preparing FDA submissions or undergoing inspections, independent penetration testing is now a requirement.
Having worked with SaMDs, I know that the FDA considers medical devices a risk.
What you have to remember is that all cyber devices must address five security objectives throughout their lifecycle: authenticity, authorization, availability, confidentiality, and secure and timely updatability and patchability.
Why Do NC Health-Tech Platforms and Life Sciences SaaS Need SOC 2?
As an SMB, you will always strive to get enterprise clients.
But do you know what you need to get the deal past the finish line?
Often, it is a SOC 2 report.
SOC 2 Type II evaluates controls across five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Type II is assessed over a sustained observation period, typically 6 to 12 months. Critically, a SOC 2 Type I report is only a snapshot of control design taken at a point in time.
Type II, by contrast, evaluates whether those controls operate effectively over the full observation period, which is usually a year.
For healthtech platforms handling PHI, SOC 2 and HIPAA are complementary.
HIPAA defines what must be protected. SOC 2 provides audited third-party evidence that the controls protecting it are actually functioning.
Mapping HIPAA Security Rule technical safeguards directly to SOC 2 Security criteria during readiness reduces duplication of audit efforts significantly.
The mistake I see repeatedly is that organizations delay SOC 2 until a large enterprise customer requires it. At that point, the observation period has not started, and the sales cycle stalls for six to twelve months.
If you want your business to grow, start your SOC 2 readiness now.
How to Build a Practical Cybersecurity Model in 2026?
I get that managing compliance in 2026 may feel overwhelming.
Organizations have to look after multiple compliance frameworks, multiple enforcement bodies, and a threat environment that is relentless.
And I also know from working with healthcare and life sciences organizations across the Research Triangle that the organizations which get this right are not necessarily the ones with the largest compliance teams.
Some of them are SMBs with a two-person IT team.
This is how you can build a defensible program too:
1. Conduct or Update Your HIPAA Risk Analysis:
OCR’s Risk Analysis Initiative is active, and penalties are being imposed. A risk analysis more than 12 months old, or one without a documented remediation plan tied to specific findings, does not meet the current standard.
The analysis must cover all systems handling ePHI and produce a risk management plan with documented timelines.
2. Map Your Notification Obligations Under Both HIPAA and NC ITPA:
Your incident response plan should explicitly address both HIPAA’s 60-day notification requirement and the NC ITPA’s AG reporting obligation.
Plan incident response around the shorter window. The 2025 SB 711 amendment extended ITPA liability to third-party vendors, and you must now ensure your vendor management process accounts for this.
3. Validate Your Record Retention Schedule Against NC’s 11-Year Floor:
Retention policies that default to HIPAA’s 6-year documentation floor are out of compliance with NC state law for medical records. You have to update your schedule to reflect the 11-year floor required under 21 NCAC 32.
This is a healthcare compliance requirement that NC organizations often overlook.
4. Audit Your QMS Against QMSR Requirements:
If you manufacture or sell a cyber device, you have to adhere to the QMSR, which has been in effect since February 2, 2026.
Verify that your risk files, design controls, validation activities, and CAPA processes address cybersecurity events. Commission an independent penetration test if one is not already documented in your quality system, because FDA inspections will look for it.
5. Start SOC 2 Readiness Before Enterprise Demand Forces the Timeline:
If SOC 2 Type II is not complete and enterprise health system accounts are in your pipeline, the observation period needs to start now.
A readiness assessment mapping your current controls against SOC 2 criteria will identify gaps and give you a realistic timeline before a prospective customer requires the report.
How Can KLEAP Cybersecurity Help?
Managing NC healthcare compliance across HIPAA, the NC ITPA, the proposed Security Rule overhaul, FDA QMSR, and SOC 2 simultaneously is not a one-person job.
KLEAP Cybersecurity is a boutique cybersecurity firm based in Raleigh, NC, working exclusively with healthcare and life sciences SMBs.
In healthcare, we handle the compliance work that keeps getting pushed down the priority list, be it HIPAA risk analysis and remediation planning or NC ITPA-aligned incident response.
Every engagement has a named expert lead, who will stay with your team from the start to the finish of the engagement. We neither leave you with a rotating team nor do we give you generic templates. The advice is specific to healthcare and life sciences because that is all we do.
If you are an NC healthcare or life sciences organization and want to understand where your program stands against the current enforcement environment, we are happy to spend some time on that conversation.
