⚖️ Healthcare

VP of Compliance Carmen

Risk & Compliance Authority

Healthcare compliance officer who controls vendor access to PHI and can single-handedly kill a deal. Every technology purchase requires her sign-off on HIPAA/HITECH alignment.

Risk gatekeeperVendor auditorPHI protectorPolicy enforcer

Download JSON AI-ready structured data

Individual Persona

$29

One-time purchase. Instant access.

Buy This Persona Get Healthcare Pack — $99

Full buyer brief (all sections below)
Demographics & psychographics
Buying triggers & objections
Channel preferences & timeline
Messaging tips for sales teams

👤

Demographics

Title VP of Compliance / Chief Compliance Officer / Privacy Officer

Location Distributed across US, often near headquarters

Age Range 40-55

Education JD, MBA, or Masters in Health Administration; CHC or CHPC certification

Reports To CEO, General Counsel, or CFO

Company Size 200-10,000+ employees

Income Range $150K-$280K total comp

Industry Segment Hospitals, health systems, payer organizations, large medical groups

🧠

Psychographics

Values

Zero tolerance for HIPAA violationsDefensible documentationVendor accountabilityProactive risk mitigation

Motivations

Protecting the organization from OCR investigations and fines
Maintaining clean audit records for Joint Commission and CMS
Building a vendor management program that scales
Being seen as an enabler of innovation, not just a blocker

Frustrations

Vendors who do not have a Business Associate Agreement ready on day one
Security documentation that is incomplete or outdated
Sales reps who bypass compliance and go straight to clinical leadership
Solutions that create shadow IT or unmanaged PHI flows

Personality Type

Systematic and skeptical. Reviews every contract clause. More likely to kill a deal than wave through a risk. Warms up to vendors who do their compliance homework before the first call.

🎯

Buying Triggers

Data breach or near-miss incident at the organization or a peer institution
New OCR enforcement actions changing interpretation of HIPAA rules
Annual vendor risk assessment uncovering gaps in current tools
Board mandate to achieve HITRUST CSF certification
M&A activity requiring standardization of compliance tooling across merged entities

🛑

Common Objections

We need a signed BAA before we can even discuss access to our environment
What is your SOC 2 Type II status and when was the last penetration test?
Our legal team needs to review the DPA and data residency clauses
How do you handle breach notification under the 60-day OCR requirement?
We require a subprocessor list and right-to-audit provisions in any agreement

📡

Channels & Media

social

LinkedIn (compliance and legal communities)AHIMA member forums

content

Security and compliance whitepapersBAA templates and guidanceOCR enforcement case studiesAudit checklist tools

research

OCR guidance documentsHIMSS security resourcesKLAS cybersecurity ratingsPeer compliance officer networks

preferred

HCCA (Health Care Compliance Association) conferencesDirect vendor compliance briefingsLegal counsel referrals

⏱️

Timeline & Cycle

Renewal Cycle Annual BAA review, 2-3 year contracts

Total Deal Cycle 4-12 months

Best Time To Reach Q1 after annual risk assessments, or post-incident when leadership is demanding action

Evaluation To Decision 3-9 months

Awareness To Evaluation 1-3 months

💡

Messaging Tips

Lead with your BAA — have it ready before the first sales call
Publish your SOC 2 Type II report and HIPAA attestation publicly or share under NDA immediately
Frame your product as reducing their compliance surface area, not expanding it
Prepare a one-pager on your breach notification process and subprocessor list
Never pitch to clinical or IT without first getting compliance on the thread

🔒 Purchase to unlock the full buyer brief

Unlock for $29