Originally published at theculprit.ai/blog/hipaa-checklist-for-alert-pipelines.

The compliance review for a healthtech SaaS usually treats the alert pipeline as a footnote. The product is HIPAA-ready, the database is encrypted, the BAAs are signed, the access controls are documented. Then someone runs grep on a week of monitoring logs and finds patient IDs, member emails, and the occasional plaintext SSN sitting in alert payloads — copies of which were forwarded to a third-party log aggregator (without a BAA), surfaced to an LLM-based incident-analysis tool (also without a BAA), and rendered in plaintext inside a Slack channel that a contractor was a member of last month. The product wasn't the leak. The alert pipeline was. And alert pipelines are a near-universal blind spot because the engineering team that built the application isn't the same team that wired up the alerting, and the alerting tools don't advertise themselves as PHI-handling systems.…
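The two sides of the problem described above, as an added example that is not part of the original post: a scanner that automates the "grep a week of monitoring logs" check for PHI-shaped values, and a scrubber that redacts the same values from an alert payload before it is forwarded to a log aggregator, an LLM tool or a chat channel. The SSN, e-mail and patient-ID patterns, the list of PHI field names, and the sample alert and log lines are all constructed assumptions; a real deployment would use its own identifier formats and field conventions.

```python
import json
import re

# Constructed patterns. The patient-ID format ("PT-" plus six or more digits)
# is a hypothetical convention, not one taken from the post.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "patient_id": re.compile(r"\bPT-\d{6,}\b"),
}

# Field names whose entire value is treated as PHI regardless of content
# (assumed convention for this example).
PHI_FIELD_NAMES = {"patient_id", "member_email", "ssn", "dob", "name"}


def find_phi_in_log(lines):
    """Return [(line_number, [pattern labels])] for every log line that matches a PHI pattern.

    This is the manual grep from the post turned into a repeatable check that can run
    over an export of the alert pipeline's output.
    """
    hits = []
    for number, line in enumerate(lines, 1):
        labels = [label for label, pattern in PHI_PATTERNS.items() if pattern.search(line)]
        if labels:
            hits.append((number, labels))
    return hits


def scrub_text(text):
    """Replace every PHI-pattern match with a labelled tag; return (scrubbed_text, counts)."""
    counts = {}
    for label, pattern in PHI_PATTERNS.items():
        text, n = pattern.subn(f"[REDACTED_{label.upper()}]", text)
        if n:
            counts[label] = n
    return text, counts


def scrub_payload(payload):
    """Recursively scrub a JSON-like alert payload (dicts, lists, strings).

    Values under known PHI field names are redacted wholesale; every other string is
    pattern-scrubbed so PHI embedded in free-text messages is caught too.
    Returns (scrubbed_payload, counts).
    """
    total = {}

    def merge(counts):
        for label, n in counts.items():
            total[label] = total.get(label, 0) + n

    def walk(node, key=None):
        if isinstance(node, dict):
            return {k: walk(v, k) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v, key) for v in node]
        if isinstance(node, str):
            if key in PHI_FIELD_NAMES:
                merge({"field:" + key: 1})
                return "[REDACTED_FIELD]"
            scrubbed, counts = scrub_text(node)
            merge(counts)
            return scrubbed
        return node  # numbers, booleans, None pass through unchanged

    return walk(payload), total


# Constructed sample alert: the kind of payload the post describes leaking.
SAMPLE_ALERT = {
    "alert": "DB latency high",
    "service": "claims-api",
    "context": {
        "member_email": "jane.doe@example.com",
        "message": "Lookup failed for PT-0012345 (SSN 123-45-6789) after 3 retries",
        "request_id": "req-7f3a",
    },
    "tags": ["prod", "db=claims"],
}

# Constructed sample log export from the same pipeline.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z alert=latency service=claims-api request_id=req-7f3a",
    "2024-05-01T10:00:01Z alert=lookup_failed member_email=jane.doe@example.com patient=PT-0012345",
    '2024-05-01T10:00:02Z alert=retry note="ssn 123-45-6789 rejected"',
]

if __name__ == "__main__":
    print("log lines with PHI hits:", find_phi_in_log(SAMPLE_LOG))
    scrubbed, counts = scrub_payload(SAMPLE_ALERT)
    print("redactions:", counts)
    print(json.dumps(scrubbed, indent=2))
```

The scrubber sits at the point where the payload leaves the trust boundary (the exporter or webhook, not the dashboard), and the scan runs over the sink side, so a regression in one is caught by the other. Pattern matching is a floor, not a ceiling: free-text fields carry names and dates of birth that no regex reliably catches, which is why the field-name allowlist redacts whole values rather than trusting content inspection alone.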