If your HealthTech SaaS routes, stores, or processes Protected Health Information (PHI), you're a HIPAA Business Associate. That's not optional — it's automatic the moment PHI touches your system.
The painful truth: most HealthTech teams don't realize their cloud automation platform is also a Business Associate, with its own HIPAA BAA obligation and breach notification exposure. Routing PHI through Zapier, Make, or any cloud iPaaS without a signed BAA creates a presumed breach under HITECH §13402.
The fastest clocks in HealthTech compliance:
- HHS OCR Complaint: IMMEDIATE — no grace period once complaint is filed
- HIPAA Breach Notification (500+ individuals): 60 days to HHS + affected individuals + media
- Ransomware on PHI system: IMMEDIATE — HHS OCR guidance presumes breach
- HIPAA Risk Analysis: Annual (§164.308(a)(1))
This article walks through 5 production-ready n8n workflows for HealthTech and Digital Health SaaS vendors — with full importable JSON for each.
Workflow 1: HealthTech Customer Onboarding Drip (Tier-Segmented, Compliance-Injected)
Seven customer tiers. Seven different compliance starting points. One workflow.
Customer segmentation in HealthTech is compliance segmentation. An EHR vendor's Day 0 onboarding email must address §164 PHI pipeline architecture. A telehealth platform needs §164.312(e) transmission security context. A digital therapeutics company needs FDA SaMD classification clarity.
This workflow segments across 7 tiers — EHR_SAAS_VENDOR, TELEHEALTH_PLATFORM, DIGITAL_THERAPEUTICS_SAAS, PHARMACY_TECH_SAAS, HEALTH_ANALYTICS_SAAS, REMOTE_PATIENT_MONITORING, HEALTHTECH_STARTUP — and injects HIPAA BAA action items for customers with the HIPAA_BAA_REQUIRED flag.
{
"name": "HealthTech Customer Onboarding Drip",
"nodes": [
{
"parameters": {
"httpMethod": "POST",
"path": "healthtech-onboarding",
"options": {}
},
"id": "webhook-001",
"name": "Customer Created Webhook",
"type": "n8n-nodes-base.webhook",
"typeVersion": 2,
"position": [
240,
300
]
},
{
"parameters": {
"jsCode": "const customer = $input.first().json;\nconst tier = customer.tier || 'HEALTHTECH_STARTUP';\nconst flags = customer.compliance_flags || [];\n\nconst tierMessages = {\n EHR_SAAS_VENDOR: 'As an EHR SaaS vendor, your platform handles PHI under HIPAA \u00a7164 \u2014 your n8n instance must be deployed within your HIPAA-covered environment.',\n TELEHEALTH_PLATFORM: 'Telehealth platforms face HIPAA \u00a7164.312 transmission security requirements \u2014 ensure video and messaging data stays within your BAA boundary.',\n DIGITAL_THERAPEUTICS_SAAS: 'FDA Software as a Medical Device (SaMD) classification under 21 CFR Part 820 applies if your DT product makes clinical decisions.',\n PHARMACY_TECH_SAAS: 'Pharmacy platforms handle both PHI (HIPAA) and controlled substance data (DEA 21 CFR Part 1304) \u2014 dual compliance boundary.',\n HEALTH_ANALYTICS_SAAS: 'De-identification under HIPAA \u00a7164.514 \u2014 ensure your analytics pipeline satisfies Safe Harbor or Expert Determination before data flows.',\n REMOTE_PATIENT_MONITORING: 'RPM platforms generate continuous PHI streams \u2014 HIPAA \u00a7164.308(a)(1) risk analysis must account for real-time data ingestion.',\n HEALTHTECH_STARTUP: 'Early-stage HealthTech: HIPAA BAA required before any PHI processing \u2014 self-hosted n8n keeps your PHI pipeline in-scope.'\n};\n\nconst baaNote = flags.includes('HIPAA_BAA_REQUIRED')\n ? '\\n\\nACTION REQUIRED: Execute HIPAA Business Associate Agreement before any PHI processing begins.'\n : '';\n\nreturn [{\n json: {\n ...customer,\n tier_message: tierMessages[tier] || tierMessages['HEALTHTECH_STARTUP'],\n baa_required: flags.includes('HIPAA_BAA_REQUIRED'),\n baa_note: baaNote,\n phi_processor: flags.includes('PHI_PROCESSOR'),\n fda_device: flags.includes('FDA_SOFTWARE_MEDICAL_DEVICE'),\n cms_certified: flags.includes('CMS_CERTIFIED')\n }\n}];"
},
"id": "code-001",
"name": "Tier & Compliance Enrichment",
"type": "n8n-nodes-base.code",
"typeVersion": 2,
"position": [
460,
300
]
},
{
"parameters": {
"sendTo": "={{ $json.email }}",
"subject": "Welcome to FlowKit \u2014 Your HealthTech Compliance Setup Guide",
"emailType": "html",
"message": "=<h2>Welcome, {{ $json.company_name }}!</h2><p>{{ $json.tier_message }}</p>{{ $json.baa_note }}<p>Your account is active. Here's what to set up in the first 48 hours:</p><ul><li>Self-host n8n in your HIPAA-covered cloud environment (AWS, Azure, GCP with BAA)</li><li>Review your PHI data flow diagram</li><li>Schedule a compliance architecture review</li></ul><p>Questions? Reply to this email.</p>",
"options": {}
},
"id": "email-001",
"name": "Day 0 Welcome Email",
"type": "n8n-nodes-base.gmail",
"typeVersion": 2.1,
"position": [
680,
300
]
},
{
"parameters": {
"amount": 3,
"unit": "days"
},
"id": "wait-001",
"name": "Wait 3 Days",
"type": "n8n-nodes-base.wait",
"typeVersion": 1.1,
"position": [
900,
300
]
},
{
"parameters": {
"sendTo": "={{ $('Tier & Compliance Enrichment').item.json.email }}",
"subject": "Your HealthTech compliance checklist (Day 3)",
"emailType": "html",
"message": "=<h2>Day 3 Check-In</h2><p>Here are the 3 most common HIPAA compliance gaps we see in {{ $('Tier & Compliance Enrichment').item.json.tier }} deployments:</p><ol><li>Unsigned BAA with cloud vendors processing PHI</li><li>Missing workforce training documentation (\u00a7164.308(a)(5))</li><li>No automated breach detection on PHI storage endpoints</li></ol><p>The FlowKit compliance templates handle all three automatically.</p>",
"options": {}
},
"id": "email-002",
"name": "Day 3 Compliance Checklist",
"type": "n8n-nodes-base.gmail",
"typeVersion": 2.1,
"position": [
1120,
300
]
},
{
"parameters": {
"amount": 4,
"unit": "days"
},
"id": "wait-002",
"name": "Wait 4 Days",
"type": "n8n-nodes-base.wait",
"typeVersion": 1.1,
"position": [
1340,
300
]
},
{
"parameters": {
"sendTo": "={{ $('Tier & Compliance Enrichment').item.json.email }}",
"subject": "Week 1 complete \u2014 your PHI compliance dashboard",
"emailType": "html",
"message": "<h2>Your compliance automation is live</h2><p>By now your n8n instance should be running inside your covered environment. Here's what to activate next:</p><ul><li>HIPAA Risk Analysis deadline tracker</li><li>PHI endpoint health monitor</li><li>HITECH breach notification pipeline</li></ul>",
"options": {}
},
"id": "email-003",
"name": "Day 7 Feature Email",
"type": "n8n-nodes-base.gmail",
"typeVersion": 2.1,
"position": [
1560,
300
]
},
{
"parameters": {
"operation": "append",
"documentId": {
"__rl": true,
"value": "YOUR_SHEET_ID",
"mode": "id"
},
"sheetName": {
"__rl": true,
"value": "onboarding_log",
"mode": "name"
},
"columns": {
"mappingMode": "defineBelow",
"value": {
"customer_id": "={{ $('Tier & Compliance Enrichment').item.json.customer_id }}",
"company": "={{ $('Tier & Compliance Enrichment').item.json.company_name }}",
"tier": "={{ $('Tier & Compliance Enrichment').item.json.tier }}",
"baa_required": "={{ $('Tier & Compliance Enrichment').item.json.baa_required }}",
"enrolled_at": "={{ $now.toISO() }}"
}
},
"options": {}
},
"id": "sheets-001",
"name": "Log to Google Sheets",
"type": "n8n-nodes-base.googleSheets",
"typeVersion": 4.5,
"position": [
1780,
300
]
}
],
"connections": {
"Customer Created Webhook": {
"main": [
[
{
"node": "Tier & Compliance Enrichment",
"type": "main",
"index": 0
}
]
]
},
"Tier & Compliance Enrichment": {
"main": [
[
{
"node": "Day 0 Welcome Email",
"type": "main",
"index": 0
}
]
]
},
"Day 0 Welcome Email": {
"main": [
[
{
"node": "Wait 3 Days",
"type": "main",
"index": 0
}
]
]
},
"Wait 3 Days": {
"main": [
[
{
"node": "Day 3 Compliance Checklist",
"type": "main",
"index": 0
}
]
]
},
"Day 3 Compliance Checklist": {
"main": [
[
{
"node": "Wait 4 Days",
"type": "main",
"index": 0
}
]
]
},
"Wait 4 Days": {
"main": [
[
{
"node": "Day 7 Feature Email",
"type": "main",
"index": 0
}
]
]
},
"Day 7 Feature Email": {
"main": [
[
{
"node": "Log to Google Sheets",
"type": "main",
"index": 0
}
]
]
}
}
}
Workflow 2: HIPAA/HITECH/FDA/CMS Deadline Tracker (12 Compliance Types)
HealthTech compliance deadlines span four agencies with different cadences. This tracker monitors 12 types and escalates at OVERDUE/CRITICAL/URGENT/WARNING/NOTICE tiers:
| Deadline Type | Regulatory Reference | Consequence |
|---|---|---|
| HIPAA_RISK_ANALYSIS_ANNUAL | §164.308(a)(1)(ii)(A) | OCR investigation trigger |
| HIPAA_BREACH_NOTIFICATION_60_DAY | HITECH §13402 | Civil penalty $100–$50K/violation |
| HITECH_BAA_REVIEW_ANNUAL | §164.308(b) | Unauthorized disclosure = presumed breach |
| HIPAA_WORKFORCE_TRAINING | §164.308(a)(5) | OCR audit finding |
| FDA_QSR_DESIGN_VALIDATION | 21 CFR §820.30 | Warning letter / consent decree |
| FDA_SAMD_PREMARKET_SUBMISSION | 21 CFR Part 820 | Unlawful device distribution |
| CMS_CONDITIONS_PARTICIPATION_SURVEY | CMS §482 | Termination from Medicare/Medicaid |
| ONC_CERTIFICATION_RENEWAL | 21st Century Cures | Certification revocation |
| PHI_DISPOSAL_DOCUMENTATION | §164.310(d)(2) | OCR audit finding |
| SOC2_TYPE2_RENEWAL | AICPA | Enterprise contract loss |
| ANNUAL_PENTEST | §164.308(a)(1) | Security risk analysis gap |
| CMS_MEANINGFUL_USE_ATTESTATION | CMS PI program | Incentive payment forfeiture |
{
"name": "HIPAA/HITECH/FDA/CMS Deadline Tracker",
"nodes": [
{
"parameters": {
"rule": {
"interval": [
{
"field": "cronExpression",
"expression": "0 8 * * *"
}
]
}
},
"id": "cron-002",
"name": "Daily 8AM Schedule",
"type": "n8n-nodes-base.scheduleTrigger",
"typeVersion": 1.2,
"position": [
240,
300
]
},
{
"parameters": {
"documentId": {
"__rl": true,
"value": "YOUR_SHEET_ID",
"mode": "id"
},
"sheetName": {
"__rl": true,
"value": "compliance_deadlines",
"mode": "name"
},
"options": {}
},
"id": "sheets-002",
"name": "Read Deadlines Sheet",
"type": "n8n-nodes-base.googleSheets",
"typeVersion": 4.5,
"position": [
460,
300
]
},
{
"parameters": {
"jsCode": "const today = new Date();\nconst results = [];\n\nfor (const item of $input.all()) {\n const d = item.json;\n const due = new Date(d.due_date);\n const daysUntil = Math.floor((due - today) / 86400000);\n\n const deadlineRefs = {\n HIPAA_RISK_ANALYSIS_ANNUAL: 'HIPAA \u00a7164.308(a)(1)(ii)(A) \u2014 annual risk analysis required',\n HIPAA_BREACH_NOTIFICATION_60_DAY: 'HITECH \u00a713402 \u2014 60 days from discovery to HHS + individuals + media (500+)',\n HITECH_BAA_REVIEW_ANNUAL: 'HIPAA \u00a7164.308(b) \u2014 Business Associate Agreement annual review',\n HIPAA_WORKFORCE_TRAINING: 'HIPAA \u00a7164.308(a)(5) \u2014 annual workforce security training',\n FDA_QSR_DESIGN_VALIDATION: 'FDA 21 CFR \u00a7820.30 \u2014 software design validation for SaMD',\n FDA_SAMD_PREMARKET_SUBMISSION: 'FDA 21 CFR Part 820 \u2014 SaMD premarket notification or 510(k)',\n CMS_CONDITIONS_PARTICIPATION_SURVEY: 'CMS Conditions of Participation \u2014 \u00a7482 annual survey',\n ONC_CERTIFICATION_RENEWAL: 'ONC 21st Century Cures \u2014 certified HIT annual attestation',\n CMS_MEANINGFUL_USE_ATTESTATION: 'CMS Promoting Interoperability \u2014 annual attestation deadline',\n PHI_DISPOSAL_DOCUMENTATION: 'HIPAA \u00a7164.310(d)(2) \u2014 PHI disposal documentation',\n SOC2_TYPE2_RENEWAL: 'SOC 2 Type II \u2014 annual audit renewal',\n ANNUAL_PENTEST: 'HIPAA \u00a7164.308(a)(1) \u2014 annual penetration test for covered systems'\n };\n\n let status, emoji;\n if (daysUntil < 0) { status = 'OVERDUE'; emoji = '\ud83d\udea8'; }\n else if (daysUntil <= 14) { status = 'CRITICAL'; emoji = '\ud83d\udd34'; }\n else if (daysUntil <= 45) { status = 'URGENT'; emoji = '\ud83d\udfe0'; }\n else if (daysUntil <= 90) { status = 'WARNING'; emoji = '\ud83d\udfe1'; }\n else { status = 'NOTICE'; emoji = '\ud83d\udfe2'; }\n\n if (daysUntil <= 90) {\n results.push({\n json: {\n ...d,\n days_until: daysUntil,\n status,\n emoji,\n regulatory_ref: deadlineRefs[d.deadline_type] || d.deadline_type,\n owner_email: d.owner_email\n }\n });\n }\n}\nreturn results;"
},
"id": "code-002",
"name": "Classify Deadlines",
"type": "n8n-nodes-base.code",
"typeVersion": 2,
"position": [
680,
300
]
},
{
"parameters": {
"conditions": {
"options": {
"caseSensitive": true,
"leftValue": "",
"typeValidation": "strict"
},
"conditions": [
{
"leftValue": "={{ $json.status }}",
"rightValue": "OVERDUE",
"operator": {
"type": "string",
"operation": "equals"
}
},
{
"leftValue": "={{ $json.status }}",
"rightValue": "CRITICAL",
"operator": {
"type": "string",
"operation": "equals"
}
}
],
"combinator": "or"
}
},
"id": "if-002",
"name": "Critical or Overdue?",
"type": "n8n-nodes-base.if",
"typeVersion": 2.2,
"position": [
900,
300
]
},
{
"parameters": {
"select": "channel",
"channelId": {
"__rl": true,
"value": "#hipaa-compliance",
"mode": "name"
},
"text": "={{ $json.emoji }} *{{ $json.status }}: {{ $json.deadline_name }}*\n>Deadline: {{ $json.due_date }} ({{ $json.days_until >= 0 ? $json.days_until + ' days' : 'OVERDUE ' + Math.abs($json.days_until) + ' days' }})\n>Ref: {{ $json.regulatory_ref }}\n>Owner: {{ $json.owner_email }}",
"options": {}
},
"id": "slack-002",
"name": "Slack #hipaa-compliance",
"type": "n8n-nodes-base.slack",
"typeVersion": 2.3,
"position": [
1120,
200
]
},
{
"parameters": {
"sendTo": "={{ $json.owner_email }}",
"subject": "={{ $json.emoji }} COMPLIANCE DEADLINE: {{ $json.deadline_name }} \u2014 {{ $json.days_until >= 0 ? $json.days_until + ' days remaining' : 'OVERDUE' }}",
"emailType": "html",
"message": "=<h3>{{ $json.emoji }} {{ $json.status }}: {{ $json.deadline_name }}</h3><p><strong>Due:</strong> {{ $json.due_date }}</p><p><strong>Regulatory Reference:</strong> {{ $json.regulatory_ref }}</p><p><strong>Days Remaining:</strong> {{ $json.days_until }}</p>",
"options": {}
},
"id": "email-004",
"name": "Email Owner",
"type": "n8n-nodes-base.gmail",
"typeVersion": 2.1,
"position": [
1120,
400
]
}
],
"connections": {
"Daily 8AM Schedule": {
"main": [
[
{
"node": "Read Deadlines Sheet",
"type": "main",
"index": 0
}
]
]
},
"Read Deadlines Sheet": {
"main": [
[
{
"node": "Classify Deadlines",
"type": "main",
"index": 0
}
]
]
},
"Classify Deadlines": {
"main": [
[
{
"node": "Critical or Overdue?",
"type": "main",
"index": 0
}
]
]
},
"Critical or Overdue?": {
"main": [
[
{
"node": "Slack #hipaa-compliance",
"type": "main",
"index": 0
},
{
"node": "Email Owner",
"type": "main",
"index": 0
}
],
[]
]
}
}
}
Workflow 3: HealthTech PHI API Health Monitor
Five PHI-processing endpoints. Each with its own regulatory annotation so your ops team understands the compliance implication of every outage — not just the technical one.
The critical insight: PHI endpoint downtime is a compliance event, not just an ops event. A phi_storage_api outage starts the HITECH §13402 breach discovery clock. A telehealth_api outage during a session may be a §164.312 transmission security gap. Annotating each endpoint with its regulatory context transforms your ops playbook.
{
"name": "HealthTech PHI API Health Monitor",
"nodes": [
{
"parameters": {
"rule": {
"interval": [
{
"field": "minutes",
"value": 30
}
]
}
},
"id": "cron-003",
"name": "Every 30 Minutes",
"type": "n8n-nodes-base.scheduleTrigger",
"typeVersion": 1.2,
"position": [
240,
300
]
},
{
"parameters": {
"jsCode": "return [\n { json: { endpoint: 'ehr_api', url: 'https://your-ehr-api/health', regulatory_note: 'HIPAA \u00a7164 PHI pipeline \u2014 downtime triggers \u00a7164.312 access control gap audit' } },\n { json: { endpoint: 'telehealth_api', url: 'https://your-telehealth-api/health', regulatory_note: 'HIPAA \u00a7164.312(e) transmission security \u2014 unencrypted PHI in transit = breach presumption' } },\n { json: { endpoint: 'phi_storage_api', url: 'https://your-phi-storage/health', regulatory_note: 'HITECH \u00a713402 \u2014 breach discovery clock starts at time of detection, not time of notification' } },\n { json: { endpoint: 'cms_interface_api', url: 'https://your-cms-interface/health', regulatory_note: 'CMS Conditions of Participation \u00a7482 \u2014 interface failure may trigger survey deficiency' } },\n { json: { endpoint: 'fda_device_api', url: 'https://your-fda-device-api/health', regulatory_note: 'FDA 21 CFR \u00a7820.70 production controls \u2014 SaMD API failure is a quality system event' } }\n];"
},
"id": "code-003",
"name": "PHI Endpoint List",
"type": "n8n-nodes-base.code",
"typeVersion": 2,
"position": [
460,
300
]
},
{
"parameters": {
"url": "={{ $json.url }}",
"options": {
"timeout": 10000,
"response": {
"response": {
"fullResponse": true,
"neverError": true
}
}
}
},
"onError": "continueRegularOutput",
"id": "http-003",
"name": "HTTP Health Check",
"type": "n8n-nodes-base.httpRequest",
"typeVersion": 4.2,
"position": [
680,
300
]
},
{
"parameters": {
"conditions": {
"options": {
"caseSensitive": true,
"leftValue": "",
"typeValidation": "loose"
},
"conditions": [
{
"leftValue": "={{ $json.statusCode }}",
"rightValue": 200,
"operator": {
"type": "number",
"operation": "notEquals"
}
}
],
"combinator": "and"
}
},
"id": "if-003",
"name": "Non-200 Response?",
"type": "n8n-nodes-base.if",
"typeVersion": 2.2,
"position": [
900,
300
]
},
{
"parameters": {
"select": "channel",
"channelId": {
"__rl": true,
"value": "#phi-ops-critical",
"mode": "name"
},
"text": "=\ud83d\udea8 *PHI ENDPOINT DOWN: {{ $('PHI Endpoint List').item.json.endpoint }}*\n>URL: {{ $('PHI Endpoint List').item.json.url }}\n>Status: {{ $json.statusCode || 'timeout' }}\n>Regulatory: {{ $('PHI Endpoint List').item.json.regulatory_note }}\n>Time: {{ $now.toISO() }}",
"options": {}
},
"id": "slack-003",
"name": "Slack #phi-ops-critical",
"type": "n8n-nodes-base.slack",
"typeVersion": 2.3,
"position": [
1120,
200
]
},
{
"parameters": {
"operation": "append",
"documentId": {
"__rl": true,
"value": "YOUR_SHEET_ID",
"mode": "id"
},
"sheetName": {
"__rl": true,
"value": "phi_incidents",
"mode": "name"
},
"columns": {
"mappingMode": "defineBelow",
"value": {
"endpoint": "={{ $('PHI Endpoint List').item.json.endpoint }}",
"status_code": "={{ $json.statusCode || 'timeout' }}",
"regulatory_note": "={{ $('PHI Endpoint List').item.json.regulatory_note }}",
"detected_at": "={{ $now.toISO() }}"
}
},
"options": {}
},
"id": "sheets-003",
"name": "Log PHI Incident",
"type": "n8n-nodes-base.googleSheets",
"typeVersion": 4.5,
"position": [
1120,
400
]
}
],
"connections": {
"Every 30 Minutes": {
"main": [
[
{
"node": "PHI Endpoint List",
"type": "main",
"index": 0
}
]
]
},
"PHI Endpoint List": {
"main": [
[
{
"node": "HTTP Health Check",
"type": "main",
"index": 0
}
]
]
},
"HTTP Health Check": {
"main": [
[
{
"node": "Non-200 Response?",
"type": "main",
"index": 0
}
]
]
},
"Non-200 Response?": {
"main": [
[
{
"node": "Slack #phi-ops-critical",
"type": "main",
"index": 0
},
{
"node": "Log PHI Incident",
"type": "main",
"index": 0
}
],
[]
]
}
}
}
Workflow 4: HIPAA/HITECH Incident Pipeline (8 Types)
Eight incident types. The two fastest clocks:
- HHS_OCR_COMPLAINT: IMMEDIATE — no grace period
- HIPAA_PHI_BREACH_DISCOVERED: IMMEDIATE discovery clock + 60-day notification window
The pipeline routes each incident type to the correct Slack channel and compliance owner with the exact regulatory requirement attached — no one has to look it up under pressure.
{
"name": "HIPAA/HITECH Incident Pipeline",
"nodes": [
{
"parameters": {
"httpMethod": "POST",
"path": "healthtech-incident",
"options": {}
},
"id": "webhook-004",
"name": "Incident Webhook",
"type": "n8n-nodes-base.webhook",
"typeVersion": 2,
"position": [
240,
300
]
},
{
"parameters": {
"jsCode": "const incident = $input.first().json;\nconst incidentType = incident.incident_type;\n\nconst incidentMap = {\n HIPAA_PHI_BREACH_DISCOVERED: {\n severity: 'CRITICAL',\n sla: 'IMMEDIATE',\n regulatory: 'HIPAA \u00a7164.308(a)(6) \u2014 breach discovery clock starts NOW. HITECH \u00a713402 \u2014 60-day window to HHS + individuals + media (500+ individuals). Document: date of discovery, nature of PHI, who accessed, what was done.',\n channel: '#phi-security-critical'\n },\n HITECH_BREACH_NOTIFICATION_TRIGGER: {\n severity: 'CRITICAL',\n sla: '60 days (\u00a713402)',\n regulatory: 'HITECH \u00a713402(a) \u2014 notify affected individuals without unreasonable delay. \u00a713402(b) \u2014 notify HHS. \u00a713402(e) \u2014 notify prominent media if 500+ in same state/jurisdiction.',\n channel: '#hipaa-breach-response'\n },\n HHS_OCR_COMPLAINT: {\n severity: 'CRITICAL',\n sla: 'IMMEDIATE (fastest clock)',\n regulatory: 'HHS OCR complaint initiates investigation immediately. No grace period. Preserve all PHI access logs, BAA documentation, risk analysis records. Legal counsel engagement required.',\n channel: '#legal-escalation'\n },\n FDA_ADVERSE_EVENT_REPORT: {\n severity: 'HIGH',\n sla: '30 days (21 CFR \u00a7803.50)',\n regulatory: 'FDA MDR \u2014 medical device malfunction or serious injury. 30-day reporting window. If death involved: 5 days (\u00a7803.53).',\n channel: '#fda-regulatory'\n },\n CMS_SURVEY_DEFICIENCY: {\n severity: 'HIGH',\n sla: '10 days (\u00a7488.28)',\n regulatory: 'CMS Conditions of Participation \u2014 10-day correction plan required for condition-level deficiency. Immediate jeopardy = 23 days.',\n channel: '#cms-compliance'\n },\n UNAUTHORIZED_PHI_DISCLOSURE: {\n severity: 'HIGH',\n sla: 'IMMEDIATE risk assessment',\n regulatory: 'HIPAA \u00a7164.402 \u2014 impermissible PHI use/disclosure is presumed a breach unless risk assessment demonstrates low probability of compromise.',\n channel: '#hipaa-breach-response'\n },\n RANSOMWARE_PHI_SYSTEM: {\n severity: 'CRITICAL',\n sla: 'IMMEDIATE',\n regulatory: 'HHS OCR June 2016 guidance \u2014 ransomware on PHI system = presumed breach. Notification required unless risk assessment demonstrates low probability PHI compromised.',\n channel: '#phi-security-critical'\n },\n DATA_BREACH_HEALTH_DATA: {\n severity: 'CRITICAL',\n sla: '72h GDPR + 60d HITECH',\n regulatory: 'HIPAA HITECH \u00a713402 \u2014 60-day window. GDPR Art.33 \u2014 72-hour window to supervisory authority if EU health data involved. Run parallel notification tracks.',\n channel: '#phi-security-critical'\n }\n};\n\nconst config = incidentMap[incidentType] || {\n severity: 'HIGH',\n sla: '24h',\n regulatory: 'Document incident, assess PHI impact, notify compliance team.',\n channel: '#compliance-general'\n};\n\nreturn [{ json: { ...incident, ...config, detected_at: new Date().toISOString() } }];"
},
"id": "code-004",
"name": "Classify Incident",
"type": "n8n-nodes-base.code",
"typeVersion": 2,
"position": [
460,
300
]
},
{
"parameters": {
"select": "channel",
"channelId": {
"__rl": true,
"value": "={{ $json.channel }}",
"mode": "name"
},
"text": "=\ud83d\udea8 *{{ $json.severity }}: {{ $json.incident_type }}*\n>SLA: {{ $json.sla }}\n>Regulatory: {{ $json.regulatory }}\n>Customer: {{ $json.customer_id }}\n>Detected: {{ $json.detected_at }}",
"options": {}
},
"id": "slack-004",
"name": "Slack Incident Channel",
"type": "n8n-nodes-base.slack",
"typeVersion": 2.3,
"position": [
680,
200
]
},
{
"parameters": {
"sendTo": "compliance@yourcompany.com",
"subject": "={{ $json.severity }}: HEALTHTECH INCIDENT \u2014 {{ $json.incident_type }} (Customer: {{ $json.customer_id }})",
"emailType": "html",
"message": "=<h3>{{ $json.severity }}: {{ $json.incident_type }}</h3><p><strong>SLA:</strong> {{ $json.sla }}</p><p><strong>Regulatory Requirement:</strong> {{ $json.regulatory }}</p><p><strong>Customer:</strong> {{ $json.customer_id }}</p><p><strong>Detected:</strong> {{ $json.detected_at }}</p>",
"options": {}
},
"id": "email-005",
"name": "Email Compliance Team",
"type": "n8n-nodes-base.gmail",
"typeVersion": 2.1,
"position": [
680,
400
]
},
{
"parameters": {
"operation": "append",
"documentId": {
"__rl": true,
"value": "YOUR_SHEET_ID",
"mode": "id"
},
"sheetName": {
"__rl": true,
"value": "incident_log",
"mode": "name"
},
"columns": {
"mappingMode": "defineBelow",
"value": {
"incident_type": "={{ $json.incident_type }}",
"severity": "={{ $json.severity }}",
"sla": "={{ $json.sla }}",
"customer_id": "={{ $json.customer_id }}",
"detected_at": "={{ $json.detected_at }}"
}
},
"options": {}
},
"id": "sheets-004",
"name": "Log Incident",
"type": "n8n-nodes-base.googleSheets",
"typeVersion": 4.5,
"position": [
900,
300
]
}
],
"connections": {
"Incident Webhook": {
"main": [
[
{
"node": "Classify Incident",
"type": "main",
"index": 0
}
]
]
},
"Classify Incident": {
"main": [
[
{
"node": "Slack Incident Channel",
"type": "main",
"index": 0
},
{
"node": "Email Compliance Team",
"type": "main",
"index": 0
},
{
"node": "Log Incident",
"type": "main",
"index": 0
}
]
]
}
}
}
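A stand-alone, testable version of the Workflow 2 deadline tiering, extended to turn a Workflow 4 breach incident into tracker rows for the same sheet. This is an added example, not code from the article or the FlowKit templates; the INVALID_DATE status, the GDPR_ART33_72H deadline type and the deriveDeadlines() helper are assumptions. It also surfaces rows with an unparseable due_date, which the original Code node drops without any alert.

```javascript
// Added example, not code from the article or the FlowKit templates: a
// stand-alone, testable version of the Workflow 2 "Classify Deadlines" tiering,
// plus a helper that derives tracker rows from a Workflow 4 incident. Row and
// incident field names follow the article; the INVALID_DATE status, the
// GDPR_ART33_72H deadline type and deriveDeadlines() are assumptions.

const MS_PER_DAY = 86400000;

// Same tiers and thresholds as the article's Code node.
function statusFor(daysUntil) {
  if (daysUntil < 0) return 'OVERDUE';
  if (daysUntil <= 14) return 'CRITICAL';
  if (daysUntil <= 45) return 'URGENT';
  if (daysUntil <= 90) return 'WARNING';
  return 'NOTICE';
}

// Classify sheet rows relative to an explicit `today` (the n8n node calls
// new Date() itself; a parameter makes the logic testable). A row whose
// due_date does not parse is surfaced as INVALID_DATE instead of vanishing:
// in the original node NaN fails the `<= 90` check, so one typo in the sheet
// silently removes a compliance deadline from every alert.
function classifyDeadlines(rows, today, horizonDays = 90) {
  const results = [];
  for (const d of rows) {
    const due = new Date(d.due_date);
    if (Number.isNaN(due.getTime())) {
      results.push({ ...d, days_until: null, status: 'INVALID_DATE' });
      continue;
    }
    const daysUntil = Math.floor((due - today) / MS_PER_DAY);
    if (daysUntil <= horizonDays) {
      results.push({ ...d, days_until: daysUntil, status: statusFor(daysUntil) });
    }
  }
  return results;
}

// Turn a Workflow 4 incident into Workflow 2 sheet rows so the notification
// clocks the article cites are tracked, not just announced: HITECH §13402
// (60 days from discovery) for the breach types, plus the GDPR Art.33
// 72-hour track for DATA_BREACH_HEALTH_DATA. Other incident types yield no rows.
function deriveDeadlines(incident) {
  const discovered = new Date(incident.detected_at);
  if (Number.isNaN(discovered.getTime())) {
    throw new Error('incident.detected_at must be an ISO-8601 timestamp');
  }
  const dueAfter = (ms) => new Date(discovered.getTime() + ms).toISOString();
  const row = (type, name, ms) => ({
    deadline_type: type, deadline_name: `${name} (${incident.customer_id})`,
    due_date: dueAfter(ms), owner_email: incident.owner_email,
    customer_id: incident.customer_id,
  });
  const rows = [];
  if (['HIPAA_PHI_BREACH_DISCOVERED', 'HITECH_BREACH_NOTIFICATION_TRIGGER',
       'DATA_BREACH_HEALTH_DATA'].includes(incident.incident_type)) {
    rows.push(row('HIPAA_BREACH_NOTIFICATION_60_DAY', 'HITECH 60-day notification', 60 * MS_PER_DAY));
  }
  if (incident.incident_type === 'DATA_BREACH_HEALTH_DATA') {
    rows.push(row('GDPR_ART33_72H', 'GDPR Art.33 72-hour notification', 72 * 3600 * 1000));
  }
  return rows;
}

// Constructed sample data (not from the article).
const SAMPLE_TODAY = new Date('2025-03-01T00:00:00Z');
const SAMPLE_ROWS = [
  { deadline_type: 'HIPAA_RISK_ANALYSIS_ANNUAL', due_date: '2025-02-20', owner_email: 'ciso@example.com' },
  { deadline_type: 'HIPAA_WORKFORCE_TRAINING', due_date: '2025-03-10', owner_email: 'hr@example.com' },
  { deadline_type: 'SOC2_TYPE2_RENEWAL', due_date: '2025-04-10', owner_email: 'grc@example.com' },
  { deadline_type: 'ANNUAL_PENTEST', due_date: '2025-05-15', owner_email: 'ciso@example.com' },
  { deadline_type: 'ONC_CERTIFICATION_RENEWAL', due_date: '2025-09-01', owner_email: 'cto@example.com' },
  { deadline_type: 'PHI_DISPOSAL_DOCUMENTATION', due_date: 'TBD', owner_email: 'ops@example.com' },
];
const SAMPLE_INCIDENT = {
  incident_type: 'DATA_BREACH_HEALTH_DATA', customer_id: 'cust-42',
  owner_email: 'privacy@example.com', detected_at: '2025-03-01T00:00:00.000Z',
};

// Classify the sheet, then the rows derived from the incident, as of SAMPLE_TODAY.
function runDemo() {
  const sheet = classifyDeadlines(SAMPLE_ROWS, SAMPLE_TODAY);
  const derived = classifyDeadlines(deriveDeadlines(SAMPLE_INCIDENT), SAMPLE_TODAY);
  return { sheet, derived };
}

for (const r of Object.values(runDemo()).flat()) {
  console.log(`${r.status.padEnd(12)} ${r.deadline_type} (${r.days_until} days)`);
}
```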
Workflow 5: Weekly HealthTech Compliance KPI Dashboard
Monday morning. CEO + CISO + CCO. One email. Every open compliance item surfaced.
The dashboard pulls platform metrics and compliance events from separate Sheets, merges them, and sends a unified HTML report tracking: active customers, MRR, PHI systems monitored, HIPAA BAA executions, and open incidents by regulatory category.
{
"name": "Weekly HealthTech Compliance KPI Dashboard",
"nodes": [
{
"parameters": {
"rule": {
"interval": [
{
"field": "cronExpression",
"expression": "0 8 * * 1"
}
]
}
},
"id": "cron-005",
"name": "Monday 8AM",
"type": "n8n-nodes-base.scheduleTrigger",
"typeVersion": 1.2,
"position": [
240,
300
]
},
{
"parameters": {
"documentId": {
"__rl": true,
"value": "YOUR_SHEET_ID",
"mode": "id"
},
"sheetName": {
"__rl": true,
"value": "platform_metrics",
"mode": "name"
},
"options": {}
},
"id": "sheets-005a",
"name": "Read Platform Metrics",
"type": "n8n-nodes-base.googleSheets",
"typeVersion": 4.5,
"position": [
460,
200
]
},
{
"parameters": {
"documentId": {
"__rl": true,
"value": "YOUR_SHEET_ID",
"mode": "id"
},
"sheetName": {
"__rl": true,
"value": "compliance_events",
"mode": "name"
},
"options": {}
},
"id": "sheets-005b",
"name": "Read Compliance Events",
"type": "n8n-nodes-base.googleSheets",
"typeVersion": 4.5,
"position": [
460,
400
]
},
{
"parameters": {
"mode": "combine",
"combinationMode": "mergeByPosition",
"options": {}
},
"id": "merge-005",
"name": "Merge Metrics",
"type": "n8n-nodes-base.merge",
"typeVersion": 3.1,
"position": [
680,
300
]
},
{
"parameters": {
"jsCode": "const metrics = $input.first().json;\nconst wowPct = (curr, prev) => prev > 0 ? ((curr - prev) / prev * 100).toFixed(1) + '%' : 'N/A';\n\nconst activeCustomers = parseInt(metrics.active_customers) || 0;\nconst prevActiveCustomers = parseInt(metrics.prev_active_customers) || 0;\nconst mrr = parseFloat(metrics.mrr) || 0;\nconst prevMrr = parseFloat(metrics.prev_mrr) || 0;\n\nreturn [{\n json: {\n active_customers: activeCustomers,\n mrr: mrr,\n customers_wow: wowPct(activeCustomers, prevActiveCustomers),\n mrr_wow: wowPct(mrr, prevMrr),\n phi_systems_monitored: metrics.phi_systems_monitored || 0,\n hipaa_baa_executed: metrics.hipaa_baa_executed || 0,\n hipaa_open_incidents: metrics.hipaa_open_incidents || 0,\n hitech_breach_open: metrics.hitech_breach_open || 0,\n hhs_ocr_complaints_open: metrics.hhs_ocr_complaints_open || 0,\n fda_qsr_open: metrics.fda_qsr_open || 0,\n cms_deficiencies_open: metrics.cms_deficiencies_open || 0\n }\n}];"
},
"id": "code-005",
"name": "Build KPI Summary",
"type": "n8n-nodes-base.code",
"typeVersion": 2,
"position": [
900,
300
]
},
{
"parameters": {
"sendTo": "ceo@yourcompany.com",
"subject": "=Weekly HealthTech Compliance KPI \u2014 {{ $now.toFormat('yyyy-MM-dd') }}",
"emailType": "html",
"message": "=<h2>HealthTech Weekly Compliance Report</h2><table border='1' cellpadding='6'><tr><th>Metric</th><th>Value</th><th>WoW</th></tr><tr><td>Active Customers</td><td>{{ $json.active_customers }}</td><td>{{ $json.customers_wow }}</td></tr><tr><td>MRR</td><td>${{ $json.mrr }}</td><td>{{ $json.mrr_wow }}</td></tr><tr><td>PHI Systems Monitored</td><td>{{ $json.phi_systems_monitored }}</td><td></td></tr><tr><td>HIPAA BAA Executed</td><td>{{ $json.hipaa_baa_executed }}</td><td></td></tr></table><h3>Open Compliance Incidents</h3><ul><li>HIPAA Open: {{ $json.hipaa_open_incidents }}</li><li>HITECH Breach Open: {{ $json.hitech_breach_open }}</li><li>HHS OCR Complaints: {{ $json.hhs_ocr_complaints_open }}</li><li>FDA QSR Open: {{ $json.fda_qsr_open }}</li><li>CMS Deficiencies: {{ $json.cms_deficiencies_open }}</li></ul>",
"options": {
"appendAttribution": false,
"bccList": "ciso@yourcompany.com, cco@yourcompany.com"
}
},
"id": "email-006",
"name": "Email CEO + BCC CISO/CCO",
"type": "n8n-nodes-base.gmail",
"typeVersion": 2.1,
"position": [
1120,
300
]
}
],
"connections": {
"Monday 8AM": {
"main": [
[
{
"node": "Read Platform Metrics",
"type": "main",
"index": 0
},
{
"node": "Read Compliance Events",
"type": "main",
"index": 0
}
]
]
},
"Read Platform Metrics": {
"main": [
[
{
"node": "Merge Metrics",
"type": "main",
"index": 0
}
]
]
},
"Read Compliance Events": {
"main": [
[
{
"node": "Merge Metrics",
"type": "main",
"index": 1
}
]
]
},
"Merge Metrics": {
"main": [
[
{
"node": "Build KPI Summary",
"type": "main",
"index": 0
}
]
]
},
"Build KPI Summary": {
"main": [
[
{
"node": "Email CEO + BCC CISO/CCO",
"type": "main",
"index": 0
}
]
]
}
}
}
Why Self-Hosted n8n Is the HealthTech Compliance Default
The core HIPAA problem with cloud iPaaS: every node in your PHI data flow is a Business Associate.
| Self-Hosting Benefit | Regulatory Driver |
|---|---|
| PHI never leaves your covered environment | HIPAA §164.308(b) BAA obligation — cloud iPaaS requires signed BAA |
| Breach discovery clock in your control | HITECH §13402 — discovery clock starts when you know, not when vendor logs it |
| Audit trail stays in your Postgres/S3 | HIPAA §164.312(b) audit controls — evidence stays under your control for OCR investigation |
| No SaMD scope expansion | FDA 21 CFR Part 820 — cloud automation vendor not in your QMS scope |
| GDPR Article 28 DPA boundary | EU patient data — Art.44-46 transfer restriction applies to cloud iPaaS nodes |
The BAA gap in practice: If you're using Zapier or Make to route PHI (trigger on new patient, send to EHR, log to Sheets), each of those platforms is processing PHI. Zapier's BAA is available on Business plan+. Make's BAA requires Teams+. But the BAA alone doesn't solve the data residency problem — your PHI is still transiting their infrastructure.
Self-hosted n8n on your HIPAA-covered cloud instance (AWS with BAA, Azure with BAA, GCP with BAA) keeps every PHI workflow node inside your covered environment. No third-party TPSP assessment required for your SOC 2 CC9.2 finding. No BAA gap.
Get the Full Template Pack
All 5 workflows above are included in the FlowKit n8n Automation Templates — import-ready JSON for HealthTech, plus 10 other verticals.
Questions on HIPAA architecture or HealthTech compliance automation? Drop them in the comments.