If your HealthTech SaaS platform processes patient data through a cloud automation vendor, that vendor's execution log recorded the exact timestamp when protected health information first passed through their infrastructure. Under HIPAA 45 CFR §164.408(b), the 60-day HHS breach notification clock starts at discovery — and discovery is defined as when any employee or system first detected the unauthorized access or acquisition of PHI.
That timestamp is in your vendor's log, not yours.
This architectural fact drives four distinct compliance obligations across HIPAA, ONC TEFCA, FDA SaMD, and FTC Health Breach Notification — all of which start clocks at the earliest point of system interaction, not at human review.
The Five Compliance Clocks
1. HIPAA Breach Notification — 60 Days from Discovery
Under 45 CFR §164.408(b), covered entities must notify HHS and affected individuals within 60 days of discovery of a breach. The HIPAA definition of discovery is the date a covered entity or its business associate first knows or, by exercising reasonable diligence, would have known of the breach.
Key architectural consequence: every cloud automation vendor that processes PHI on your behalf is a Business Associate under 45 CFR §164.504(e). If Zapier, Make, or any cloud iPaaS platform executes a workflow containing PHI fields, that vendor must have a signed BAA. If that vendor's infrastructure is breached, the discovery timestamp in their platform's logs is HIPAA evidence — and the 60-day clock starts from that date, not from when your team learns about it.
A second consequence: cloud iPaaS execution logs that contain PHI field values constitute unauthorized disclosure to the vendor. This is one of the most common sources of HIPAA violations in automation-heavy HealthTech platforms — a workflow logs the patient name, DOB, or diagnosis in a debug field, and that data sits in a cloud vendor's log infrastructure outside your HIPAA security boundary.
2. ONC Information Blocking — $1M/Violation
The 21st Century Cures Act §4004 and ONC implementing regulations at 45 CFR §171.103 define "information blocking" as any practice by a health IT developer, health information network, or health information exchange that is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.
The OIG can impose civil monetary penalties of up to $1 million per violation on health IT developers. There are eight regulatory exceptions (preventing harm, privacy, security, infeasibility, health IT performance, content and manner, fees, licensing) — but each exception has specific conditions that must be affirmatively documented.
The clock consequence: when a patient or their authorized representative submits a request for their EHI through your platform, the information blocking obligation is immediate at receipt. Batch processing queues that delay EHI access create a window where the platform may be engaging in information blocking without a valid documented exception.
3. FDA Software as a Medical Device — Before Distribution
The FDA's IMDRF N23 SaMD framework (adopted by FDA in its 2019 Software Policy) defines Software as a Medical Device as software intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device.
For HealthTech SaaS vendors, the critical question is whether your platform's algorithms generate clinical recommendations that inform treatment, diagnosis, or monitoring decisions. Common examples that have drawn FDA attention: triage scoring algorithms, RPM threshold alert systems that recommend clinical intervention, diagnostic support tools, and chronic disease management recommendations.
Distribution of SaMD without FDA clearance (510(k)) or approval (PMA) is a prohibited act under 21 USC §331. The FDA has issued warning letters and consent decrees to SaaS vendors. The SaMD classification is based on function and intended use, not technical architecture.
4. FTC Health Breach Notification Rule — 60 Days from Discovery
The FTC Health Breach Notification Rule (16 CFR Part 318) applies to vendors of personal health records and related entities that are not HIPAA covered entities or business associates. This includes consumer health apps, wearable device platforms, wellness apps, and other digital health tools that collect health data directly from consumers.
The FTC rule requires notification within 60 days of discovery of a breach. The FTC's definition of "breach" includes unauthorized acquisition of unsecured PHR identifiable health information — and the FTC has made clear that discovery means the point at which the vendor's system first detected unauthorized access, not when the leadership team reviewed the incident report.
The FTC has taken enforcement action under this rule: in 2023 the FTC settled with several health app operators for data sharing practices that triggered breach notification obligations.
5. CMS Interoperability and Prior Authorization API — January 2027
The CMS Interoperability and Prior Authorization Final Rule (2024) requires payers regulated under CMS (MA plans, Medicaid, CHIP, QHP issuers) to implement FHIR R4 Prior Authorization APIs by January 1, 2027. HealthTech SaaS vendors that serve these payers or build prior authorization workflows must have FHIR-compliant API infrastructure in place by that date.
Additionally, 45 CFR §170.315(g)(10) requires certified EHR technology to support a FHIR R4 patient-facing API — HealthTech vendors whose products require EHR integration must be compatible with this API.
The 7 HealthTech SaaS Vendor Tiers
These automations are built for the engineering and compliance teams at HealthTech software companies — not the clinical staff using the platforms.
| Tier | Profile | Key Flags |
|---|---|---|
| RPM_PLATFORM_SAAS | Remote patient monitoring platforms, >100K patient accounts | HIPAA BAA + ONC TEFCA + SaMD |
| TELEHEALTH_SAAS | Telehealth and virtual care platforms | HIPAA BAA + CMS Prior Auth API |
| DIGITAL_THERAPEUTICS | DTx platforms (FDA cleared or pursuing clearance) | FDA SaMD + FTC HBN Rule |
| CHRONIC_CARE_MANAGEMENT | Chronic disease management platforms | HIPAA + CMS Prior Auth + TEFCA |
| CLINICAL_DECISION_SUPPORT | CDS tools, diagnostic support, triage algorithms | FDA SaMD (highest risk) |
| POPULATION_HEALTH_SAAS | Population health management, ACO platforms | ONC TEFCA + HIPAA + GDPR Art.9 |
| HEALTHTECH_STARTUP | Pre-revenue or early-stage health tech | HIPAA basics + FTC HBN if non-CE |
The 5 Automations
Workflow 1: Tier-Segmented HealthTech Customer Onboarding Drip
A webhook-triggered onboarding sequence that classifies new accounts into the 7-tier structure, assigns compliance flags (HIPAA BAA, ONC TEFCA, FDA SaMD, CMS Prior Auth, FTC HBN Rule, GDPR Art.9, CCPA sensitive PI), and triggers a 3-part email drip covering HIPAA BAA risk, ONC information blocking architecture, and FDA SaMD classification.
{
"name": "HealthTech Tier-Segmented Onboarding Drip",
"nodes": [
{
"id": "1",
"name": "New HealthTech Account Webhook",
"type": "n8n-nodes-base.webhook",
"parameters": {
"path": "healthtech-onboarding",
"httpMethod": "POST"
}
},
{
"id": "2",
"name": "Classify Tier & Flags",
"type": "n8n-nodes-base.code",
"parameters": {
"jsCode": "const d = $input.first().json;\nconst arr = parseFloat(d.arr_usd || 0);\nconst accounts = parseInt(d.patient_accounts || 0);\nlet tier = 'HEALTHTECH_STARTUP';\nif (arr >= 5e6 || accounts >= 100000) tier = 'RPM_PLATFORM_SAAS';\nelse if (d.account_type === 'telehealth') tier = 'TELEHEALTH_SAAS';\nelse if (d.account_type === 'digital_therapeutics') tier = 'DIGITAL_THERAPEUTICS';\nelse if (d.account_type === 'chronic_care') tier = 'CHRONIC_CARE_MANAGEMENT';\nelse if (d.account_type === 'clinical_decision') tier = 'CLINICAL_DECISION_SUPPORT';\nelse if (d.account_type === 'population_health') tier = 'POPULATION_HEALTH_SAAS';\nconst flags = {\n hipaa_covered_entity_or_ba: true,\n onc_tefca_qhin_participant: ['RPM_PLATFORM_SAAS','POPULATION_HEALTH_SAAS','CHRONIC_CARE_MANAGEMENT'].includes(tier),\n fda_samd_cleared_or_pending: ['CLINICAL_DECISION_SUPPORT','DIGITAL_THERAPEUTICS','RPM_PLATFORM_SAAS'].includes(tier),\n cms_prior_auth_api_subject: ['TELEHEALTH_SAAS','CHRONIC_CARE_MANAGEMENT','POPULATION_HEALTH_SAAS'].includes(tier),\n ftc_hbn_rule_subject: !d.is_covered_entity && ['DIGITAL_THERAPEUTICS','HEALTHTECH_STARTUP'].includes(tier),\n gdpr_art9_health_data: d.eu_customers === 'true',\n ccpa_sensitive_pi_health: d.ca_customers === 'true'\n};\nreturn [{json: {...d, tier, flags, onboarding_ts: new Date().toISOString()}}];"
}
},
{
"id": "3",
"name": "Day 0 Welcome Email",
"type": "n8n-nodes-base.gmail",
"parameters": {
"toList": "={{ $json.contact_email }}",
"subject": "=Welcome to FlowKit \u2014 your {{ $json.tier }} HIPAA compliance automation kit",
"message": "=Welcome to FlowKit.\n\nYour HealthTech compliance stack is ready. Based on your profile ({{ $json.tier }}):\n\n{{ $json.flags.hipaa_covered_entity_or_ba ? '\u2713 HIPAA BAA workflow audit enabled (cloud iPaaS vendor = business associate)\\n' : '' }}{{ $json.flags.onc_tefca_qhin_participant ? '\u2713 ONC TEFCA information blocking monitor active (\u00a7171.103 complaint pipeline)\\n' : '' }}{{ $json.flags.fda_samd_cleared_or_pending ? '\u2713 FDA SaMD IMDRF N23 classification tracker configured (510(k) deadline monitor)\\n' : '' }}{{ $json.flags.cms_prior_auth_api_subject ? '\u2713 CMS Prior Authorization API deadline tracker active (Jan 2027 FHIR R4 mandate)\\n' : '' }}{{ $json.flags.ftc_hbn_rule_subject ? '\u2713 FTC Health Breach Notification Rule 60-day clock configured (16 CFR Part 318)\\n' : '' }}\u2713 HIPAA breach incident pipeline ready (60-day HHS/patient notification tracker)\n\nOnboarding call: {{ $json.csm_calendly_link }}\n\n\u2014 FlowKit Team"
}
},
{
"id": "4",
"name": "Slack CSM Alert",
"type": "n8n-nodes-base.slack",
"parameters": {
"channel": "#healthtech-onboarding",
"text": "=\ud83c\udfe5 New {{ $json.tier }}: {{ $json.company_name }} ({{ $json.patient_accounts }} patient accounts)\nFlags: HIPAA={{ $json.flags.hipaa_covered_entity_or_ba }} | TEFCA={{ $json.flags.onc_tefca_qhin_participant }} | SaMD={{ $json.flags.fda_samd_cleared_or_pending }} | CMS={{ $json.flags.cms_prior_auth_api_subject }} | FTC={{ $json.flags.ftc_hbn_rule_subject }}\nCSM: {{ $json.csm_name }}"
}
},
{
"id": "5",
"name": "Audit Log",
"type": "n8n-nodes-base.postgres",
"parameters": {
"operation": "insert",
"table": "healthtech_onboarding_audit",
"columns": "company_name,tier,arr_usd,flags_json,onboarding_ts",
"values": "={{ $json.company_name }},={{ $json.tier }},={{ $json.arr_usd }},={{ JSON.stringify($json.flags) }},={{ $json.onboarding_ts }}"
}
},
{
"id": "6",
"name": "Wait 3 Days",
"type": "n8n-nodes-base.wait",
"parameters": {
"amount": 3,
"unit": "days"
}
},
{
"id": "7",
"name": "Day 3 HIPAA BAA Tips",
"type": "n8n-nodes-base.gmail",
"parameters": {
"toList": "={{ $json.contact_email }}",
"subject": "=HIPAA BAA and cloud automation \u2014 the business associate problem your Zapier vendor won't mention",
"message": "=Day 3 check-in.\n\nEvery cloud automation platform that processes PHI on your behalf is a Business Associate under HIPAA 45 CFR \u00a7164.504(e). This means:\n\n\u2022 Zapier, Make, or any cloud iPaaS vendor that touches PHI must have a signed BAA\n\u2022 If that vendor suffers a breach, YOUR 60-day HHS notification clock starts at the date you 'discovered' the breach \u2014 discovery = when any employee OR system first detected unauthorized access\n\u2022 Cloud iPaaS logs are in the vendor's infrastructure \u2014 those logs are HHS discovery evidence\n\nWith self-hosted n8n, there is no third-party business associate to sign a BAA with. The automation runs inside your HIPAA security boundary.\n\nFlowKit's HIPAA breach pipeline (Workflow 4) captures the discovery timestamp the moment a PHI incident hits your webhook endpoint.\n\nQuestions: {{ $json.csm_email }}"
}
},
{
"id": "8",
"name": "Wait 4 Days",
"type": "n8n-nodes-base.wait",
"parameters": {
"amount": 4,
"unit": "days"
}
},
{
"id": "9",
"name": "Day 7 ONC TEFCA & FDA SaMD",
"type": "n8n-nodes-base.gmail",
"parameters": {
"toList": "={{ $json.contact_email }}",
"subject": "=ONC information blocking $1M/violation + FDA SaMD \u2014 what your HealthTech platform must know",
"message": "=Day 7 update.\n\nTwo compliance areas with high penalty density for HealthTech SaaS vendors:\n\n1. ONC Information Blocking (45 CFR \u00a7171): If your platform interferes with patient access to their electronic health information without a valid exception, that is 'information blocking' \u2014 $1M/violation civil penalty per OIG. The clock starts when the patient request hits your system, not when your operations team reviews the queue.\n\n2. FDA SaMD (IMDRF N23): If your platform's algorithms generate clinical recommendations that inform treatment decisions (dosing alerts, diagnostic suggestions, triage scores), you may be manufacturing a Software as a Medical Device. Distribution without 510(k) clearance is FDA enforcement risk.\n\nFlowKit's FDA SaMD deadline tracker (Workflow 2) monitors your 510(k) submission status and flags approaching deadlines before OIG or FDA acts.\n\nCompliance review: {{ $json.compliance_email }}"
}
}
],
"connections": {
"New HealthTech Account Webhook": {
"main": [
[
{
"node": "Classify Tier & Flags",
"type": "main",
"index": 0
}
]
]
},
"Classify Tier & Flags": {
"main": [
[
{
"node": "Day 0 Welcome Email",
"type": "main",
"index": 0
},
{
"node": "Slack CSM Alert",
"type": "main",
"index": 0
},
{
"node": "Audit Log",
"type": "main",
"index": 0
}
]
]
},
"Day 0 Welcome Email": {
"main": [
[
{
"node": "Wait 3 Days",
"type": "main",
"index": 0
}
]
]
},
"Wait 3 Days": {
"main": [
[
{
"node": "Day 3 HIPAA BAA Tips",
"type": "main",
"index": 0
}
]
]
},
"Day 3 HIPAA BAA Tips": {
"main": [
[
{
"node": "Wait 4 Days",
"type": "main",
"index": 0
}
]
]
},
"Wait 4 Days": {
"main": [
[
{
"node": "Day 7 ONC TEFCA & FDA SaMD",
"type": "main",
"index": 0
}
]
]
}
}
}
Workflow 2: HIPAA / ONC / FDA SaMD / FTC HBN Compliance Deadline Tracker
A daily 7AM scheduler that reads compliance deadlines from a Google Sheet, classifies each by urgency (OVERDUE / CRITICAL / URGENT / WARNING / NOTICE), and routes alerts to Gmail and Slack. Covers 12 deadline types including HIPAA_BREACH_HHS_60DAY, FTC_HBN_RULE_60DAY, ONC_INFO_BLOCKING_RESPONSE, FDA_SAMD_510K_SUBMISSION, FDA_MDR_30DAY, and CMS_PRIOR_AUTH_API_JAN2027.
{
"name": "HIPAA / ONC / FDA SaMD / FTC HBN Compliance Deadline Tracker",
"nodes": [
{
"id": "1",
"name": "Daily 7AM UTC",
"type": "n8n-nodes-base.scheduleTrigger",
"parameters": {
"rule": {
"interval": [
{
"field": "cronExpression",
"expression": "0 7 * * *"
}
]
}
}
},
{
"id": "2",
"name": "Fetch Deadlines",
"type": "n8n-nodes-base.googleSheets",
"parameters": {
"operation": "read",
"sheetId": "YOUR_SHEET_ID",
"range": "HealthTech_Deadlines!A:J"
}
},
{
"id": "3",
"name": "Classify Urgency",
"type": "n8n-nodes-base.code",
"parameters": {
"jsCode": "const items = $input.all();\nconst now = new Date();\nconst DEADLINE_MAP = {\n 'HIPAA_RISK_ASSESSMENT_ANNUAL': 'HIPAA 45 CFR \u00a7164.308(a)(1) \u2014 annual security risk assessment required',\n 'HIPAA_BAA_REVIEW_ANNUAL': 'HIPAA 45 CFR \u00a7164.504(e) \u2014 annual BAA review for all cloud vendors handling PHI',\n 'HIPAA_BREACH_HHS_60DAY': 'HIPAA 45 CFR \u00a7164.408(b) \u2014 HHS breach notification within 60 days of discovery',\n 'HIPAA_BREACH_ANNUAL_REPORT': 'HIPAA 45 CFR \u00a7164.408(c) \u2014 annual report of small breaches (<500 individuals)',\n 'FTC_HBN_RULE_60DAY': 'FTC 16 CFR Part 318 \u2014 health breach notification within 60 days of discovery (non-HIPAA health apps)',\n 'ONC_INFO_BLOCKING_RESPONSE': 'ONC 45 CFR \u00a7171.103 \u2014 actor must respond to information blocking complaint (IMMEDIATE + documentation)',\n 'FDA_SAMD_510K_SUBMISSION': 'FDA SaMD IMDRF N23 \u2014 510(k) premarket notification before commercial distribution',\n 'FDA_SAMD_ANNUAL_REPORT': 'FDA 21 CFR \u00a7814.84 \u2014 annual PMA report (if PMA approved)',\n 'FDA_MDR_30DAY': 'FDA 21 CFR \u00a7803.50 \u2014 Medical Device Report within 30 days of becoming aware of adverse event',\n 'CMS_PRIOR_AUTH_API_JAN2027': 'CMS Interoperability Final Rule 2024 \u2014 prior authorization FHIR API compliance deadline January 1, 2027',\n 'GDPR_ART9_DPIA_ANNUAL': 'GDPR Art.35 \u2014 DPIA review for health data processing (annual recommended)',\n 'SOC2_TYPE2_ANNUAL': 'SOC2 Type II annual audit \u2014 required for enterprise HealthTech buyers'\n};\nconst alerts = [];\nfor (const item of items) {\n const d = item.json;\n if (!d.deadline_date || !d.deadline_type) continue;\n const deadline = new Date(d.deadline_date);\n const days = Math.ceil((deadline - now) / 86400000);\n let urgency = null;\n if (days < 0) urgency = 'OVERDUE';\n else if (days <= 3) urgency = 'CRITICAL';\n else if (days <= 7) urgency = 'URGENT';\n else if (days <= 14) urgency = 'WARNING';\n else if (days <= 30) urgency = 'NOTICE';\n if (urgency) {\n alerts.push({json: {\n ...d, urgency, days_remaining: days,\n regulation_citation: DEADLINE_MAP[d.deadline_type] || d.deadline_type,\n subject: urgency + ': ' + d.deadline_type + ' \u2014 ' + days + 'd remaining'\n }});\n }\n}\nreturn alerts.length ? alerts : [{json: {skip: true, message: 'No deadlines requiring alert today'}}];"
}
},
{
"id": "4",
"name": "Skip if No Alerts",
"type": "n8n-nodes-base.if",
"parameters": {
"conditions": {
"boolean": [
{
"value1": "={{ $json.skip }}",
"value2": true
}
]
}
}
},
{
"id": "5",
"name": "Gmail Compliance Alert",
"type": "n8n-nodes-base.gmail",
"parameters": {
"toList": "={{ $json.compliance_email }}",
"subject": "={{ $json.subject }}",
"message": "=HealthTech Compliance Alert: {{ $json.urgency }}\n\nDeadline: {{ $json.deadline_type }}\nDue: {{ $json.deadline_date }} ({{ $json.days_remaining }} days)\nRegulation: {{ $json.regulation_citation }}\n\nAccount: {{ $json.company_name }} ({{ $json.tier }})\nOwner: {{ $json.owner_name }}\n\nAction required: {{ $json.action_required }}\n\n\u2014 FlowKit HealthTech Compliance Tracker"
}
},
{
"id": "6",
"name": "Slack Compliance Channel",
"type": "n8n-nodes-base.slack",
"parameters": {
"channel": "#healthtech-compliance-alerts",
"text": "={{ $json.urgency }}: {{ $json.deadline_type }} \u2014 {{ $json.company_name }} \u2014 {{ $json.days_remaining }}d remaining\n{{ $json.regulation_citation }}"
}
}
],
"connections": {
"Daily 7AM UTC": {
"main": [
[
{
"node": "Fetch Deadlines",
"type": "main",
"index": 0
}
]
]
},
"Fetch Deadlines": {
"main": [
[
{
"node": "Classify Urgency",
"type": "main",
"index": 0
}
]
]
},
"Classify Urgency": {
"main": [
[
{
"node": "Skip if No Alerts",
"type": "main",
"index": 0
}
]
]
},
"Skip if No Alerts": {
"main": [
[],
[
{
"node": "Gmail Compliance Alert",
"type": "main",
"index": 0
}
]
]
},
"Gmail Compliance Alert": {
"main": [
[
{
"node": "Slack Compliance Channel",
"type": "main",
"index": 0
}
]
]
}
}
}
Workflow 3: HealthTech API Health Monitor (FHIR / PHI Pipeline / TEFCA / SaMD)
A 5-minute polling monitor across 5 endpoints — EHR FHIR API, RPM device ingestion, ONC TEFCA QHIN API, FDA SaMD validation engine, and HIPAA audit log API — using $getWorkflowStaticData for state change deduplication. Each endpoint carries a compliance annotation: for example, a TEFCA QHIN outage is flagged as a potential ONC information blocking event ($1M/violation).
{
"name": "HealthTech API Health Monitor (FHIR / PHI / TEFCA / FTC / SaMD)",
"nodes": [
{
"id": "1",
"name": "Every 5 Minutes",
"type": "n8n-nodes-base.scheduleTrigger",
"parameters": {
"rule": {
"interval": [
{
"field": "minutes",
"minutesInterval": 5
}
]
}
}
},
{
"id": "2",
"name": "Check All Endpoints",
"type": "n8n-nodes-base.code",
"parameters": {
"jsCode": "const state = $getWorkflowStaticData('global');\nstate.prev = state.prev || {};\nconst endpoints = [\n { key: 'ehr_fhir_api', url: process.env.EHR_FHIR_API_URL || 'https://fhir.your-ehr.com/health', annotation: 'HIPAA PHI transmission \u2014 down means FHIR R4 data exchange interrupted (CMS \u00a7170.315(g)(10) obligation)' },\n { key: 'rpm_device_ingestion', url: process.env.RPM_DEVICE_URL || 'https://rpm.yourplatform.com/ingest/health', annotation: 'RPM vital sign stream \u2014 down means patient alert pipeline broken (potential patient safety event)' },\n { key: 'tefca_qhin_api', url: process.env.TEFCA_QHIN_URL || 'https://qhin.yourplatform.com/health', annotation: 'ONC TEFCA QHIN \u2014 down means information blocking risk (45 CFR \u00a7171.103 \u2014 $1M/violation)' },\n { key: 'fda_samd_validation', url: process.env.FDA_SAMD_URL || 'https://samd.yourplatform.com/validation/health', annotation: 'FDA SaMD clinical decision engine \u2014 down means clinical recommendations unavailable (SaMD malfunction event)' },\n { key: 'hipaa_audit_log', url: process.env.HIPAA_AUDIT_URL || 'https://audit.yourplatform.com/health', annotation: 'HIPAA \u00a7164.312(b) audit log \u2014 down means PHI access events not being recorded (audit trail gap)' }\n];\nconst results = [];\nfor (const ep of endpoints) {\n try {\n const r = await $helpers.httpRequest({ method: 'GET', url: ep.url, timeout: 10000 });\n const status = (r.status === 'ok' || r.healthy === true) ? 'UP' : 'DEGRADED';\n const prev = state.prev[ep.key] || 'UP';\n const changed = status !== prev;\n state.prev[ep.key] = status;\n results.push({ json: { ...ep, status, prev_status: prev, changed, ts: new Date().toISOString() } });\n } catch (e) {\n const prev = state.prev[ep.key] || 'UP';\n state.prev[ep.key] = 'DOWN';\n results.push({ json: { ...ep, status: 'DOWN', prev_status: prev, changed: prev !== 'DOWN', error: e.message, ts: new Date().toISOString() } });\n }\n}\nreturn results;"
}
},
{
"id": "3",
"name": "State Changed?",
"type": "n8n-nodes-base.if",
"parameters": {
"conditions": {
"boolean": [
{
"value1": "={{ $json.changed }}",
"value2": true
}
]
}
}
},
{
"id": "4",
"name": "Slack Health Alert",
"type": "n8n-nodes-base.slack",
"parameters": {
"channel": "#healthtech-ops-alerts",
"text": "={{ $json.status === 'DOWN' ? '\ud83d\udd34' : $json.status === 'DEGRADED' ? '\ud83d\udfe1' : '\ud83d\udfe2' }} {{ $json.key }} \u2192 {{ $json.status }} (was {{ $json.prev_status }})\n{{ $json.annotation }}\nError: {{ $json.error || 'none' }}"
}
}
],
"connections": {
"Every 5 Minutes": {
"main": [
[
{
"node": "Check All Endpoints",
"type": "main",
"index": 0
}
]
]
},
"Check All Endpoints": {
"main": [
[
{
"node": "State Changed?",
"type": "main",
"index": 0
}
]
]
},
"State Changed?": {
"main": [
[
{
"node": "Slack Health Alert",
"type": "main",
"index": 0
}
],
[]
]
}
}
}
Workflow 4: HIPAA Breach / FTC HBN / ONC Information Blocking Incident Pipeline
A webhook-triggered incident pipeline handling 8 incident types with pre-computed compliance deadlines, required action lists, and regulatory citations. Key incident types:
- HIPAA_PHI_UNAUTHORIZED_ACCESS → 60-day HHS + patient notification clock from discovery timestamp
- FTC_HBN_HEALTH_DATA_BREACH → 60-day FTC notification from discovery (applies to non-HIPAA health apps)
- ONC_INFO_BLOCKING_COMPLAINT → IMMEDIATE acknowledgment required ($1M/violation)
- FDA_SAMD_ADVERSE_EVENT → 30-day MDR (21 CFR §803.50) from awareness of malfunction
- PHI_IN_CLOUD_AUTOMATION_LOG → 4-hour IMMEDIATE — PHI in cloud iPaaS log = unauthorized disclosure
- GDPR_ART9_HEALTH_DATA_BREACH → 72-hour supervisory authority notification (Art.33)
The pipeline writes the discovery_ts to Postgres at the moment of webhook receipt — before any human reviews the incident.
{
"name": "HIPAA Breach / FTC HBN / ONC Information Blocking Incident Pipeline",
"nodes": [
{
"id": "1",
"name": "Incident Webhook",
"type": "n8n-nodes-base.webhook",
"parameters": {
"path": "healthtech-incident",
"httpMethod": "POST"
}
},
{
"id": "2",
"name": "Classify Incident",
"type": "n8n-nodes-base.code",
"parameters": {
"jsCode": "const d = $input.first().json;\nconst now = new Date();\nconst INCIDENT_MAP = {\n 'HIPAA_PHI_UNAUTHORIZED_ACCESS': {\n sla_hours: null, sla_days: 60, clock: '60-day HHS + patient notification from discovery (45 CFR \u00a7164.408(b))',\n actions: ['quarantine_phi_record', 'notify_privacy_officer', 'begin_breach_risk_assessment', 'log_discovery_timestamp'],\n note: 'Discovery = when any employee OR system first detected unauthorized access. Platform webhook receipt timestamp IS the discovery evidence.'\n },\n 'FTC_HBN_HEALTH_DATA_BREACH': {\n sla_hours: null, sla_days: 60, clock: '60-day FTC notification from discovery (16 CFR Part 318) \u2014 applies to non-HIPAA health apps and wearables',\n actions: ['notify_ftc_web_form', 'notify_affected_individuals', 'log_discovery_timestamp'],\n note: 'FTC Health Breach Notification Rule applies to PHR vendors and health app developers NOT covered by HIPAA. Clock starts at discovery.'\n },\n 'ONC_INFO_BLOCKING_COMPLAINT': {\n sla_hours: 72, sla_days: null, clock: 'IMMEDIATE acknowledgment required \u2014 $1M/violation civil penalty per OIG (21st Century Cures Act \u00a74004)',\n actions: ['acknowledge_request', 'document_exception_applicability', 'begin_response_workflow'],\n note: 'Information blocking = any practice that interferes with access/exchange/use of EHI without valid exception. 8 regulatory exceptions exist.'\n },\n 'FDA_SAMD_ADVERSE_EVENT': {\n sla_hours: null, sla_days: 30, clock: '30-day MDR submission (FDA 21 CFR \u00a7803.50) \u2014 from date of awareness of device malfunction',\n actions: ['quarantine_affected_algorithm_version', 'notify_fda_medwatch', 'begin_capa'],\n note: 'If SaMD clinical recommendation contributed to patient harm or malfunction, MDR required within 30 days.'\n },\n 'HIPAA_BAA_VENDOR_BREACH': {\n sla_hours: null, sla_days: 60, clock: '60-day notification to covered entity from BA discovery (45 CFR \u00a7164.410)',\n actions: ['notify_covered_entity_contacts', 'produce_breach_risk_assessment', 'update_baa_incident_log'],\n note: 'Business associate must notify covered entity without unreasonable delay and no later than 60 days of discovery.'\n },\n 'PHI_IN_CLOUD_AUTOMATION_LOG': {\n sla_hours: 4, sla_days: null, clock: 'IMMEDIATE \u2014 PHI appearing in cloud iPaaS execution log is unauthorized disclosure (45 CFR \u00a7164.502)',\n actions: ['purge_phi_from_log', 'quarantine_workflow_run', 'notify_privacy_officer', 'assess_breach_risk'],\n note: 'Cloud iPaaS execution logs that contain PHI field values are unauthorized disclosures to the vendor. This is a common source of HIPAA violations in automation platforms.'\n },\n 'GDPR_ART9_HEALTH_DATA_BREACH': {\n sla_hours: 72, sla_days: null, clock: '72-hour supervisory authority notification (GDPR Art.33) \u2014 for EU health data breaches',\n actions: ['notify_lead_sa', 'assess_risk_to_data_subjects', 'document_breach_register'],\n note: 'Art.9 health data breaches carry higher risk assessment threshold. 72h clock from awareness, not from discovery of full scope.'\n },\n 'CMS_PRIOR_AUTH_FHIR_OUTAGE': {\n sla_hours: 4, sla_days: null, clock: 'IMMEDIATE \u2014 CMS Interoperability Rule \u00a7170.315(g)(10) API downtime must be logged with reason and duration',\n actions: ['document_outage_start_ts', 'notify_affected_payer_partners', 'escalate_to_oncall'],\n note: 'CMS requires documentation of API availability. Extended outages affecting prior authorization determinations must be logged for CMS audit.'\n }\n};\nconst type = d.incident_type || 'UNKNOWN';\nconst config = INCIDENT_MAP[type] || { sla_hours: 24, clock: 'Unknown incident type \u2014 treat as 24h default', actions: ['investigate'], note: '' };\nconst deadline_ts = config.sla_hours\n ? new Date(now.getTime() + config.sla_hours * 3600000).toISOString()\n : new Date(now.getTime() + config.sla_days * 86400000).toISOString();\nreturn [{json: {\n ...d, incident_config: config, type, discovery_ts: now.toISOString(),\n deadline_ts, deadline_label: config.clock, incident_note: config.note\n}}];"
}
},
{
"id": "3",
"name": "Postgres Incident Audit",
"type": "n8n-nodes-base.postgres",
"parameters": {
"operation": "insert",
"table": "healthtech_incident_log",
"columns": "incident_type,company_name,discovery_ts,deadline_ts,clock_label,actions_json,raw_payload",
"values": "={{ $json.type }},={{ $json.company_name }},={{ $json.discovery_ts }},={{ $json.deadline_ts }},={{ $json.deadline_label }},={{ JSON.stringify($json.incident_config.actions) }},={{ JSON.stringify($json) }}"
}
},
{
"id": "4",
"name": "Slack Incident Alert",
"type": "n8n-nodes-base.slack",
"parameters": {
"channel": "#healthtech-incidents",
"text": "=\ud83d\udea8 {{ $json.type }}: {{ $json.company_name }}\nClock: {{ $json.deadline_label }}\nDeadline: {{ $json.deadline_ts }}\nActions: {{ $json.incident_config.actions.join(' \u2192 ') }}\nNote: {{ $json.incident_note }}"
}
},
{
"id": "5",
"name": "Privacy Officer Email",
"type": "n8n-nodes-base.gmail",
"parameters": {
"toList": "={{ $json.privacy_officer_email || $json.compliance_email }}",
"subject": "=INCIDENT: {{ $json.type }} \u2014 {{ $json.company_name }} \u2014 clock: {{ $json.deadline_label }}",
"message": "=HealthTech Compliance Incident\n\nType: {{ $json.type }}\nCompany: {{ $json.company_name }}\nDiscovery timestamp: {{ $json.discovery_ts }}\nCompliance deadline: {{ $json.deadline_ts }}\nRegulatory clock: {{ $json.deadline_label }}\n\nRequired actions:\n{{ $json.incident_config.actions.map((a, i) => (i+1) + '. ' + a).join('\\n') }}\n\nCompliance note: {{ $json.incident_note }}\n\nThis incident has been logged with discovery_ts = {{ $json.discovery_ts }}. All subsequent regulatory notifications must reference this timestamp as the discovery date.\n\n\u2014 FlowKit HealthTech Incident Pipeline"
}
}
],
"connections": {
"Incident Webhook": {
"main": [
[
{
"node": "Classify Incident",
"type": "main",
"index": 0
}
]
]
},
"Classify Incident": {
"main": [
[
{
"node": "Postgres Incident Audit",
"type": "main",
"index": 0
}
]
]
},
"Postgres Incident Audit": {
"main": [
[
{
"node": "Slack Incident Alert",
"type": "main",
"index": 0
},
{
"node": "Privacy Officer Email",
"type": "main",
"index": 0
}
]
]
}
}
}
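The PHI_IN_CLOUD_AUTOMATION_LOG branch treats PHI field values in an execution log as an unauthorized disclosure, yet the "Postgres Incident Audit" node above persists the whole webhook payload as raw_payload. The following is an added example, not part of the FlowKit workflows, of a redaction step that could run in a Code node between "Classify Incident" and the audit insert; the PHI field names, the value patterns and the sample payload are assumptions constructed for the example.

```javascript
// Added example (not FlowKit code): strip PHI from an incident payload before it
// is written to the healthtech_incident_log row, recording WHERE PHI appeared
// rather than WHAT it was. Field names and patterns are assumptions.
const PHI_FIELDS = new Set([
  'patient_name', 'first_name', 'last_name', 'dob', 'date_of_birth', 'ssn',
  'mrn', 'diagnosis', 'icd10_code', 'patient_phone', 'patient_email', 'address',
]);

// Value-shape checks for PHI hiding in free-text fields such as debug output.
// The g flag is required: matchAll needs it, and replace then hits every occurrence.
const PHI_PATTERNS = [
  { label: 'SSN', re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { label: 'MRN', re: /\bMRN[:#\s]*\d{6,}\b/gi },
];

// Recursively copy `value`, replacing PHI with a [REDACTED:...] marker and
// collecting a finding (JSON path + reason) for each replacement. The input
// object is never mutated.
function redactPhi(value) {
  const findings = [];
  const walk = (v, path) => {
    if (Array.isArray(v)) return v.map((item, i) => walk(item, `${path}[${i}]`));
    if (v !== null && typeof v === 'object') {
      const out = {};
      for (const [key, child] of Object.entries(v)) {
        const childPath = path ? `${path}.${key}` : key;
        if (PHI_FIELDS.has(key.toLowerCase())) {
          findings.push({ path: childPath, reason: 'phi_field_name' });
          out[key] = `[REDACTED:${key}]`;
        } else {
          out[key] = walk(child, childPath);
        }
      }
      return out;
    }
    if (typeof v === 'string') {
      let s = v;
      for (const { label, re } of PHI_PATTERNS) {
        const hits = [...s.matchAll(re)].length;
        if (hits > 0) {
          findings.push({ path, reason: `pattern:${label}`, hits });
          s = s.replace(re, `[REDACTED:${label}]`);
        }
      }
      return s;
    }
    return v; // numbers, booleans and null pass through unchanged
  };
  return { redacted: walk(value, ''), findings };
}

// Shape mirrors the Workflow 4 audit columns; raw_payload is the redacted copy,
// and the finding paths tell the privacy officer which fields to chase upstream.
function buildAuditRow(incident, discoveryTs) {
  const { redacted, findings } = redactPhi(incident);
  return {
    incident_type: incident.incident_type,
    company_name: incident.company_name,
    discovery_ts: discoveryTs,
    phi_redactions: findings.length,
    phi_paths: findings.map(f => f.path),
    raw_payload: JSON.stringify(redacted),
  };
}

// Constructed sample: a PHI_IN_CLOUD_AUTOMATION_LOG report whose debug text
// carries an SSN, with PHI both in named fields and inside a nested array.
const SAMPLE_INCIDENT = {
  incident_type: 'PHI_IN_CLOUD_AUTOMATION_LOG',
  company_name: 'Example RPM Co',
  compliance_email: 'privacy@example-rpm.test',
  details: {
    workflow_run_id: 'run-000123',
    debug: 'step 3 output: record for SSN 123-45-6789 flagged',
    patient_name: 'John Q Sample',
    readings: [{ device: 'bp-cuff-17', mrn: '00442211', systolic: 152 }],
  },
};

const row = buildAuditRow(SAMPLE_INCIDENT, new Date().toISOString());
console.log(JSON.stringify(row, null, 2));
```

Shape patterns only catch values that look like identifiers; a patient name written into free text is not caught, so the field allow-list has to be maintained against the schemas your webhooks actually emit.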
Workflow 5: Weekly HealthTech Platform KPI Dashboard
A Monday 8AM report covering accounts by tier, total ARR, total patient accounts, RPM/SaMD/TEFCA account counts, and compliance events from the previous 7 days. Sends HTML email to CEO with BCC to CISO and Privacy Officer.
{
"name": "Weekly HealthTech Platform KPI Dashboard",
"nodes": [
{
"id": "1",
"name": "Monday 8AM ET",
"type": "n8n-nodes-base.scheduleTrigger",
"parameters": {
"rule": {
"interval": [
{
"field": "cronExpression",
"expression": "0 13 * * 1"
}
]
}
}
},
{
"id": "2",
"name": "Fetch Accounts by Tier",
"type": "n8n-nodes-base.postgres",
"parameters": {
"operation": "executeQuery",
"query": "SELECT tier, COUNT(*) as count, SUM(arr_usd) as arr_total, SUM(patient_accounts) as total_patients FROM healthtech_accounts WHERE status='active' GROUP BY tier ORDER BY arr_total DESC"
}
},
{
"id": "3",
"name": "Fetch Compliance Events",
"type": "n8n-nodes-base.postgres",
"parameters": {
"operation": "executeQuery",
"query": "SELECT incident_type, COUNT(*) as count FROM healthtech_incident_log WHERE created_at >= NOW() - INTERVAL '7 days' GROUP BY incident_type ORDER BY count DESC"
}
},
{
"id": "4",
"name": "Build KPI Report",
"type": "n8n-nodes-base.code",
"parameters": {
"jsCode": "const accounts = $('Fetch Accounts by Tier').all().map(i => i.json);\nconst incidents = $('Fetch Compliance Events').all().map(i => i.json);\nconst totalArr = accounts.reduce((s, a) => s + parseFloat(a.arr_total || 0), 0);\nconst totalPatients = accounts.reduce((s, a) => s + parseInt(a.total_patients || 0), 0);\nconst rpmCount = accounts.filter(a => a.tier === 'RPM_PLATFORM_SAAS').length;\nconst samdCount = accounts.filter(a => ['CLINICAL_DECISION_SUPPORT','DIGITAL_THERAPEUTICS'].includes(a.tier)).length;\nconst tefcaCount = accounts.filter(a => a.tier === 'POPULATION_HEALTH_SAAS').length;\nconst totalIncidents = incidents.reduce((s, i) => s + parseInt(i.count || 0), 0);\nconst hipaaBreaches = incidents.filter(i => i.incident_type.includes('HIPAA')).reduce((s, i) => s + parseInt(i.count || 0), 0);\nconst rows = accounts.map(a =>\n '<tr><td style=\"padding:4px 8px\">' + a.tier + '</td><td style=\"padding:4px 8px;text-align:right\">' + a.count + '</td><td style=\"padding:4px 8px;text-align:right\">$' + (parseInt(a.arr_total || 0)).toLocaleString() + '</td><td style=\"padding:4px 8px;text-align:right\">' + (parseInt(a.total_patients || 0)).toLocaleString() + '</td></tr>'\n).join('');\nconst incidentRows = incidents.map(i =>\n '<tr><td style=\"padding:4px 8px\">' + i.incident_type + '</td><td style=\"padding:4px 8px;text-align:right\">' + i.count + '</td></tr>'\n).join('');\nconst html = '<h2>HealthTech Weekly KPI</h2>' +\n '<p>Period: Last 7 days | Generated: ' + new Date().toISOString() + '</p>' +\n '<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" style=\"border-collapse:collapse\">' +\n '<tr style=\"background:#f0f0f0\"><th style=\"padding:4px 8px\">Tier</th><th style=\"padding:4px 8px\">Accounts</th><th style=\"padding:4px 8px\">ARR</th><th style=\"padding:4px 8px\">Patient Accounts</th></tr>' +\n rows + '</table>' +\n '<p><strong>Total ARR:</strong> $' + totalArr.toLocaleString() + ' | <strong>Total Patients:</strong> ' + totalPatients.toLocaleString() + ' | <strong>RPM Accounts:</strong> ' + rpmCount + ' | <strong>SaMD Accounts:</strong> ' + samdCount + ' | <strong>TEFCA Participants:</strong> ' + tefcaCount + '</p>' +\n '<h3>Compliance Events (last 7 days)</h3>' +\n '<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" style=\"border-collapse:collapse\">' +\n '<tr style=\"background:#f0f0f0\"><th style=\"padding:4px 8px\">Incident Type</th><th style=\"padding:4px 8px\">Count</th></tr>' +\n incidentRows + '</table>' +\n '<p><strong>Total incidents:</strong> ' + totalIncidents + ' | <strong>HIPAA-related:</strong> ' + hipaaBreaches + '</p>';\nreturn [{json: { html, totalArr, totalPatients, totalIncidents, hipaaBreaches }}];"
}
},
{
"id": "5",
"name": "Gmail KPI Report",
"type": "n8n-nodes-base.gmail",
"parameters": {
"toList": "ceo@yourcompany.com",
"bcc": "ciso@yourcompany.com,privacy@yourcompany.com",
"subject": "=HealthTech Weekly KPI \u2014 ARR ${{ $json.totalArr.toLocaleString() }} \u2014 {{ $json.totalIncidents }} compliance events",
"message": "={{ $json.html }}",
"options": {
"ccList": "",
"appendAttribution": false
}
}
}
],
"connections": {
"Monday 8AM ET": {
"main": [
[
{
"node": "Fetch Accounts by Tier",
"type": "main",
"index": 0
},
{
"node": "Fetch Compliance Events",
"type": "main",
"index": 0
}
]
]
},
"Fetch Accounts by Tier": {
"main": [
[
{
"node": "Build KPI Report",
"type": "main",
"index": 0
}
]
]
},
"Fetch Compliance Events": {
"main": [
[
{
"node": "Build KPI Report",
"type": "main",
"index": 0
}
]
]
},
"Build KPI Report": {
"main": [
[
{
"node": "Gmail KPI Report",
"type": "main",
"index": 0
}
]
]
}
}
}
Why Self-Hosted n8n Closes the HIPAA BAA Problem
1. No cloud iPaaS business associate to sign a BAA with. With self-hosted n8n running inside your HIPAA security boundary, PHI never leaves your infrastructure for the automation step itself, so there is no Zapier- or Make-style vendor executing your workflows and no BAA to negotiate with one. Two caveats a practitioner should keep in view: if "self-hosted" means a VM or container at a cloud provider, that provider still stores ePHI on your behalf and is a business associate (HHS's cloud computing guidance treats a CSP holding ePHI as a business associate even when the data is encrypted and the CSP has no key), and any SaaS a workflow sends PHI to, such as an email or ticketing service, is a business associate too. Self-hosting removes the automation middleman; it does not remove the need to inventory every downstream recipient of PHI.
2. Discovery evidence is in your own logs. When a HIPAA breach occurs, the 60-day clock starts at discovery, and the record that establishes that date is the execution log. With self-hosted n8n, execution data lives in your Postgres database under your retention policy, not in a third-party vendor's log infrastructure that becomes HHS evidence you cannot control. The check that matters: by default n8n persists each node's full input and output for every execution, so any PHI a workflow touches is written to that database. Treat the execution tables as ePHI at rest (encrypted storage, restricted access, an explicit pruning window), not as ordinary application logs.
3. ONC information blocking audit trail stays in your boundary. If OIG investigates an information blocking complaint, the timestamps showing when your system received the patient's access request and when you fulfilled it are in your infrastructure, not in a cloud vendor's logs outside your security perimeter. Those timestamps only help if they survive: make sure execution records are retained, or exported to an audit store, for at least as long as a regulator could ask about them.
4. FDA SaMD validation evidence stays with you. For FDA SaMD vendors, the clinical algorithm validation audit trail under the production and process controls of 21 CFR §820.70 must be under the device manufacturer's control. If cloud iPaaS execution logs contain SaMD decision data, those logs become part of the quality system records the manufacturer must control, and they sit on vendor infrastructure the manufacturer does not control.
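Points 2 and 3 only hold if the self-hosted deployment actually pins execution data to your own database and your own retention window. The docker-compose fragment below is an added example, not one of the page's workflows or n8n project documentation: the service names, the secrets placeholders, the Postgres image tag and the 90-day window are assumptions, while the environment variable names are n8n's documented settings.

```yaml
# Added example: self-hosted n8n with execution data in your own Postgres and an
# explicit retention policy. Service names, placeholders and the retention window
# are assumptions; the N8N_*/EXECUTIONS_*/DB_* variable names are n8n's own.
services:
  n8n:
    image: n8nio/n8n
    restart: unless-stopped
    environment:
      # Execution data (timestamps, status, and each node's input/output) is written
      # here instead of the default SQLite file on a volume.
      DB_TYPE: postgresdb
      DB_POSTGRESDB_HOST: postgres
      DB_POSTGRESDB_PORT: "5432"
      DB_POSTGRESDB_DATABASE: n8n
      DB_POSTGRESDB_USER: n8n
      DB_POSTGRESDB_PASSWORD: ${N8N_DB_PASSWORD}      # from a .env file or secrets manager
      # Stored credentials are encrypted with this key; keep it out of the compose file
      # and back it up separately, or every credential in the database is unreadable.
      N8N_ENCRYPTION_KEY: ${N8N_ENCRYPTION_KEY}
      # Weak setting this replaces: leaving these at their defaults and never deciding.
      # "all" keeps the execution record the information-blocking audit trail needs, at
      # the cost of persisting node I/O (PHI included), which is why this DB is ePHI at
      # rest. "none" stops persisting that data; check what survives in your version
      # before relying on it for the audit timestamps.
      EXECUTIONS_DATA_SAVE_ON_SUCCESS: all
      EXECUTIONS_DATA_SAVE_ON_ERROR: all
      EXECUTIONS_DATA_SAVE_MANUAL_EXECUTIONS: "false"  # test runs should not persist PHI
      # Prune on a window you chose (hours; 2160 = 90 days, an assumed value), and cap
      # the row count so a runaway workflow cannot grow the evidence store unbounded.
      EXECUTIONS_DATA_PRUNE: "true"
      EXECUTIONS_DATA_MAX_AGE: "2160"
      EXECUTIONS_DATA_PRUNE_MAX_COUNT: "50000"
      # Verbose logging writes more workflow detail to stdout/files, which sit outside
      # the execution database's retention policy; keep production at info.
      N8N_LOG_LEVEL: info
    depends_on:
      - postgres
    ports:
      - "127.0.0.1:5678:5678"   # reverse proxy with TLS in front; never expose directly
  postgres:
    image: postgres:16
    restart: unless-stopped
    environment:
      POSTGRES_DB: n8n
      POSTGRES_USER: n8n
      POSTGRES_PASSWORD: ${N8N_DB_PASSWORD}
    volumes:
      - n8n_pg:/var/lib/postgresql/data   # encrypt this volume: execution data is ePHI at rest
volumes:
  n8n_pg: {}
```

The retention window and the save-on-success choice are the two knobs that decide whether the execution database is an asset (a complete, self-controlled audit trail) or a liability (an unbounded store of PHI); set both deliberately rather than inheriting defaults, and record the decision in your HIPAA risk analysis.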
These workflows are available in the FlowKit n8n Template Store. Import-ready JSON — no vendor lock-in, runs on your own infrastructure.