Consider this scenario; you are a Chief Information Security Officer (CISO) for a major university hospital system, with over 10 years of experience working with protected health information (PHI) under the following:

HIPAA Privacy Rule (“protecting the type of data while communicated”)
HIPAA Security Rule (“protecting the security of the data”)

The research department is bidding on a multi-million-dollar, multi-year contract with the Department of Defense (DoD) to research an advanced medical technology. The project requires clinical trials with patients to determine the effects of the technology on humans.

The vice president of research comes to the Chief Compliance Officer (CCO) and you with a request to review the compliance requirements within the request for proposal (RFP) and to determine compliance readiness.

You may be thinking that the hospital must meet both CMMC and HIPAA compliance requirements. And if you are thinking that way, then you are correct. But why should you care, and how do you link the two?