System of Record for Vendor Approval
Brendan Keeler, Senior PM at Zus Health, on building infrastructure for digital health
The bottleneck is not clinical demand; it is hospital procurement plumbing. In healthcare, a doctor can want a tool, but before anyone uses it the vendor often has to be classified, security reviewed, and put under a business associate agreement if it touches patient data. That turns a simple software trial into a cross-functional workflow across legal, compliance, IT, and procurement, which is why spreadsheets and email chains can kill adoption even when the product is clearly useful.
- Under HIPAA, a software vendor becomes a business associate when it creates, receives, maintains, or transmits protected health information on behalf of a covered entity. That is why contracts and security review sit in front of product usage, not after it.
- The missing product is a system of record for vendor approval. Instead of each request starting as a custom questionnaire and legal redline, the hospital would keep a live inventory of apps, standard answers on hosting and data access, reusable security evidence, and status tracking for each requested deployment.
- This is the same friction that pushes many health tech startups away from selling to large provider systems and toward digital health companies or small practices first. Once EHR integration and business associate review enter the picture, the sale behaves like enterprise software, not normal SaaS.
The next wave of healthcare infrastructure is likely to target approval speed as much as interoperability. Companies that make vendor intake, security review, and business associate contracting programmable will shorten time to launch, help hospitals adopt better tools faster, and become core middleware between clinical demand and actual software deployment.