Before You Share ePHI: How to Screen a Vendor for HIPAA Compliance

  • gillisangela
  • Jun 2
  • 4 min read

Not all tools are HIPAA-compliant—do you know what your software is doing with patient data?


When you're a healthcare provider, choosing the right vendor isn't just about features or pricing: it's about protecting your patients' data and staying compliant with HIPAA. Yet many small practices tell me the same thing: “I looked at their website, and I still have no idea if they’re HIPAA compliant.” You're not alone! Most vendor websites aren't built with HIPAA transparency in mind. But here’s how you can cut through the marketing language and get the information you need.


1. Look for HIPAA-specific language


If a vendor handles any electronic protected health information (ePHI)—like patient names, emails, appointment data, or health records—you’ll want to see more than a generic privacy policy. Look for the following; if you don’t see it, assume it’s not covered, and ask directly.


  • References to HIPAA compliance

  • Mention of Business Associate Agreements (BAAs)

  • Specifics about how ePHI is secured or encrypted


2. Ask for a Business Associate Agreement (BAA)


A HIPAA-compliant vendor must be willing to sign a BAA. This legal document outlines how they’ll safeguard ePHI and what happens if there’s a breach. You can ask: “Can you provide a sample BAA or confirm that you sign BAAs for HIPAA-covered clients?” If they hesitate or say no, that’s a sign to walk away.


3. Ask how they protect data


You don’t need a deep technical answer, but you do need clear, confident responses that show the vendor understands their responsibilities under HIPAA. Ask questions like:


  • How is data encrypted? (e.g., AES-256, TLS 1.2+)

  • What authentication measures are in place? (unique logins, MFA, role-based access)

  • How often are systems updated or patched?

  • Who at your company has access to ePHI—and why?

  • Do you have audit logging and incident response in place?


You don’t need to know how the encryption works, but you do need to know that it’s being done properly, and that they have policies and practices in place to protect your data at every stage. If a vendor struggles to answer these questions or gives you vague reassurances, that’s a red flag.


4. Check if they’ve been breached


You can check for known breaches by visiting the official HHS OCR Breach Portal: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf


Important caveat: The portal only lists the covered entity that reported the breach, even if the actual breach occurred at a business associate. It does not name the business associate involved.


This is a significant gap in transparency. It means that even if a vendor has caused multiple ePHI breaches, there’s currently no official government site where you can search by their name to find out.


What you can do: Use the portal to see if the covered entities you work with have reported any major breaches. When reviewing vendors, ask directly: “Have you ever experienced a data breach involving ePHI? If so, how was it handled and disclosed?”


5. Use a vendor screening checklist


Use a formal checklist (you can find a sample checklist below) or ask:


  • Do you sign BAAs?

  • How do you encrypt ePHI?

  • Do you have an incident response plan?

  • Where is data stored? Who has access to it?

  • How do you train your team on HIPAA?


Even a short conversation like this helps you document good-faith due diligence.


Coming Soon: 2025 HIPAA Security Rule Updates


HHS is planning significant updates to the HIPAA Security Rule. While not finalized yet, covered entities and business associates are expected to:


  • Conduct and document vendor-specific risk assessments

  • Create and maintain a written incident response plan

  • Use stronger, standards-based encryption

  • Ensure your workforce—and vendors—complete cybersecurity training

  • Maintain audit logs and restrict endpoint access to ePHI


What You Can Do Now:


  • Review your vendor list

  • Start using a vendor vetting checklist

  • Confirm vendors are prepared to sign and uphold a BAA

  • Ask about their incident response plan

  • Update your documentation now—before it’s mandatory

 

HIPAA Vendor Vetting Checklist

☐ Does the vendor handle ePHI? If yes, continue.

☐ Do they explicitly state HIPAA compliance on their site or in writing?

☐ Will they sign a Business Associate Agreement (BAA)?

☐ Is ePHI encrypted both at rest and in transit using current standards (e.g., AES-256, TLS 1.2+)?

☐ Do they use multi-factor authentication (MFA) and role-based access control?

☐ How often do they update and patch their systems?

☐ Who on their team has access to ePHI, and how is access monitored?

☐ Do they maintain audit logs and incident detection capabilities?

☐ Do they have a documented incident response and breach notification plan?

☐ Have they had any known data breaches? If so, how did they handle them?

☐ Do they conduct regular HIPAA training for their staff?

☐ Can they provide documentation to support their answers (e.g., a security policy summary)?

☐ Do you have notes or screenshots of the conversation for your records?

☐ If the vendor mentions HITRUST, SOC 2, or ISO 27001 certification, ask for documentation or a summary of the findings. If they are hesitant to provide documentation, that is a sign to walk away.



Ready to Stop Guessing and Start Protecting?


If you're feeling overwhelmed by HIPAA requirements or unsure if your vendors are up to par, let’s talk. Choosing HIPAA-compliant tools is too important to leave to guesswork, and vendor websites don’t always make it easy to understand what you're really getting.


If you're evaluating software or services and want to make sure you're protecting patient data, book a free 30-minute call to see if we can help with what you need.
