Compliance | 6 min read

A pragmatic HIPAA checklist for care-management vendors.

What to ask any vendor that handles PHI in your care-management stack, with a downloadable scorecard.

Every vendor in a care-management stack claims to be "HIPAA compliant." The phrase means little on its own: there is no official HIPAA certification, and HIPAA is a set of obligations, not a badge. What matters is whether a vendor can show you, concretely, how they meet those obligations for the protected health information you would be entrusting to them. Use the questions below as a working checklist when you evaluate anyone who will touch PHI.

Contracts and accountability

  • Will they sign a Business Associate Agreement (BAA) without carve-outs that shift breach liability back to you?
  • Can they name their subprocessors — the cloud, analytics, and support vendors who may also touch PHI — and confirm each is under its own BAA?
  • Do they carry cyber-liability insurance, and will they share the coverage summary?

Technical safeguards

  • Is PHI encrypted in transit (TLS 1.2 or later, with older protocol versions disabled) and at rest (AES-256 or equivalent), and are backups and exports covered by the same controls?
  • Is access role-based and least-privilege, so a billing user can't read clinical notes they don't need, and is that enforced server-side rather than only hidden in the UI?
  • Is every read, write, and export of PHI captured in an append-only, tamper-evident audit log you can review, and how long is it retained?
  • How are secrets and encryption keys managed (who holds them, how they are rotated), and which staff can access production data, under what approval?
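The two controls in the middle of that list are the ones a vendor should be able to demonstrate rather than describe. As an added illustration (not code from the article or from any vendor it discusses), here is a small model of server-side role-based access to PHI with every decision, allowed or denied, written to a hash-chained audit log. Any edit or deletion of an entry breaks the chain, which is what "immutable" should mean in practice. The policy, roles, and record types are hypothetical.

```python
"""Added example: least-privilege access checks plus a tamper-evident audit
log. Roles, resources and actors below are hypothetical placeholders."""
import hashlib
import json
from dataclasses import dataclass, field

# Hypothetical policy: role -> resource -> permitted actions.
# A billing user has no entry for clinical_notes at all, so the check
# fails closed for that resource.
POLICY = {
    "billing": {"demographics": {"read"}, "claims": {"read", "write"}},
    "clinician": {"demographics": {"read"}, "clinical_notes": {"read", "write"}},
    "auditor": {"audit_log": {"read"}},
}

GENESIS = "0" * 64  # previous-hash value for the first entry


def _digest(body: dict) -> str:
    """Canonical JSON so the same entry always hashes the same way."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class AuditLog:
    """Append-only log. Each entry commits to the previous entry's hash,
    so editing, deleting or reordering any entry breaks verify()."""
    entries: list = field(default_factory=list)

    def append(self, actor: str, role: str, resource: str,
               action: str, allowed: bool) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"actor": actor, "role": role, "resource": resource,
                "action": action, "allowed": allowed, "prev": prev}
        entry = {**body, "hash": _digest(body)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        """Recompute the chain from the start; False on any tampering."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def access_phi(log: AuditLog, actor: str, role: str,
               resource: str, action: str) -> bool:
    """Server-side authorization decision. Denials are logged too: a
    billing user probing for clinical notes is exactly what a reviewer
    wants to see in the audit trail."""
    allowed = action in POLICY.get(role, {}).get(resource, set())
    log.append(actor, role, resource, action, allowed)
    return allowed


def demo() -> dict:
    """Exercise the policy and show that tampering is detected."""
    log = AuditLog()
    results = {
        "billing_reads_notes": access_phi(log, "b.user", "billing", "clinical_notes", "read"),
        "billing_reads_claims": access_phi(log, "b.user", "billing", "claims", "read"),
        "clinician_writes_notes": access_phi(log, "dr.x", "clinician", "clinical_notes", "write"),
        "unknown_role": access_phi(log, "svc", "intern", "demographics", "read"),
        "chain_ok_before": log.verify(),
    }
    # Simulate an insider rewriting history: flip the first denial to "allowed".
    log.entries[0]["allowed"] = True
    results["chain_ok_after_edit"] = log.verify()
    log.entries[0]["allowed"] = False      # restore, then delete a middle entry
    del log.entries[1]
    results["chain_ok_after_delete"] = log.verify()
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Ask the vendor for the equivalent of `verify()` over a real export of their audit log, and for a denied-access event in that export; a product that only logs successful reads has not met the bullet.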

Operational maturity

  • Do they hold a current SOC 2 Type II report (which attests that controls operated over a period, not just that they were designed), and will they share it under NDA?
  • When was their last third-party penetration test, and can they share the scope and the remediation summary?
  • What is their breach-notification commitment? HIPAA's Breach Notification Rule only requires a business associate to notify you without unreasonable delay and no later than 60 days after discovery; put a much shorter window, in hours or days, in the BAA.
  • Where is data hosted, and can they keep it in-region if you have data-residency requirements?

Your data, on your terms

  • Can you export your data in a standard, machine-readable format on demand — not just at offboarding?
  • What is the documented retention and secure-deletion policy when you terminate?
  • Do they ever use your PHI to train models or for any purpose beyond providing the service? Get the answer in writing.

A vendor that handles PHI well will answer these quickly and in specifics, because they have been asked before and built the program to back it up. Vague or defensive answers are themselves a finding. Run the checklist before signing; retrofitting compliance expectations onto a live integration is far more expensive than asking up front.

Want this in operational form?

We translate playbooks into working software on 31M.