HIPAA Compliance: What to Ask Vendors

For a smaller healthcare organization, the key is balancing regulatory compliance, risk reduction, and simplicity.

Here’s a practical FAQ you can use as a guide to evaluate vendors:

1.   Do you sign Business Associate Agreements (BAAs)?

Any vendor handling PHI must sign a BAA². This legal document outlines their responsibilities and confirms their commitment to HIPAA compliance.

Why it matters: HIPAA requires vendors who handle PHI (Protected Health Information) to sign a BAA². If they won't, they're not compliant.

2.   What specific safeguards do you use to protect PHI?

    Ask about:

• Encryption (at rest and in transit)³
• Role-based access controls⁴
• Multi-factor authentication³
• Secure data centers³
• Regular security audits³ Why it matters: PHI must be protected whether it's being stored, transmitted, or accessed³.

Why it matters: PHI must be protected whether it’s being stored, transmitted, or accessed.

3.   Have you undergone third-party HIPAA audits or certifications?

Independent audits validate a vendor's compliance⁹. Request documentation or summaries of recent assessments.

4.   How do you handle breach detection and notification?

Vendors must notify you within 60 days of discovering a breach⁵,⁶ and provide details to support your required notifications to patients and HHS.

Why it matters: HIPAA requires timely reporting⁵; you need confidence in their plan.

5.   Where is data stored and processed?

Ensure PHI is stored in secure, U.S.-based environments with appropriate physical and technical safeguards³. Determine which data centers and/or cloud providers are used¹⁰.

Why it matters: HIPAA requires clear accountability for where PHI resides¹⁰.

6.   What training do your employees receive on HIPAA?

Regular, role-specific HIPAA training for vendor staff is essential to prevent accidental breaches and ensure proper handling of PHI⁴.

Why it matters: Even the best technology fails if staff mishandle PHI⁴.

7.   Can you provide documentation of your HIPAA policies and procedures?

Request access to internal HIPAA compliance policies, risk assessments, and incident response plans⁷,¹¹.

8.   How do you support small practices like ours in maintaining compliance?

Ask if the vendor offers onboarding support, compliance guidance, or simplified tools tailored to small practices⁸.

Why it matters: In the case of an audit, you'll need vendor cooperation and documentation⁸.

9.     What happens to our data if we stop using your service?

Ensure the vendor has a clear data retention and deletion policy that complies with HIPAA and protects patient information after contract termination².

10.  Do you conduct regular risk assessments?

Vendors should perform ongoing risk assessments to identify vulnerabilities and update their security measures accordingly⁷,¹¹.

11.  How do you manage access to PHI within your organization?

Ask about internal access controls, employee permissions, and how they prevent unauthorized access to sensitive data⁴.

12.  Who has access to our patient data and how is it monitored?

Audit logs help monitor who accessed PHI, when, and what actions were taken—critical for compliance and breach investigations³,⁴.

Why it matters: Prevents unauthorized employees or third parties from viewing PHI³.

13.  Are your subcontractors also HIPAA compliant?

If the vendor uses third-party services, ensure those subcontractors are also HIPAA compliant and covered under the vendor's BAA²,⁹.

Why it matters: Your vendor's partners must also comply with HIPAA—your liability extends to them²

14.  Can you help us with HIPAA documentation or compliance reporting?

Some vendors offer tools or templates to help small practices maintain documentation and prepare for audits or inspections⁸,¹².

Here is a downloadable questionnaire to help guide your initial vendor evaluation.  Wish to see how Cox Business could help your healthcare practice and unlock new levels of efficiency, security, and patient care? Contact Cox Business to discover how our reliable connectivity solutions and dedicated support can help you build a more resilient and thriving future.

HIPAA Vendor Compliance Checklist¹²

       Vendor signs a Business Associate Agreement (BAA)².

       PHI is encrypted both in transit and at rest³.

       Vendor has undergone third-party HIPAA audits or certifications⁹.

       Vendor provides breach detection and notification procedures⁵.

       Data is stored in secure, HIPAA-compliant environments within the U.S.¹⁰.

       Vendor staff receive regular HIPAA training⁴.

       Vendor provides documentation of HIPAA policies and procedures⁷,¹¹.

       Vendor conducts regular risk assessments⁷.

       Vendor offers audit logs and activity tracking³,⁴.

       Vendor ensures subcontractors are also HIPAA compliant²,⁹.

Sources

1.     U.S. Department of Health and Human Services, Office for Civil Rights. "HIPAA Privacy Rule." HHS.gov, Updated December 2022. https://www.hhs.gov/hipaa/for-professionals/privacy/index.html

2.     U.S. Department of Health and Human Services, Office for Civil Rights. "Business Associate Contracts." HHS.gov, Updated March 2023. https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html

3.     U.S. Department of Health and Human Services, Office for Civil Rights. "HIPAA Security Rule." HHS.gov, Updated January 2023. https://www.hhs.gov/hipaa/for-professionals/security/index.html

4.      45 CFR § 164.308 - Administrative Safeguards. Code of Federal Regulations, Title 45, Part 164. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308

5.     U.S. Department of Health and Human Services, Office for Civil Rights. "Breach Notification Rule." HHS.gov, Updated February 2023. https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

6.      45 CFR § 164.410 - Notification to the Secretary. Code of Federal Regulations, Title 45, Part 164. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.410

7.      U.S. Department of Health and Human Services, Office for Civil Rights. "Risk Assessment." HHS.gov, Security Risk Assessment Tool, Updated 2023. https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool

8.      American Medical Association. "HIPAA Compliance for Small Practices." AMA Practice Management, 2023. https://www.ama-assn.org/practice-management/hipaa/hipaa-compliance-small-practices

9.     Healthcare Information and Management Systems Society (HIMSS). "Third-Party Risk Management in Healthcare." HIMSS.org, 2023. https://www.himss.org/resources/third-party-risk-management-healthcare

10.   U.S. Department of Health and Human Services, Office for Civil Rights. "Guidance on HIPAA & Cloud Computing." HHS.gov, Updated July 2022. https://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html

11.   National Institute of Standards and Technology. "NIST Special Publication 800-66: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule." NIST.gov, October 2008. https://csrc.nist.gov/publications/detail/sp/800-66/rev-1/final

12.   Healthcare Financial Management Association. "HIPAA Compliance Checklist for Healthcare Organizations." HFMA.org, 2023. https://www.hfma.org/topics/hfm/2023/april/hipaa-compliance-checklist.html