When a vendor handles protected health information, their security is your security. A breach on their side becomes your incident, your notification obligation, and your reputational hit. Evaluating a vendor's security posture before you sign is one of the most consequential parts of any health-tech purchase.
## Start with the Business Associate Agreement
If a vendor creates, receives, maintains, or transmits PHI on your behalf, they are a business associate under HIPAA, and you must have a signed Business Associate Agreement (BAA) in place. A vendor that hesitates to provide a BAA, or doesn't understand the request, is a red flag. The BAA defines their obligations to safeguard data and to notify you of breaches.
## Security questions to ask every vendor
| Area | What to ask |
|---|---|
| Encryption | Is data encrypted in transit and at rest? |
| Access control | Role-based access, MFA, audit logs? |
| Certifications | SOC 2, HITRUST, ONC certification? |
| Breach history | Past incidents and how handled? |
| Subprocessors | Who else touches the data? |
| Incident response | How fast will they notify you? |
| Data location | Where is data stored and backed up? |
## Look for independent validation
Marketing claims of being "bank-level secure" mean little on their own. Ask for evidence: a SOC 2 Type II report, third-party penetration test summaries, or recognized certifications. For health IT capabilities specifically, certification can be verified on the ONC Certified Health IT Product List. The NIST Cybersecurity Framework provides a common vocabulary for these conversations and is worth referencing when you ask how a vendor manages risk.
## Don't forget the FTC dimension
Beyond HIPAA, the Federal Trade Commission has acted against companies that made misleading security promises or mishandled health data, including through the Health Breach Notification Rule for certain non-HIPAA entities. If a vendor's product touches consumer health data outside the typical HIPAA framework, those FTC obligations may apply — another reason to understand exactly how your data is handled.
## Make security a scored dimension
Security shouldn't be a pass/fail afterthought at contract time. Build it into your vendor comparison as a weighted dimension alongside cost and workflow fit. A tool that's slightly more expensive but demonstrably more secure is often the better long-term value, because the cost of a breach — financial, regulatory, and reputational — dwarfs the price difference.
## Subprocessors extend your risk surface
Most modern software vendors don't operate alone. They rely on cloud hosting providers, email services, analytics tools, and other subcontractors — each of which may touch your data. This chain of subprocessors extends your risk surface beyond the vendor you actually signed with. Ask any vendor for a current list of their subprocessors and how they vet them, because a weak link three steps down the chain can still cause a breach that lands on your desk. Strong vendors maintain this list openly and flow their HIPAA obligations down to the partners who handle PHI on their behalf; vendors who can't tell you who else touches your data haven't thought hard enough about security.
## Trust is also about behavior over time
A point-in-time certification tells you a vendor passed an audit on a given day; it doesn't tell you how they'll behave when something goes wrong. Look for evidence of a security culture: regular penetration testing, a public process for reporting vulnerabilities, prompt patching, and transparency about past incidents. How a vendor handled a previous breach — whether they disclosed it quickly, explained what changed, and notified affected customers — predicts how they'll treat you. A vendor with no incidents in their history isn't necessarily safer than one who handled a past incident well; sometimes it just means they haven't been tested or aren't being candid.
## The takeaway
Evaluate vendor security on concrete evidence: a signed BAA, encryption in transit and at rest, strong access controls, independent certifications, and a clear breach-notification commitment. Verify certifications through primary sources, weigh security as a real scoring dimension, and treat evasive answers as the warning they are.