Healthcare practices adopt AI tools faster than they audit them. A product demo, a sales call, and a signed contract — and the AI is live on the phones handling patient information before anyone has confirmed whether the vendor can legally touch that data.
The Office for Civil Rights does not grade on a curve for convenience. If your AI vendor processes protected health information without a valid Business Associate Agreement, or without the technical safeguards HIPAA requires, your practice bears the liability. The vendor's marketing materials about being "HIPAA-aware" or "privacy-first" are not a substitute for documented compliance.
This checklist gives you a structured way to assess any AI vendor before they go live — and a framework for annual reviews of vendors you already use.
Quick Answer
Before giving any AI vendor access to patient communications, run through 12 questions covering: BAA availability, what PHI they access, encryption standards, data retention, staff access controls, data resale policies, breach notification timelines, audit log duration, subcontractor BAA processes, prior HIPAA incidents, security certifications, and data return or deletion upon contract termination.
A vendor that cannot answer all 12 questions clearly and in writing is not ready for use in a HIPAA-covered environment. The answers tell you what the vendor knows about their own compliance posture — which tells you how much to trust the rest of what they say.
Why AI Vendor Audits Are Different from Standard Vendor Assessments
AI systems process PHI at scale, make autonomous decisions about patient interactions, and generate outputs — call summaries, transcripts, intake notes — that may become part of the patient record. These characteristics make AI vendor assessments more consequential than standard software procurement reviews, where a misconfigured tool affects one workflow rather than every patient interaction.
Three characteristics of AI tools change the risk calculus relative to standard software vendors:
PHI Processing at Scale
A human receptionist handles one call at a time. An AI phone system handles every inbound call simultaneously. If the AI is processing calls in a non-HIPAA-compliant environment — unencrypted storage, no access controls, data shared with a subprocessor without a BAA — the volume of PHI at risk is your entire patient call volume, not a single incident.
Autonomous Decision-Making
AI systems make decisions without human review: which calls to route, what information to collect, when to escalate, what to include in a summary. If those decisions are governed by logic that was configured without HIPAA constraints, the system can produce impermissible disclosures without any individual staff member being involved in or aware of the violation.
Outputs That Enter the Patient Record
AI-generated transcripts, call summaries, and intake form responses often flow into EHR systems and become part of the patient record. This creates a chain of PHI custody that extends from the AI vendor through your EHR vendor. Each link in that chain requires its own BAA and its own compliance review.
The 12-Point AI Vendor HIPAA Audit Checklist
Work through all 12 items in writing. Verbal assurances are not documentation. Ask each question in a formal vendor questionnaire, and require written responses that can be retained as part of your compliance program. If a vendor refuses to respond in writing, treat that refusal as an answer.
1. Will they sign a Business Associate Agreement?
This is the threshold question: ask it before any other. If the vendor will not sign a BAA, stop the evaluation immediately. No other compliance feature compensates for the absence of a BAA. A vendor unwilling to sign a BAA is explicitly declining to accept HIPAA obligations for the PHI you would entrust to them.
Red flag answer: "We don't typically sign BAAs," "Our platform is HIPAA-aware but not fully compliant," or "Let us look into that." Any of these responses disqualifies the vendor.
2. What PHI do they access, store, and process?
Require a specific enumeration of every data element the system touches: patient names, phone numbers, dates of birth, appointment information, call recordings, transcripts, and any other identifiers. Vague answers like "we process call data" are insufficient. You need to know exactly what PHI the vendor holds so you can assess whether the BAA covers all of it.
Red flag answer: "We don't store patient data" from a vendor that handles call recordings or generates transcripts — these are PHI by definition.
3. How is data encrypted in transit and at rest?
HIPAA's Security Rule requires addressable encryption safeguards. Healthcare-grade systems use AES-256 encryption for stored data and TLS 1.2 or higher for data in transit. Request written confirmation of both encryption standards and the specific protocols used. Ask whether encryption applies to all storage locations, including backups and logs.
Red flag answer: "We use industry-standard encryption" without specifying the standard, or confirmation that call recordings are stored without encryption.
4. What is the data retention policy?
HIPAA does not specify a universal retention period for PHI held by business associates, but your BAA should define how long the vendor retains data and what they do with it after the retention period expires. AI systems that retain call recordings indefinitely without a defined deletion schedule create escalating PHI exposure over time. Require a specific retention timeline and a documented deletion process.
Red flag answer: "We retain data as long as needed" without a defined duration, or no ability to request earlier deletion of specific patient records.
5. Who has access to your data — employees and subcontractors?
HIPAA requires that access to PHI be limited to authorized persons only. Ask for a description of which vendor employees can access your call data, under what circumstances, and through what controls. Also ask for a complete list of subcontractors who may access your data, such as cloud infrastructure providers, transcription services, or analytics platforms.
Red flag answer: "Our engineers have access for support purposes" without specifics about access controls, or inability to identify subcontractors who touch your data.
6. Do they sell or share data for product improvement?
Some AI platforms reserve the right to use conversation data to improve their models or to share aggregate data with research partners. Any use of PHI beyond what is specified in the BAA requires explicit patient authorization under HIPAA. Verify that both the terms of service and the BAA prohibit using your patient data for model training, product analytics, or third-party sharing of any kind.
Red flag answer: Terms of service language reserving any right to use "anonymized" or "aggregated" data from your conversations — de-identification must meet HIPAA's Safe Harbor or Expert Determination standards, which most vendors have not formally applied.
7. What is the breach notification process and timeline?
HIPAA requires business associates to notify covered entities of a breach within 60 days of discovery. Your BAA should specify a faster internal timeline — most well-constructed BAAs require notification within 24 to 72 hours. Ask the vendor how they define a "breach," who in their organization is responsible for breach notification, and what documentation they provide to help you fulfill your own notification obligations to patients and OCR.
Red flag answer: "We would notify you according to applicable law" without specifying a timeline, or no designated breach response contact within the vendor organization.
8. Do they maintain audit logs, and for how long?
HIPAA requires audit controls that record and examine access to ePHI. Ask whether the vendor maintains logs of: which staff accessed which patient records, when AI interactions occurred and what data was processed, system configuration changes, and any administrative actions taken on your account. Ask how long these logs are retained and whether you can access them directly or must request them.
Red flag answer: Logs are retained for less than six years (the HIPAA documentation retention standard), or logs are not available to the covered entity on request.
9. What is the subcontractor BAA process?
Every subcontractor that handles PHI on the vendor's behalf must also be covered by a BAA. Ask the vendor to confirm that they have signed BAAs with all subcontractors who may access your data — cloud hosting providers, telephony carriers, transcription engines, and any other third-party service. Ask whether they notify you when they add or change subcontractors who could access your PHI.
Red flag answer: "We rely on our subcontractors' own compliance programs" without confirmed BAAs in place, or inability to provide a list of subcontractors on request.
10. Have they had any prior HIPAA incidents or OCR investigations?
Vendors are not legally required to disclose prior HIPAA incidents to prospective customers unless those incidents resulted in public enforcement actions. Ask directly. A vendor with a prior breach is not automatically disqualified — how they responded and what they changed matters more than the incident itself. A vendor that is evasive about their incident history is a different concern.
Red flag answer: Evasiveness or refusal to answer, or confirmation of a prior incident without a clear description of the remediation steps taken.
11. What is their security certification status (SOC 2, HITRUST, etc.)?
Third-party security certifications provide independent validation that a vendor's security controls have been assessed and verified. SOC 2 Type II is the baseline expectation for healthcare SaaS vendors. HITRUST CSF certification is a stronger signal because it incorporates HIPAA-specific controls. Ask for the most recent certification report and check the report date — a SOC 2 report more than 12 months old is stale.
Red flag answer: "We are working toward SOC 2" with no current certification, or a certification report that is more than 18 months old with no renewal in progress.
12. What happens to your data if you terminate the contract?
Your BAA must specify what the vendor does with your PHI upon contract termination: return it to you, certify its deletion, or both. Require a specific process and timeline for data return and deletion, and ask whether that process extends to backups and disaster recovery copies. Data that persists in a former vendor's systems after contract termination is PHI outside your control.
Red flag answer: "Data will be deleted per our standard schedule" without a defined timeline, or no process for certified deletion confirmation.
Summary: Red Flag Answers by Category
The red flag answers across all 12 checklist items share a common pattern: vagueness, deferral, or self-referential assurance. Any vendor who responds to specific compliance questions with general statements about being "privacy-focused" or "security-conscious" without providing documented specifics is telling you something important about how seriously they take HIPAA obligations.
Three categories of red flag responses warrant immediate disqualification:
- BAA refusal or indefinite delay: No BAA means no compliant use of PHI. Period.
- Data resale or model training rights: Any reservation of rights to use patient conversation data beyond service delivery violates HIPAA unless patients have individually authorized it.
- No audit logs or inaccessible logs: Without audit logs, you cannot demonstrate compliance to OCR, and you cannot investigate a potential breach. A vendor that cannot support your audit obligations cannot be your business associate.
Evaluating the BAA Itself: What Good BAAs Include
A vendor-provided BAA that protects the vendor more than the covered entity is a common problem. Good BAAs are specific about permitted uses of PHI, include short breach notification timelines, require subcontractor BAA chains, and give the covered entity the right to audit compliance. Vendor-favorable BAAs are vague on all four counts.
When reviewing a BAA, look for these specific provisions:
Permitted uses and disclosures: The BAA should list every permitted use of your PHI specifically. Generic language permitting "any use necessary to provide services" is too broad and may authorize uses that HIPAA would otherwise prohibit.
Breach notification timeline: The statutory 60-day timeline is the floor, not the target. A well-negotiated BAA specifies 24 to 48 hours for initial notification, even if the full investigation is not complete at that point.
Subcontractor obligations: The BAA should require the vendor to flow HIPAA obligations down to all subcontractors who handle your PHI and to notify you of any subcontractor change that could affect data handling.
Audit rights: You should have the contractual right to request compliance documentation and, in appropriate circumstances, to audit the vendor's practices. Vendors who resist audit rights in the BAA are limiting your ability to verify the compliance they are claiming.
Termination and data disposition: The BAA should specify exactly what happens to your data at contract end — return, deletion, or both — with a documented timeline and a requirement for written confirmation of completion.
Ongoing Monitoring: This Is Not a One-Time Audit
HIPAA compliance is not a point-in-time status — it is an ongoing obligation. OCR guidance calls for periodic review of business associate relationships. Industry best practice is annual at minimum, with unscheduled reviews triggered by material changes to the vendor's product, ownership, subcontractors, or security posture.
Set a calendar reminder to run through the 12-point checklist with each AI vendor annually. In addition, trigger an unscheduled review if any of the following occur:
- The vendor announces a product update that changes how PHI is processed or stored
- The vendor is acquired, merges with another company, or changes its subprocessor stack
- You receive a breach notification from the vendor — even if your data was not affected
- The vendor's SOC 2 or HITRUST certification expires and is not renewed
- The vendor updates its terms of service in ways that affect data handling
- You receive a patient complaint related to information shared through the AI system
How BetaQuick — Haven and Aria — Answers Each Checklist Item
Haven and Aria were built for healthcare environments where HIPAA compliance is a requirement, not a differentiator. Every item on this checklist has a specific, documented answer — and that documentation is available to prospective customers before they sign anything.
Here is how BetaQuick responds to each checklist item:
- BAA: Yes, we sign a BAA with every healthcare customer before the system goes live. Our standard BAA is available for review prior to any contract commitment.
- PHI accessed: We process patient first name, callback number, appointment date/time, and call recording where applicable. We do not access or store diagnosis codes, medication data, or insurance identifiers.
- Encryption: AES-256 encryption at rest; TLS 1.2+ in transit. This applies to all storage, including backups and logs.
- Retention: Call data is retained for the period specified in your BAA, with a default of 12 months. Deletion is triggered automatically at the retention period end and confirmed in the audit log.
- Access: Access to patient call data is restricted to named customer administrators and BetaQuick support staff through role-based access controls. All access is logged. Subcontractors are enumerated in our BAA.
- Data resale: We do not use your patient data for model training, product analytics, or third-party sharing. This prohibition is explicit in our BAA and our terms of service.
- Breach notification: We notify customers within 24 hours of confirming a breach involving PHI, with a full incident report within 72 hours. Our BAA specifies these timelines.
- Audit logs: Audit logs are retained for a minimum of six years and are accessible to customers on request through the admin dashboard.
- Subcontractor BAAs: All subcontractors with access to PHI have signed BAAs with BetaQuick. Our current subprocessor list is available on request and is updated when subprocessors change.
- Prior incidents: BetaQuick has not experienced a HIPAA breach or been subject to an OCR investigation.
- Certifications: BetaQuick maintains SOC 2 Type II certification. Our most recent report is available under NDA to prospective customers during due diligence.
- Termination: Upon contract termination, your data is returned in a standard format within 30 days and then deleted from all systems including backups. Written deletion confirmation is provided.
Frequently Asked Questions
Is a BAA enough to make an AI vendor HIPAA compliant?
No. A signed BAA is a necessary condition for HIPAA compliance but not a sufficient one. The BAA creates contractual obligations, but compliance depends on whether the vendor actually implements the required technical and administrative safeguards. A vendor can sign a BAA and still fail to encrypt data, maintain audit logs, or notify you of a breach within the required timeframe. The BAA is the starting point for your audit, not the end of it.
What is the difference between HIPAA compliance and HITRUST certification?
HIPAA compliance is a legal requirement governed by federal law and enforced by the Office for Civil Rights. HITRUST CSF certification is a voluntary third-party assurance framework that incorporates HIPAA requirements along with other security standards including NIST and ISO 27001. A HITRUST-certified vendor has undergone independent validation of their security controls, which provides stronger assurance than self-attestation alone. HIPAA compliance without HITRUST certification is still legally valid; HITRUST simply provides an additional layer of documented verification.
Can I use a free AI tool if I get them to sign a BAA?
In most cases, no. Free AI tools — including consumer-grade chatbots, general-purpose voice assistants, and free-tier transcription services — are typically built on infrastructure that does not meet HIPAA's technical safeguard requirements regardless of what a BAA says. The BAA binds the vendor to HIPAA obligations, but if the underlying system architecture does not support encryption, access controls, and audit logging, the BAA is a legal document promising compliance the vendor cannot actually deliver.
What happens if my AI vendor has a breach?
Under HIPAA's Breach Notification Rule, your AI vendor is required to notify you of any breach affecting PHI within 60 days of discovering it. As the covered entity, you are then responsible for notifying affected patients without unreasonable delay and within 60 days of learning of the breach. If the breach affects 500 or more individuals in a single state, you must also notify the Secretary of HHS and prominent media outlets in that state. The breach notification obligations in your BAA should specify the vendor's timeline and process for notifying you.
How often should I audit my AI vendors?
HIPAA does not specify a fixed audit interval for business associate assessments, but OCR guidance and industry best practice call for at least an annual review. Beyond the scheduled annual audit, you should trigger an unscheduled review when: the vendor announces a material change to their product or infrastructure, the vendor is acquired or merges with another company, you learn of a security incident at the vendor even if your data was not affected, or the vendor updates their terms of service in ways that could affect data handling.
Do I need separate BAAs for each AI product I use?
Yes. Each business associate relationship requires its own BAA. If you use three separate AI products — a phone system, a scheduling tool, and a clinical documentation assistant — you need a BAA with each vendor. An umbrella BAA with a parent company does not automatically cover subsidiary products or platforms unless the BAA explicitly names them. Review each BAA to confirm it covers the specific product, the specific PHI data flows, and the specific subprocessors involved in that product.