A solid star-stamped badge beside an empty hollow ring on a dark wooden surface, illustrating the difference between a HIPAA-certified vendor and one that is merely HIPAA-aware.

HIPAA-aware vs. HIPAA-certified: the distinction your vendor should explain

A vendor’s website said, in bold type, “HIPAA-Certified Cloud Storage.” The practice manager forwarded the page and asked if that was good enough. The honest answer was that the phrase did not mean what the vendor wanted her to think it meant, and that no vendor in the United States can sell her HIPAA certification because no such certification exists. The HIPAA-aware vs HIPAA-certified distinction is the one she actually needed.

This is one of the most common misunderstandings in clinic IT. The vendor knows it. The clinic does not. The gap is where bad procurement happens.

What HIPAA certification would mean, if it existed

If HIPAA certification were real, it would be a process in which an independent body audited a system against a published standard and issued a certificate of compliance. That is how PCI works for credit card data, how SOC 2 works for service organizations, and how ISO 27001 works for information security management.

HIPAA does not work that way. The Department of Health and Human Services does not certify anything. There is no recognized auditor body for HIPAA compliance. The HITECH Act and the HIPAA Security Rule define what covered entities and business associates must do, but compliance is a posture, not a credential. A system is compliant the way a person is honest: by acting that way, not by carrying a certificate.

When a vendor says “HIPAA-certified,” they are using marketing language for something that does not exist. The charitable reading is that they mean “we have done a self-assessment and we believe we are compliant.” The less charitable reading is that they know exactly what they are doing.

What “HIPAA-aware” actually looks like

The phrase that has real meaning is “HIPAA-aware” or “willing to enter into a Business Associate Agreement.” Those are the indicators that the vendor has done the actual work. Specifically:

  • The vendor will sign a BAA with the clinic, naming themselves as a business associate and agreeing to the HIPAA Privacy Rule and Security Rule requirements for handling PHI.
  • The vendor can describe, in writing, what data they will receive, how it is encrypted in transit and at rest, who has access, and what the audit trail looks like.
  • The vendor can produce, on request, a SOC 2 Type II report or equivalent third-party security audit. Not as proof of HIPAA compliance, but as evidence that they are subject to ongoing external review.
  • The vendor has a documented breach notification process and can tell the clinic, in plain language, what happens in the first 72 hours after an incident.
  • The vendor distinguishes between which of their products handle PHI and which do not. Most vendors have both. The free tier almost never includes BAA coverage. The paid tier sometimes does.

If a vendor can do all five of those things, the vendor is HIPAA-aware in a meaningful sense. The clinic can build a defensible posture using their service. If a vendor cannot do any of those things, the vendor is selling words.

The BAA is the document, not the badge

The Business Associate Agreement is the single most important artifact in this conversation. It is the legal instrument by which a vendor takes on liability for handling PHI on the clinic’s behalf. Without a BAA, the clinic cannot legally send PHI to the vendor. Period.

This means the first procurement question to ask is not “are you HIPAA compliant.” It is “will you sign our BAA, and what are the terms.” The terms matter. A BAA that limits the vendor’s liability to a refund of the monthly fee is not the same as a BAA with reasonable indemnification. A BAA that requires the clinic to use a specific tier of the product is workable; a BAA that requires the clinic to follow a specific configuration is operationally relevant, because the vendor’s commitments only hold while the clinic actually runs that configuration.

Read the BAA. If the BAA has been drafted by the vendor’s lawyers, have your own counsel look at it. Most clinics never do this and accept whatever the vendor sends.

The vendors that confuse this on purpose

Some vendor categories are particularly aggressive about misrepresenting HIPAA posture:

  • Email marketing platforms. Most are not HIPAA-aware. The ones that are will sign a BAA only on enterprise tiers, and will limit what kinds of content the BAA covers.
  • Form builders. The cheap ones use language like “HIPAA-friendly” with no BAA available. The compliant ones charge meaningfully more and require a paid tier.
  • Analytics platforms. Almost none will sign a BAA, which means almost none can be used on pages that contain PHI. The popular ones are explicit about this in their terms.
  • Generic cloud storage. Some, like AWS and Google Cloud, will sign a BAA but only for specific services and only after a specific configuration. The default settings are not compliant.
  • CRMs. Most are not. The ones that claim to be often mean their enterprise tier, sometimes with specific modules disabled.

The pattern: the smaller and cheaper the vendor, the louder the HIPAA marketing language, and the less substantive the actual compliance posture. There are good small vendors, but they tend to talk about HIPAA in careful, specific terms because they know the standard.

The clinic’s own HIPAA-aware posture

Even with the best vendors, the clinic is the covered entity. The clinic is responsible for its own HIPAA posture. The vendors are business associates. The clinic cannot outsource compliance. It can only enter into agreements that make compliance possible.

What this means practically: the clinic needs its own documented policies, its own risk assessment, its own staff training, its own incident response plan, its own audit of where PHI lives across its vendor stack. The vendor’s posture is necessary. It is not sufficient.

This is also why “HIPAA-certified” is a misleading promise even from honest vendors. The vendor cannot certify the clinic. The clinic must do its own work. A clean vendor reduces the surface area, but does not remove the obligation.

The procurement script

When evaluating any vendor that will touch PHI, ask these questions in order:

  1. Do you sign Business Associate Agreements, and on which products or tiers?
  2. Can you share a recent SOC 2 Type II report or equivalent third-party audit?
  3. What is your encryption posture in transit and at rest, and where are the keys held?
  4. Where is the data hosted, and in what jurisdictions?
  5. What is your breach notification timeline?
  6. What does the audit trail look like, and how long is it retained?

If a vendor cannot answer those six questions in writing, the vendor is not ready for clinic work. The marketing language on their homepage is not part of the answer.

The clinic at the top of this post switched vendors. The new vendor signed a clean BAA, produced a SOC 2 report on request, and stopped using the phrase “HIPAA-certified” altogether. The cost was 30 dollars a month more. The peace of mind was worth more than that. See also why notification emails should never carry PHI, and how we structure our engagement around BAA-ready vendor selection.
