Why This Checklist Matters
Healthcare AI adoption is accelerating, but so are data breaches. The HHS Office for Civil Rights reported 725 healthcare data breaches affecting 133 million records in 2023 alone. When you bring an AI vendor into your practice, you're extending your HIPAA compliance perimeter to include their infrastructure, their employees, and their algorithms.
This isn't a reason to avoid AI — it's a reason to vet vendors rigorously before signing.
Section 1: Business Associate Agreement (BAA)
A BAA is non-negotiable. Any vendor that processes, stores, or transmits protected health information (PHI) on your behalf must sign one.
Questions to Ask
Will you sign a BAA before any PHI is processed?
Does your BAA cover all subcontractors and sub-processors?
What is your breach notification timeline? (HIPAA requires 60 days; best vendors commit to 24-72 hours)
Does the BAA specify data retention and destruction timelines?
Red Flags
Vendor claims a BAA "isn't necessary" for their service
BAA excludes AI model training from its scope
No mention of subcontractor obligations
Section 2: Data Handling and Storage
Questions to Ask
Where is PHI stored geographically? (US-only for most compliance frameworks)
Is PHI encrypted at rest? What algorithm and key length? (AES-256 minimum)
Is PHI encrypted in transit? (TLS 1.2+ minimum)
Is PHI used to train or fine-tune AI models? If so, is it de-identified first?
Can PHI be permanently deleted upon contract termination?
Do you support customer-managed encryption keys (CMEK)?
What Good Looks Like
The vendor stores PHI in SOC 2 Type II certified US data centers, uses AES-256 encryption at rest, TLS 1.3 in transit, and never uses raw PHI for model training. Data deletion is available on demand with certification.
Section 3: Access Controls
Questions to Ask
Does the platform support role-based access control (RBAC)?
Is multi-factor authentication (MFA) available? Is it mandatory for admin accounts?
Can access be scoped to specific patient populations or data types?
How are API keys and service accounts managed?
Is there support for single sign-on (SSO) via SAML or OIDC?
Minimum Requirements
RBAC with at least three roles: admin, provider, and staff
MFA mandatory for all accounts with PHI access
Session timeout after 15 minutes of inactivity
API keys rotatable and scopeable
Section 4: Audit Logging
HIPAA requires that covered entities and their associates maintain audit trails of PHI access.
Questions to Ask
Are all PHI access events logged? (read, write, delete, export)
Are logs tamper-evident and append-only?
How long are audit logs retained? (Minimum 6 years for HIPAA)
Can logs be exported for your own compliance tools?
Are anomalous access patterns flagged automatically?
What Good Looks Like
Every PHI access event is logged with timestamp, user ID, action type, and affected records. Logs are stored in an immutable, append-only system retained for 7 years. Anomaly detection alerts the practice admin within 15 minutes.
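As an added example (not code from the original page or from MediFlow), here is how the logging properties above, tamper-evident, append-only, and with anomaly flagging, can be checked in a small hash-chained log; the events, user names and the 20-records-per-15-minutes threshold are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timedelta

# Constructed sample PHI access events (not real data); "records" lists the affected patient ids.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:00Z", "user": "dr_lee", "action": "read", "records": ["pt-1001"]},
    {"ts": "2024-03-01T09:05:00Z", "user": "dr_lee", "action": "write", "records": ["pt-1001"]},
    {"ts": "2024-03-01T09:07:00Z", "user": "billing_01", "action": "read", "records": ["pt-1002", "pt-1003"]},
    {"ts": "2024-03-01T09:10:00Z", "user": "billing_01", "action": "export",
     "records": [f"pt-{n}" for n in range(2000, 2030)]},
]

GENESIS = "0" * 64  # link value for the first entry


def _canonical(event):
    # Stable serialisation so the hash covers every field regardless of key order.
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def append_event(chain, event):
    """Append one event, linking it to the previous entry's hash (append-only, tamper-evident)."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    digest = hashlib.sha256((prev_hash + _canonical(event)).encode()).hexdigest()
    entry = dict(event, prev_hash=prev_hash, hash=digest)
    chain.append(entry)
    return entry


def verify_chain(chain):
    """Return -1 if the chain is intact, else the index of the first edited or re-linked entry."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        event = {k: v for k, v in entry.items() if k not in ("prev_hash", "hash")}
        expected = hashlib.sha256((prev_hash + _canonical(event)).encode()).hexdigest()
        if entry["prev_hash"] != prev_hash or entry["hash"] != expected:
            return i
        prev_hash = entry["hash"]
    return -1


def flag_anomalies(chain, max_records=20, window=timedelta(minutes=15)):
    """Flag users that touch more than max_records distinct records within one sliding window."""
    flagged, per_user = set(), {}
    for entry in chain:
        ts = datetime.fromisoformat(entry["ts"].replace("Z", "+00:00"))
        hist = per_user.setdefault(entry["user"], [])
        hist.append((ts, entry["records"]))
        recent = [recs for t, recs in hist if ts - t <= window]
        if len({r for recs in recent for r in recs}) > max_records:
            flagged.add(entry["user"])
    return sorted(flagged)


def build_chain(events=SAMPLE_EVENTS):
    chain = []
    for ev in events:
        append_event(chain, ev)
    return chain
```

Editing any stored entry after the fact changes its hash and breaks every later link, which is what makes the log tamper-evident rather than merely access-restricted.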
Section 5: AI-Specific Risks
AI introduces risks that traditional software doesn't. Your checklist must cover these.
Questions to Ask
Is the AI model hosted in a HIPAA-compliant environment, or does data leave the compliance perimeter for inference?
Are AI model inputs and outputs logged for auditability?
Can AI-generated content (notes, codes, recommendations) be reviewed and edited before it affects the medical record?
Does the vendor have a process for correcting AI errors in clinical outputs?
Is the AI model validated for your patient population and specialty?
Critical Principle
AI should assist, not automate. Every AI output that touches the medical record must pass through physician review. Vendors that promise "fully automated" clinical documentation without a review step are creating liability, not efficiency.
Section 6: Incident Response
Questions to Ask
What is your incident response plan? Can we review it?
What is your target time-to-detection for security incidents?
What is your target time-to-notification for affected customers?
Do you conduct tabletop exercises or simulated breach drills?
Will you provide a post-incident report with root cause analysis?
Section 7: Compliance Certifications
Must-Have
SOC 2 Type II report (current, not older than 12 months)
HIPAA compliance attestation
BAA willingness
Nice-to-Have
HITRUST CSF certification
ISO 27001
FedRAMP (if serving government-affiliated practices)
The Vendor Evaluation Scorecard
Rate each section 1-5 and weight by importance:
| Section | Weight | Score (1-5) | Weighted |
|---|---|---|---|
| BAA | 20% | — | — |
| Data Handling | 20% | — | — |
| Access Controls | 15% | — | — |
| Audit Logging | 15% | — | — |
| AI-Specific Risks | 15% | — | — |
| Incident Response | 10% | — | — |
| Certifications | 5% | — | — |
Threshold: Vendors scoring below 3.5 weighted average should not be considered for PHI-handling roles.
MediFlow's Compliance Posture
For transparency, here's how MediFlow addresses each area:
BAA: Signed before any data processing begins, covering all sub-processors
Data: US-only hosting, AES-256 at rest, TLS 1.3 in transit, no PHI in model training
Access: RBAC, mandatory MFA, SSO via SAML, 15-minute session timeout
Audit: Immutable logs retained 7 years, real-time anomaly alerts
AI: All AI outputs require physician review, model I/O fully logged
Certifications: SOC 2 Type II, HIPAA compliant, HITRUST in progress