A checklist for evaluating a healthcare AI vendor's security posture, data handling, audits, and business associate agreement before sharing PHI.
This article is for technology evaluation and procurement planning. It is not legal or compliance advice. Confirm contractual and regulatory requirements with your privacy, security, and legal teams.
2026/06/09
By the time a tool reaches production, its security posture is largely fixed by the contract you signed. Vetting a vendor's security and its business associate agreement is therefore a procurement decision, not a final-step formality. Do it before any PHI is shared.
HealthAIdir reviews tools that position themselves as compliance-aware, including Paubox, Aptible, Vanta HIPAA, and TrueVault. Even so, no directory listing replaces your own due diligence.
A vendor that creates, receives, maintains, or transmits PHI on your behalf is a business associate and must sign a BAA before it touches that data. Ask for it early, and read what it actually says about breach notification timelines, subcontractor flow-down (the vendor needs equivalent agreements with its own subprocessors), data return and deletion at the end of the engagement, and allocation of liability. Reluctance to provide a BAA, or vague answers about who is responsible when a breach occurs, is a signal to slow down.
Certifications and audit reports such as HITRUST or SOC 2 can indicate a mature security program, but scope matters. A report may cover one product or hosting environment and not the one you are buying, and SOC 2 is an attestation report rather than a certificate: ask for the report itself (Type II, covering a period of operation, not a Type I point-in-time design review), read the auditor's noted exceptions, and check the audit window. Ask what exactly is in scope, when it was last assessed, and whether the systems that will process your PHI are included.
Map the data path. Ask what data the tool collects, where it is stored and in which jurisdiction, which subprocessors and AI model providers see it, whether customer data is used for model training, and how retention and deletion work in practice. For AI tools specifically, confirm whether prompts or outputs containing PHI are logged, retained, or reused, and get the answer in writing, since a marketing FAQ is not a contractual commitment.
Be skeptical of marketing that promises "guaranteed compliance" or "HIPAA certified" as if it were a government seal; no such certification exists. Compliance is an ongoing program shared between you and the vendor, and signing a BAA does not transfer your obligations to them. Favor vendors who describe their controls precisely and who tell you what remains your responsibility. See HIPAA-Compliant AI Tools for Healthcare for related guidance.