HIPAA in Buying
PHI implications.
The HIPAA question
HIPAA buying decisions come down to one discipline: a Business Associate Agreement (BAA) with every vendor in the PHI path. Scope creeps quietly, so the audit has to keep pace rather than discover the gap during an OCR investigation.
- BAA requirement. One Business Associate Agreement per vendor in the PHI path. If the software handles PHI, every vendor that touches the data needs one, and that vendor needs its own BAA with any subcontractor it passes the data to.
- BAAs are not optional. Civil penalties are tiered by culpability, from $100 to $50,000 per violation with a $1.5 million annual cap per provision at the statutory figures (adjusted upward for inflation since). A missing BAA is the cheapest path to a fine and the easiest one for OCR to find.
- Scope creeps. Ask "did this tool see PHI?" of every tool, not just the ones bought to handle PHI. A logging tool that captures patient names from request bodies is in scope even if nobody intended it to be.
- Named privacy and security officers. HIPAA requires a designated privacy official and a security official; name them. Operational reviews then have an owner; without one, scope drift is invisible until the audit.
What to ask vendors
The questions matter because BAA availability, encryption posture, access logs and breach-notification terms are far cheaper to settle during procurement than after the contract is signed.
- BAA availability and price. Check which tier the BAA is gated behind per vendor. Some vendors only sign at enterprise tiers; budget for that up front rather than discovering the upgrade cost mid-rollout.
- Encryption at rest and in transit. Ask for AES-256 at rest and TLS 1.2 or above in transit as the minimum per vendor. The Security Rule itself names no algorithm (encryption is an "addressable" specification), but PHI encrypted per HHS's NIST-based guidance is not "unsecured PHI", so its loss does not trigger breach notification; a vendor that cannot meet that bar leaves the breach clock running on every incident.
- Access controls and audit logs. PHI-access logging with six years of retention per vendor, matching HIPAA's documentation-retention period. Six years is the regulatory floor, not the operational ceiling.
- Breach-notification SLA. A documented notification window per vendor. The rule's outer limit for a business associate is 60 days from discovery; the BAA should set something much shorter, because that window starts your own notification and recovery clock.
Data flow mapping
The data-flow map is what makes scope concrete: every path, every node, every annotation. Without it, "we use these vendors" leaves PHI in places nobody knew about.
- Diagram every path. Application, database, backups, BI tools, logs and support tickets per system. PHI lives in places the team would not predict; the diagram surfaces them.
- Tag each node. Mark every node "covered by BAA" or "out of scope". Out-of-scope nodes must never receive PHI; enforce that boundary in code (field scrubbing, allow-lists on what leaves the system, blocked integrations) rather than in policy alone.
- Annual re-audit. Refresh the data-flow map every year. New tools sneak into the data path; HIPAA scope grows silently and the diagram has to catch up.
- Named node owner. One responsible team per node. Compliance reviews then have a specific person to ask rather than a generic engineering distribution list.
Common traps
The traps are predictable: Slack and Jira at standard tiers, email on the wrong tier or the wrong configuration, and production data in dev. Each catches teams that thought they were out of scope.
- Slack and Jira at standard tiers. Most collaboration tools do not sign a BAA at the standard tier. PHI pasted into a ticket or a channel on such a tier is a violation, however incidental.
- Email. Gmail (Google Workspace) and Outlook (Microsoft 365) sign BAAs on their paid business and enterprise plans, but the BAA covers only the listed core services and only with the right admin configuration; uncovered add-on services and third-party integrations have to be switched off, and default settings often leave them on.
- Production data in dev. No real PHI in any non-production environment. Pseudonymised or "synthetic-looking" data that was derived from real PHI and can be re-linked is still PHI; only data de-identified under 45 CFR 164.514 (Safe Harbor or expert determination) leaves scope. Either generate test data synthetically or de-identify through a documented, repeatable pipeline whose output is reviewed.
- Documented mitigation. A named mitigation per trap. Catches the recurring violation where the team's first instinct is to copy real data into a debugging environment.
Apply
Apply the discipline by listing vendors, signing BAAs with everyone in the path, and auditing annually. The audit is the part that keeps creep from becoming a violation.
- List all SaaS vendors. Maintain a vendor inventory per org and tag each entry "in HIPAA path" or "out of scope"; that boundary is where the compliance conversation starts.
- Sign BAAs with everyone in the path. A signed BAA per vendor, with the upgrade tier paid where required. The upgrade is cheaper than the violation.
- Audit annually. A HIPAA scope review per year, on the security review checklist, so scope drift gets caught on a schedule rather than during an incident.
- BAA-status check. A quarterly scan for expiring BAAs and new vendors. Catches drift when vendors quietly let BAAs lapse or new tools enter the path without procurement noticing.
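The data-flow map and the vendor inventory only prevent drift if something checks one against the other. The script below is an added example, not code from this page or any vendor: it takes a tagged node graph (the "Data flow mapping" list) and a vendor inventory (the "Apply" list) and reports PHI reaching an out-of-scope node, PHI-handling vendors without a current BAA, unowned nodes, and BAAs due for renewal inside the quarterly window. All node names, vendor names and dates are constructed sample data, and the "covered" / "out-of-scope" tags are a hypothetical encoding of the page's scheme.

```python
"""Audit a PHI data-flow map against the vendor inventory (added example).

Constructed sample data: node names, vendor names and dates are hypothetical.
Tags follow the page's "covered by BAA" / "out of scope" scheme.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Vendor:
    name: str
    in_phi_path: bool                 # inventory tag from the vendor list
    baa_signed: bool = False
    baa_expires: date | None = None   # None when the BAA has no fixed term


@dataclass
class Node:
    name: str
    owner: str                        # responsible team; "" when nobody is named
    tag: str                          # "covered" or "out-of-scope"
    vendor: str | None = None         # None for self-hosted components


@dataclass
class Edge:
    src: str
    dst: str
    carries_phi: bool


@dataclass(frozen=True)
class Finding:
    severity: str                     # "high", "medium" or "low"
    subject: str                      # node or vendor name
    message: str


def phi_nodes(edges: list[Edge]) -> set[str]:
    """Every node that sends or receives PHI according to the map."""
    touched: set[str] = set()
    for e in edges:
        if e.carries_phi:
            touched.update((e.src, e.dst))
    return touched


def audit(nodes: list[Node], edges: list[Edge], vendors: list[Vendor],
          today: date, renewal_window_days: int = 90) -> list[Finding]:
    by_name = {n.name: n for n in nodes}
    vendor_by_name = {v.name: v for v in vendors}
    in_scope = phi_nodes(edges)
    findings: list[Finding] = []

    # Boundary check: an out-of-scope node must never receive PHI.
    for e in edges:
        if e.carries_phi and by_name[e.dst].tag == "out-of-scope":
            findings.append(Finding("high", e.dst, f"receives PHI from {e.src} but is tagged out-of-scope"))

    # Every vendor-backed node that sees PHI needs a current BAA and an owner.
    mapped_vendors: set[str] = set()
    for name in sorted(in_scope):
        node = by_name[name]
        if not node.owner:
            findings.append(Finding("low", name, "no owning team named"))
        if node.vendor is None:
            continue
        mapped_vendors.add(node.vendor)
        v = vendor_by_name.get(node.vendor)
        if v is None:
            findings.append(Finding("high", name, f"vendor {node.vendor} missing from inventory"))
            continue
        if not v.baa_signed:
            findings.append(Finding("high", name, f"handles PHI but {v.name} has no BAA"))
        elif v.baa_expires is not None and v.baa_expires < today:
            findings.append(Finding("high", name, f"BAA with {v.name} expired {v.baa_expires}"))
        if not v.in_phi_path:
            findings.append(Finding("medium", v.name, "inventory tag says out of PHI path, map says PHI"))

    # Quarterly scan: upcoming renewals, and in-path inventory entries not yet on the map.
    deadline = today + timedelta(days=renewal_window_days)
    for v in vendors:
        if v.baa_signed and v.baa_expires is not None and today <= v.baa_expires <= deadline:
            findings.append(Finding("medium", v.name, f"BAA renewal due by {v.baa_expires}"))
        if v.in_phi_path and not v.baa_signed and v.name not in mapped_vendors:
            findings.append(Finding("high", v.name, "tagged in PHI path but no BAA signed"))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample inventory and map (hypothetical vendors and dates).
TODAY = date(2024, 6, 1)
VENDORS = [
    Vendor("cloud-backup-co", in_phi_path=True, baa_signed=True, baa_expires=date(2025, 1, 15)),
    Vendor("dash-bi-co", in_phi_path=True, baa_signed=True, baa_expires=date(2024, 7, 10)),
    Vendor("log-saas-co", in_phi_path=False),      # standard tier, no BAA offered
    Vendor("ticket-saas-co", in_phi_path=True),    # tickets do carry PHI; upgrade never bought
]
NODES = [
    Node("app", owner="backend", tag="covered"),
    Node("db", owner="data-platform", tag="covered"),
    Node("backups", owner="data-platform", tag="covered", vendor="cloud-backup-co"),
    Node("bi", owner="analytics", tag="covered", vendor="dash-bi-co"),
    Node("logs", owner="", tag="out-of-scope", vendor="log-saas-co"),
    Node("support", owner="support-eng", tag="covered", vendor="ticket-saas-co"),
]
EDGES = [
    Edge("app", "db", carries_phi=True),
    Edge("db", "backups", carries_phi=True),
    Edge("db", "bi", carries_phi=True),
    Edge("app", "logs", carries_phi=True),        # request logs capture patient names
    Edge("app", "support", carries_phi=False),    # the map claims tickets hold case IDs only
]

if __name__ == "__main__":
    order = ("high", "medium", "low")
    for f in sorted(audit(NODES, EDGES, VENDORS, TODAY), key=lambda f: order.index(f.severity)):
        print(f"{f.severity:<6} {f.subject:<16} {f.message}")
```

On the sample data the run reports the logging trap twice (PHI crossing into an out-of-scope node, and a vendor with no BAA handling it), the ticketing vendor that the inventory says is in the PHI path but which never got its BAA, a stale inventory tag for the logging vendor, and the BI vendor's renewal falling inside the 90-day window. Feeding the same inputs from a source-controlled YAML or CSV export and running this in CI on every change to the map or the inventory turns the annual re-audit into a continuous one.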