What to ask a dental RCM or PMS vendor about HIPAA

Before you hand a vendor your patients’ PHI, these are the questions that separate real safeguards from a “HIPAA compliant” line on a slide.

By ClaimZen · Updated July 2026 · ~7 min read

When you sign up a billing service, a practice-management system, a clearinghouse, or an AI scheduling tool, you are choosing a business associate — a company that will create, receive, store, or transmit your patients’ protected health information (PHI). The sales deck will say “HIPAA compliant.” That phrase, by itself, means almost nothing: there is no HIPAA certification to earn (see our note in HIPAA compliance by design). Here is what to actually ask — and what a good answer sounds like.

1. The BAA — non-negotiable, ask first

“Will you sign a Business Associate Agreement before we share any PHI?” If the answer is anything but a clear yes, stop there. Then read it: does it flow obligations down to their subcontractors, set a breach-notification timeline, and require your data to be returned or destroyed when you leave? A BAA is a legal prerequisite, not a formality — more in our BAA guide.

2. Where does our data live, and who can touch it?

Ask which subprocessors they use (each needs its own BAA), where the data is hosted, whether any access is offshore, and how employee access is limited to least-privilege. “Everyone on support can see everything” is a red flag.

3. How is PHI protected at rest and in transit?

You want encryption in transit (TLS) and at rest as table stakes, plus a sensible answer on key management. Vague answers here usually mean the controls are vague too.

4. Prove the audit trail

“For any given record, can you show me a complete history of who did what and when — and could an administrator alter that log?” Most systems can produce a log; few can prove it wasn’t edited. A tamper-evident trail is the strong answer (we go deep on this in audit trails & tamper-evidence).

5. What does your AI do with our PHI?

If the tool uses AI, ask three things: Do you train on our data? Can the model take actions or make decisions on its own? Can we audit what it saw and proposed? “The AI drafts, a human approves, and every step is logged” is good; “the AI just handles it” is not (see AI and PHI).

6. Breach history and response

Ask whether they’ve had a reportable breach, what their notification process and timeline are, and whether they carry cyber-liability insurance. You want a specific, rehearsed answer — not a pause.

7. Certifications — what does the badge mean?

SOC 2 Type II and HITRUST are real, useful third-party assessments. “HIPAA certified” is not a real credential. Ask what any badge actually covers, and when it was last assessed.

8. Getting your data back

“If we leave, how do we get our data, in what format, and can we verify it’s complete?” Exit terms reveal how a vendor really thinks about your ownership of the record.

AskWhy it mattersA good answer sounds like
Will you sign a BAA?Legally required before sharing PHI.“Yes, here it is” — with subcontractor flow-down and breach terms.
Who can access our data?Minimum-necessary / access control.Role-based, least-privilege, logged, no blanket offshore access.
Can the audit log be altered?Integrity & audit controls (§164.312).Append-only and cryptographically verifiable — provable, not asserted.
What does the AI do with PHI?Autonomy & training are the risk.Propose-only, human-approved, auditable, no training on your data.
Breach process?Breach Notification Rule.A specific timeline, a named contact, and insurance.
ClaimZen is built to answer this list without hedging: a signed BAA, a hash-chained audit trail an administrator can’t rewrite, an AI that only proposes, per-practice tenant isolation, and case evidence you can verify offline. See how the architecture does it.

Frequently asked questions

Is “HIPAA compliant” a meaningful claim from a vendor?

On its own, no — there’s no official HIPAA certification, so it’s a self-assertion. What matters is a signed BAA, real safeguards, and the ability to prove them.

What’s the single most important question?

“Will you sign a BAA before we share PHI?” A no makes everything else moot.

Should a vendor have SOC 2 or HITRUST?

They’re a good signal (SOC 2 Type II especially), but they don’t replace a BAA and aren’t the same as being “HIPAA certified.” Ask what the report covers and its date.

Sources

  1. HHS, Business Associate Contracts, 45 CFR §164.502(e) and §164.308(b).
  2. HHS, HIPAA Security Rule technical safeguards, 45 CFR §164.312.
  3. HHS Office for Civil Rights: HHS does not certify HIPAA compliance.
  4. HHS, Breach Notification Rule, 45 CFR §§164.400–414.
  5. ClaimZen, HIPAA compliance by design and system architecture.

General information, not legal or compliance advice. HIPAA obligations depend on your organization, your data, and your contracts — consult your privacy/security officer and counsel.

A vendor built to pass this checklist.

ClaimZen answers every question below by design — a signed BAA, a tamper-evident audit trail, a contained AI, and evidence you can verify yourself.

Get early access