Choosing HIPAA Compliant Software

Looking for HIPAA compliant software for your organization? There are many options to choose from when picking the perfect software to support your healthcare practice or service. We asked our expert team of software security engineers their top recommendations for determining whether a vendor’s software is HIPAA compliant.

If you have questions about a specific application or service, check out our linked articles to determine which software can be HIPAA compliant for your business.

If you still aren’t sure, keep reading to learn how to choose HIPAA compliant software for your business.

How to Choose HIPAA Compliant Software

For most healthcare providers and business associates, handling electronic PHI is a daily responsibility. For each process in your business, there is software built to facilitate the transport of associated data.

But how do you know whether or not the software you’ve chosen is HIPAA compliant?

Before trusting a business associate to handle your PHI, you must obtain “reasonable assurance” that the information they use will remain confidential or disclosed only as required by law.

What does “reasonable assurance” mean?

Well, it’s up to you to make that determination, but it should be based on the amount of risk you are willing to take on by partnering with your vendor. If the amount of risk you are willing to accept from your vendor is “none”, then be sure to turn over every appropriate stone.

Here are 3 factors that need to be considered when determining if software is HIPAA compliant.

Top Tips for Choosing HIPAA Compliant Software

HIPAA Compliant Software Checklist

We’ve provided a checklist of questions and some methods you can use to evaluate the security posture of your vendors and obtain “reasonable assurance” that they are compliant.

1) Will the vendor sign a business associate agreement?

An efficient way to determine if software is HIPAA compliant is by conducting a web search for “Software Name HIPAA”. If HIPAA is important to a software vendor, they will likely have a page on their website to field questions about HIPAA compliance.

While conducting your search you will most likely find 1 of 3 possible results:

Situation 1: The website has an entire page dedicated to HIPAA that states they are willing to sign a business associate agreement.

This is the best outcome you could hope for and means the software is OK for further consideration. It’s important that the software you choose meets technical requirements, but the software vendor must also be willing to sign a business associate agreement stating they are responsible for your PHI.

Situation 2: The website has an entire page dedicated to HIPAA, but does not proudly indicate they are HIPAA compliant or will sign a business associate agreement.

Most software services that can meet the needs of healthcare providers have already been asked whether they are HIPAA compliant and have an answer ready in anticipation of being asked again (and again). If there are no clear statements proclaiming HIPAA compliance and a willingness to sign a business associate agreement, then that software is most likely not a HIPAA compliant choice.

Rather than state their lack of HIPAA compliance plainly, some software companies obfuscate their stance on HIPAA in hopes of making a sale. When in doubt, send their support team a message and ask if they sign business associate agreements. If they will not sign, then cross them off the list.

Another option you have is to ask a potential business associate if they will share their risk assessment. Organizations that have not conducted a risk assessment will be found willfully negligent if they breach PHI you are stewarding, and subsequent HHS investigations may determine that you are negligent as well.

Situation 3: The website for the software does not mention HIPAA at all.

If you’ve searched the official website for the software you’re considering but see no mention of HIPAA compliance or how PHI is managed, then the vendor is probably not accustomed to emphasizing HIPAA requirements or signing business associate agreements. It’s possible that their HIPAA page is buried or was accidentally removed, so if the software is otherwise a perfect fit for your business needs, it may be worth sending an email to their support team to ask.

2) Does the vendor take HIPAA compliance seriously?

If you have a reason to believe the software vendor you are considering is willing to sign a business associate agreement, the next thing you should consider is whether they take the responsibility of handling PHI seriously. Use the vendor’s website to learn all you can about what security controls they have in place.

Is ePHI within their system encrypted in transit and at rest? Do they have policy and procedure documentation?

Do they conduct periodic risk assessments?

By signing a business associate agreement with a software vendor, you are indicating that you have considered their internal HIPAA compliance activities and believe they meet all requirements.

Ultimately you are responsible for how your patient data is handled, and thoroughly vetting your vendors for compliance is a wise choice. If there is any question about their compliance activities, send their team a message and ask for more details. If you find the vendor will put your PHI at risk, their software is not a viable choice.

3) Does the software empower you to achieve compliance?

Good HIPAA compliant software should handle your data securely, but should also enable you to meet the HIPAA requirements outlined in your own policy and procedure documentation.

Does the software require authentication to access it and does it provide role-based access?

Does the software generate accessible logs you can use to periodically monitor user activity?

These features are required by HIPAA and empower you to spot potential data breaches as they occur, or investigate what happened if a breach does occur.
Software vendors that can confidently answer yes to the questions above are worth serious consideration when it comes to choosing HIPAA compliant software. Identifying the right software to manage ePHI is not difficult once you are aware of our HIPAA compliant software checklist:

  • Will the vendor sign a business associate agreement?
  • Can the vendor provide some evidence they are truly HIPAA compliant, or are they just paying lip service to their HIPAA responsibilities?
  • Once you have the software up and running, does it adequately support your own HIPAA compliance initiatives?

By asking the right questions to obtain reasonable assurance, you can make the right decisions when choosing who to trust as a business associate.

Meeting HIPAA requirements can be a complicated endeavor.

Is this all sounding like a hefty workload? Gazelle Consulting can make implementing the minimum necessary standard feel like a delightful bound through a grassy Savannah. Give us a call at (503) 389-5666 or email us at (no lions please).