A customer asked, "Are you HIPAA compliant?"

Be honest: explain your controls and BAAs — never promise a checkbox no one can guarantee.

  1. Clarify what they mean

    Ask whether they mean you will sign a BAA, support their audit, or meet specific security standards. Vague questions get vague answers.

  2. Describe how you protect health data

    Encryption, access controls, logging, backups, and subprocessors are concrete. Avoid marketing fluff.

  3. Offer a BAA if you handle PHI

    If their data includes patient information, offer your standard BAA and security documentation.

  4. Point to independent review if available

    SOC 2, HITRUST, or penetration test summaries help — but they do not replace the customer's own risk assessment.

Important

HIPAA compliance is shared: your customer must configure your product correctly and train their staff — you cannot "HIPAA certify" them.

Not legal advice. Follow your organization's policies and consult counsel for legal questions.