A vendor is asking us to send them patient information

Only share what they need, with a BAA in place, and through a secure method.

  1. Confirm you have a signed BAA

    Do not send patient data to a vendor until a Business Associate Agreement is signed. If they refuse, escalate to your privacy officer.

  2. Share the minimum necessary

    Send only the specific information they need for the task — not full charts unless truly required.

  3. Use secure transmission

    Prefer encrypted upload portals or secure fax over unencrypted email. If you must use email, confirm encryption policies with the vendor.

  4. Document the disclosure

    Keep a record of what was sent, to whom, and why. Your privacy officer may need this for audits.

Important

When in doubt, ask your privacy officer before releasing any patient information outside the practice.

Not legal advice. Follow your organization's policies and consult counsel for legal questions.