5 HIPAA Compliance Questions Every IT Vendor Must Answer


The digital transformation within the healthcare industry has led to a dramatic increase in the demand for IT vendors in this field.

This means more business for you, and more potential to profit from the revenue you receive from these companies by selling your software and other related products.

When working with a healthcare organization, or within the industry as a whole, however, you need to be mindful of the legislation that has been put in place to protect the service users of these establishments.

HIPAA is a big one for healthcare organizations, as it aims to make sure patients’ data remains secure and confidential.

As an IT vendor, this means your software needs to have measures in place to keep this information secure, and you should be ready to explain how you are HIPAA compliant.

To help you feel prepared, here are a few of the questions you should be ready to answer as an IT vendor when it comes to HIPAA compliance.

What security measures do you have in place?

Whether you are an IT vendor selling products or software, you need to make sure you have appropriate security measures in place to protect healthcare organizations and the people who use your products.

This is related to HIPAA because security is one of the main parts of these regulations, helping to keep patients’ information secure and giving them trust in their healthcare organization.

Often, organizations will ask this question to get an idea of what measures you have put in place, so that they can repeat these to the executives and any other relevant professionals within their company.

It’s also a good way of determining whether your security measures are enough, or the right ones, for what they need.

After all, you know better than anyone that every IT vendor has its own way of keeping data secure, so it’s important that you are ready to talk about how you do it.

When it comes to security measures, some things you might want to consider discussing include:

• Antivirus systems
• Intrusion-detection systems
• General network tools
• Port scanners
• Vulnerability scanners

How is secure data backed up?

Healthcare organizations are often dealing with the records of hundreds—if not thousands—of patients at any one time, meaning they need secure backups of this information at all times in case something happens to the original files.

With this question, you need to be prepared to tell them what software or tools you use to make sure these backups exist, should they ever need to restore from them.

You might have separate databases and web servers where these backups are stored, or cloud storage that can only be accessed by people within the organization.

If you have the ability to store copies of information off-site, then you may also want to mention this.

Do you regularly update your software and/or products?

Something the healthcare industry knows better than most is just how quickly technology moves on.

It can be tempting to forget about your software once it becomes old and you have moved on to new projects, but healthcare organizations often don’t have the ability to upgrade.

When asked this question, what people really want to know is whether you will keep updating their software and/or products to maintain the same level of security years down the line.

If you don’t, be honest about it, but be aware that this could lose you customers, as people want to know there is no chance of their organization becoming vulnerable to data breaches down the line.

Are you HITRUST certified?

If you’re working with a healthcare organization that handles protected healthcare information, you need to be HITRUST certified.

HITRUST stands for Health Information Trust Alliance, and brings together multiple vague pieces of legislation—including HIPAA—to make regulations that are easy to follow and understand.

The regulations that you must follow to be HITRUST compliant are included within the Common Security Framework, which is a gold-standard framework in the US and the most well-regarded one in the healthcare industry.

Just because you are compliant with these regulations, however, doesn’t mean you can start saying that you are certified.

The certification process takes between three and four months, during which time your software and/or products will be assessed to make sure they definitely comply with HITRUST standards.

You will then be given certified status, with renewals of this taking place every year to make sure that you continue to use the latest technology and security tools on the market.

If you aren’t sure whether you need to be HIPAA compliant for the organizations you are working with, the rule of thumb is that this applies to any organization within the healthcare industry.

If you become HITRUST certified, you can benefit in many ways, including an increase in business from healthcare organizations that are more likely to trust you and the security software and/or products you have on offer.

Are your employees trained well enough to troubleshoot and answer questions?

As an IT vendor, you will be dealing with many organizations whose staff don’t have the same knowledge about technology as your employees do.

Obviously your staff will be trained in using the technology itself, but are they trained well enough to use that technology in a HIPAA-compliant way?

To answer yes to this question, you need to make sure that your staff know about a range of specific security areas, which include:

• Physical security
• Logical security
• Risk response and reporting
• Passwords and workstation use
• Data protection

If your staff are not trained in these areas, you could be putting patient data at risk through ignorance or negligence.

Making sure that staff know enough about these subjects to answer questions on them is also helpful, and can help to build trusting relationships with the organizations you work for.


While HIPAA compliance-related questions can seem difficult to answer, you can probably tell that they rely on knowledge you will already have about your company as an IT vendor.

All you need to do is make sure that you are prepared and know the laws and regulations surrounding security in healthcare technology.

This will allow you to provide valuable answers to the organizations you work with, which will build relationships and could lead to more custom in the future.
