Half the software you will see this year claims to be “HIPAA-compliant.” The phrase is doing a lot of work. HIPAA is not a checkbox a vendor stamps on a marketing page — it is a framework of administrative, physical, and technical safeguards that the practice (the Covered Entity) is responsible for, with the vendor (the Business Associate) responsible for the slice it touches.
If you are picking an intake tool, here is what actually matters.
What “HIPAA-compliant” should mean
A vendor that handles Protected Health Information (PHI) is a Business Associate. To handle PHI legally, that vendor must sign a Business Associate Agreement (BAA) with you. No BAA, no PHI — even if the vendor is technically capable.
A BAA is a contract. It defines what the vendor will and will not do with PHI, what happens if there is a breach, and what audit and notification rights you have. Marketing claims of “HIPAA-compliant” without an executed BAA are meaningless. If you cannot get the BAA before signing the service agreement, walk away.
The five controls that actually matter
1. Encryption in transit and at rest. PHI moving between the patient and the vendor must use TLS 1.2 or higher. PHI stored at the vendor must be encrypted at rest with AES-256 or equivalent. This is table stakes; if a vendor cannot answer this question in one sentence, that is a red flag.
2. Access controls with audit logs. Who at the vendor can see PHI? Under what circumstances? Is every access logged with user, timestamp, and reason? If you ask for an access log for a specific patient and the vendor cannot produce one, they are not as compliant as they claim.
3. No PHI in third-party AI training. This one is fresh and load-bearing in 2026. Many “AI-powered” tools route patient text and voice through general-purpose LLM APIs that retain data for model training by default. Ask explicitly: Is any PHI ever sent to a third-party LLM provider? If yes, are training and retention disabled via the provider’s BAA-equivalent enterprise tier? If the answer is hand-wavy, the answer is no.
4. Breach notification protocols. A real BAA specifies the breach-notification timeline (typically 60 days to the Covered Entity, who then has 60 days to notify HHS for breaches affecting 500+ individuals). The vendor should be able to walk you through their incident response plan without thinking about it.
5. Patient consent and minimum necessary. PHI collection should be limited to what is actually needed for the service. An intake tool that asks for a patient’s mother’s maiden name “just in case” is creating risk for you, not value.
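As an added illustration, not code from the original article or from PatientCopilot, here is what controls 2 and 5 look like in a small Python module: an access log that refuses incomplete entries and can be produced per patient, and a minimum-necessary filter for intake forms. The field list, user names and patient ids are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Fields the intake service actually needs (constructed example; a real
# practice derives this list from the service it provides).
MINIMUM_NECESSARY_FIELDS = {"name", "dob", "phone", "insurance_id", "reason_for_visit"}


@dataclass(frozen=True)
class AccessEvent:
    user: str        # an individual login, never a shared front-desk account
    patient_id: str
    purpose: str     # why the PHI was viewed, e.g. "scheduling"
    timestamp: str   # UTC, ISO-8601


class PhiAccessLog:
    """Append-only record of who viewed which patient's PHI, when and why."""

    def __init__(self):
        self._events = []

    def record(self, user, patient_id, purpose, when=None):
        # An entry missing the user or the reason cannot answer an auditor's
        # question, so it is rejected rather than silently logged.
        if not user or not patient_id or not purpose:
            raise ValueError("access event requires user, patient_id and purpose")
        when = when or datetime.now(timezone.utc)
        self._events.append(AccessEvent(user, patient_id, purpose, when.isoformat()))

    def for_patient(self, patient_id):
        """The access log for one patient, oldest first: what a vendor
        should be able to hand you on request."""
        return [e for e in self._events if e.patient_id == patient_id]

    def users_who_viewed(self, patient_id):
        """Distinct individuals who accessed this patient's PHI."""
        return sorted({e.user for e in self.for_patient(patient_id)})


def minimum_necessary(form):
    """Keep only the submitted fields the service needs; everything else
    (e.g. a mother's maiden name collected 'just in case') is dropped."""
    return {k: v for k, v in form.items() if k in MINIMUM_NECESSARY_FIELDS}
```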
Where most practices get exposed
Three patterns we see over and over:
- Email-based intake. Sending intake PDFs over standard email is not HIPAA-compliant. The fix is a portal or a secure intake link, not “we trust our patients to use Gmail responsibly.”
- Shared front-desk logins. Three staff sharing one EHR login destroys your audit trail. Auditors love this one. Individual logins, immediately.
- Vendor sprawl without BAAs. Practices accumulate tools — appointment reminders, review collection, marketing platforms — and forget that any tool that touches a patient phone number or email is processing PHI-adjacent data. Audit your vendor list annually and confirm BAAs on file for each.
What to ask any intake vendor before signing
- Will you sign a BAA before we go live? (Required answer: yes.)
- Where is data stored, and is it encrypted at rest with a documented key management process?
- If your product uses AI, is PHI ever sent to a third-party model provider, and if so under what terms?
- Can you produce an access log for a specific patient if I request one?
- What is your breach notification timeline and process?
If the vendor answers all five cleanly and the BAA is on the table, you are dealing with a serious vendor. If three out of five answers are “let me check with our compliance team and get back to you,” that is your answer.
How PatientCopilot handles this
PatientCopilot signs a BAA with every paid customer. PHI is encrypted in transit (TLS 1.3) and at rest (AES-256). AI message handling uses BAA-covered enterprise model providers with training and retention disabled. Access logs are queryable per patient. Breach notification is 60 days or sooner.
We are not going to claim this makes your practice HIPAA-compliant — only your practice can do that, by combining your vendors, policies, and training into a coherent program. What we will claim is that we hold up our end of the BAA, and we will not hide behind marketing language when you ask the hard questions.