"HIPAA compliant." "HIPAA certified." "HIPAA secure." "Built for HIPAA."
These phrases appear in the marketing of nearly every healthcare software vendor. Most of them are technically meaningless. Understanding what they actually mean — and don't mean — protects your practice from compliance risk and vendor confusion alike.
- "HIPAA certified" doesn't exist — there is no government certification for HIPAA compliance
- What actually matters: BAAs, technical safeguards, and documented operational controls
- The phrases that indicate genuine compliance readiness vs. marketing language are specific and verifiable
- Your own practice's marketing should describe what you do, not claim certifications that don't exist
The HIPAA Marketing Language Problem
HIPAA's regulatory framework doesn't include a product or vendor certification process. The Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), enforces HIPAA but doesn't certify software or vendors. Third-party auditors can assess a vendor's controls against HIPAA requirements, but there is no official "HIPAA certification" stamp, and no audit report changes the vendor's legal obligations under the Privacy, Security, and Breach Notification Rules.
Despite this, "HIPAA certified" appears in vendor marketing everywhere. When you see it, it means one of three things:
- The vendor doesn't understand HIPAA (concerning)
- The vendor is using the phrase loosely to mean "we take security seriously" (misleading but common)
- The vendor has completed a third-party audit process, such as a SOC 2 Type II or HITRUST assessment (valuable, but not the same as government certification, and only as good as the scope of what was audited)
None of these are the same as the safeguards and BAAs that actually protect your practice.
Common HIPAA Marketing Claims: Decoded
The Phrases That Actually Indicate Readiness
When evaluating vendors, these specific claims are meaningful:
- "We will sign a BAA" — Non-negotiable; any vendor that creates, receives, maintains, or transmits PHI on your behalf is a business associate and must sign one before it touches PHI. A vendor that "supports HIPAA" but won't sign is not one you can lawfully share PHI with.
- "We use AWS HIPAA-eligible services" (or Azure, GCP equivalents) — Specifies the infrastructure layer. This means the cloud provider will sign a BAA covering those services; it does not mean the vendor's product is compliant. Ask whether the vendor has executed that BAA with the provider and whether PHI is confined to the eligible services.
- "We have zero-retention policies with our AI subprocessors" — Critical for voice AI specifically. Ask that it be written into the contract, not just described as policy, and that it cover audio, transcripts, and prompts, including any use for model training.
- "We have immutable audit logs retained for 7 years" — Indicates genuine compliance architecture. HIPAA itself requires Security Rule documentation to be retained for 6 years (45 CFR 164.316); vendors often choose 7 to satisfy stricter state requirements. Ask how immutability is enforced and who can access the logs.
- "We can provide a SOC 2 Type II report" — Third-party validated security controls operating over a period of time. SOC 2 is not HIPAA-specific, so check that the report's scope covers the product you are buying and read the exceptions section, not just the opinion letter.
- "We have executed BAAs with all subprocessors" — Covers the full chain, not just the primary vendor. A vendor that can't name its subprocessors on request can't credibly claim this.
What Your Practice Should and Shouldn't Say
The same HIPAA language problem affects how healthcare practices market themselves. Some common errors:
Don't say: "We are HIPAA certified" (not a real thing)
Do say: "We maintain strict HIPAA compliance through documented safeguards and a rigorous vendor vetting process"
Don't say: "Your information is completely safe with us"
Do say: "We use industry-standard encryption and access controls to protect your personal health information"
Don't say: "We never share your information" (you do — with your EHR vendor, billing service, and other business associates, and HIPAA permits routine disclosures for treatment, payment, and health care operations)
Do say: "We only share your information with vendors who have signed HIPAA Business Associate Agreements and who maintain appropriate security controls"
Don't say: "Our AI is HIPAA compliant" (your AI vendor must also be — it's a chain)
Do say: "Our AI voice assistant is provided by a vendor with an executed HIPAA BAA, zero-retention AI policies, and documented technical safeguards"
A Quick Reference for Your Vendor Evaluation
The 3 non-negotiables for any healthcare vendor handling PHI:
- Signed BAA — If they won't sign one, stop the conversation. Have the BAA executed before any PHI is exchanged, including during a pilot or demo.
- Technical safeguards documentation — Encryption of PHI in transit and at rest, unique user accounts with role-based access controls, and audit logging of access to PHI. Ask for the written description, not a verbal assurance.
- Breach notification commitment — Explicit timeline and process for notifying you in the event of an incident. The Breach Notification Rule gives a business associate up to 60 days after discovery (45 CFR 164.410), which is the regulatory ceiling, not a target; negotiate a much shorter contractual window in the BAA so you can meet your own notification deadlines.
Everything else is context — important, but secondary to these three.