What to Ask Your IT Provider About HIPAA (Before It's Too Late)
Ask your IT provider these essential HIPAA questions: Will you sign a Business Associate Agreement? How do you encrypt data at rest and in transit? What is your incident response plan and breach notification timeline? Do you enforce multi-factor authentication on all systems? How do you handle audit logging and access monitoring? If your provider cannot answer these questions confidently and specifically, they may not have the specialized knowledge needed to keep your practice compliant with HIPAA requirements — and the regulatory changes coming in 2026 will make that gap even more dangerous.
Here is the reality that keeps practice managers up at night: you are trusting someone else with the security of your patients' most sensitive information, and you may not know whether that trust is justified. Most small healthcare practices in Volusia County — from Daytona Beach medical offices to Ormond Beach dental clinics to DeLand family practices — hire an IT provider, sign a contract, and assume everything is handled. The HIPAA box gets checked on the mental to-do list and everyone moves on.
Then a breach happens. Or an OCR audit letter arrives. And suddenly everyone discovers that the IT provider who said "we handle HIPAA" actually meant "we have antivirus software." Those are not the same thing. Not even close.
This guide gives you 15 specific questions to ask your IT provider, organized by category, with a scoring system that tells you exactly where your gaps are. We also include a free Python scoring tool and printable checklist you can use during your next vendor review. These are not softball questions. These are the questions that separate IT providers who understand healthcare compliance from ones who are winging it.
Table of Contents
- Why Most Practices Discover HIPAA Gaps Too Late
- The 15 Questions Your IT Provider Should Answer
- Category 1: Legal and Contractual
- Category 2: Technical Controls
- Category 3: Monitoring and Response
- Category 4: Compliance and Training
- Category 5: Vendor and Integration
- How to Score Your IT Provider's Responses
- Red Flags That Mean You Should Switch Providers
- The 2026 HIPAA Security Rule Changes You Need to Know
- What the Custom-Built Version Looks Like
- Frequently Asked Questions
- Does my IT provider need a BAA for HIPAA compliance?
- What certifications should a HIPAA-compliant IT provider have?
- How often should my IT provider perform HIPAA risk assessments?
- What are red flags that my IT provider is not HIPAA compliant?
- What changes to the HIPAA Security Rule should I prepare for in 2026?
Why Most Practices Discover HIPAA Gaps Too Late
HIPAA civil penalties are tiered by culpability: the statutory base amounts run from $100 to $50,000 per violation, with an annual cap of $1.5 million per violation category, and willful neglect that goes uncorrected sits in the top tier. Those base figures are adjusted upward for inflation each year, so current amounts are higher. Those numbers are not theoretical; the HHS Office for Civil Rights (OCR) enforces them.
But here is what most practice owners miss: you are liable even when your IT provider is the one who dropped the ball. HIPAA makes the covered entity, that is you, the practice, responsible for protecting patient data. Your IT provider is a Business Associate; since the HITECH Act, business associates are directly liable for their own violations, and a BAA spells out their obligations, but neither transfers your obligations to them. If your provider has a breach because they did not encrypt their backups, you are in the room with the OCR investigator explaining how you vetted a provider without proper security controls.
This is why the questions matter. They are not busywork. They are the due diligence that proves you took reasonable steps to protect patient data. Document the answers. Keep them in your compliance binder. When — not if — someone asks how you evaluated your IT vendor, you can point to a systematic assessment with scores and findings.
The urgency is real in 2026. The Department of Health and Human Services has proposed significant updates to the HIPAA Security Rule (the notice of proposed rulemaking was published in January 2025), with a final rule expected in May 2026. The proposal would eliminate the distinction between "addressable" and "required" safeguards. Controls that could previously be met with a documented alternative would become flat requirements: penetration testing every 12 months, MFA on systems that touch electronic PHI, and encryption of ePHI at rest and in transit with only narrow exceptions. If your IT provider is not preparing you for these changes right now, they are already behind.
For practices across Volusia County, this matters especially because the local IT landscape is a mix of excellent healthcare-specialized providers and generalists who serve everyone from law firms to auto dealerships. A generalist can keep your WiFi running and your email working, but HIPAA compliance requires specialized knowledge that generalists typically do not have. The questions below will help you figure out which category your provider falls into.
The 15 Questions Your IT Provider Should Answer
We have organized these into five categories. The critical questions — marked with [CRITICAL] — are non-negotiable. If your provider fails any critical question, you have a compliance gap that needs immediate attention.
Category 1: Legal and Contractual
Question 1 [CRITICAL]: Will you sign a Business Associate Agreement?
This is the most important question on the list. A BAA is not optional; it is legally required under HIPAA for any entity that creates, receives, maintains, or transmits protected health information on your behalf. If your IT provider has access to any system that contains PHI, including your EHR, your email, your backups, and your network, they need a BAA, even if they say they never look at the data; administrative access is access. No exceptions. No "we will get to it later." The BAA also obligates the provider to put the same terms in place with any subcontractor that touches your PHI, such as their backup or cloud vendor, so ask who those subcontractors are. If they hesitate or say they have never signed one before, that tells you everything you need to know about their HIPAA experience.
Question 2: Can you provide proof of SOC 2 Type II, HITRUST CSF, or ISO 27001 certification?
Certifications are not required by HIPAA, but they show that an independent auditor has examined the provider's controls. SOC 2 Type II is the most useful of the three because it covers how controls operated over a period of months, not a single snapshot (strictly, SOC 2 is an attestation report rather than a certification; HITRUST CSF and ISO 27001 are certifications). Ask to see the report, not just the logo, and check that its scope actually includes the services you buy. If your provider has none of these, ask what framework they follow internally. "We just do good security" is not a framework.
Question 3: Do you carry cyber liability insurance that covers HIPAA breaches?
Insurance does not prevent breaches, but it shows the provider takes breach risk seriously enough to insure against it. If a breach occurs and your provider cannot cover the damages, guess who pays? You. Ask for the coverage amount and verify it covers healthcare data specifically, including regulatory fines and patient notification costs, not just generic cyber incidents. Their policy does not replace your own.
Category 2: Technical Controls
Question 4 [CRITICAL]: How do you encrypt data at rest and in transit?
You want specific answers here. "We use encryption" is not enough. You need to hear "AES-256 for data at rest" and "TLS 1.2 or higher for data in transit," and then two follow-ups: who holds the keys (the provider, the cloud platform, or you), and is full-disk encryption enforced on every laptop and tablet, not just the server. The follow-ups matter because HIPAA's breach-notification safe harbor only applies to PHI that was encrypted in line with NIST guidance and whose key was not also compromised; a lost laptop with an encrypted disk is an incident, a lost laptop without one is a reportable breach. On a laptop the check is one command: manage-bde -status on Windows, fdesetup status on macOS. If they cannot name the algorithms and protocols, they may not actually have encryption properly configured. This applies to everything: your email, your file storage, your backups, your EHR database. As we covered in our guide to HIPAA-compliant email, encryption misconfigurations are one of the most common compliance gaps in healthcare practices.
Question 5 [CRITICAL]: Do you enforce multi-factor authentication on all systems?
MFA is the single most effective security control against credential compromise. Under the proposed 2026 HIPAA Security Rule updates, MFA would be required on systems that access electronic PHI, not just recommended. Your provider should already be enforcing it on email, VPN connections, administrative panels, and any remote access tool. Ask which factor: SMS codes are the weakest, app push prompts can be phished or "fatigued" into approval, and FIDO2 security keys or passkeys resist phishing. Ask too whether legacy authentication protocols such as basic-auth IMAP and POP are disabled, because those bypass MFA entirely. If they say "we recommend MFA but it is up to the practice," that is a red flag. A HIPAA-competent provider does not make critical security controls optional.
Question 6: What are your patching SLAs for critical security updates?
Unpatched, internet-facing systems are among the most common initial access vectors in healthcare breaches. Ask for specific timelines: critical patches should be applied within 72 hours of release, and routine patches within 30 days. Then ask for evidence, not a promise: the last critical patch, the date it was released, and a per-host report showing when it landed on each of your machines. Pay attention to hosts that are missing from the report, because a machine that never checks in is the one that stays unpatched. If they cannot produce that report, their patching process is not documented, which means it is not reliable.
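As an added example (not code from the original page or from any vendor's patch tooling), here is the kind of check that turns a patch-management export into an answer to this question. It assumes the export has been flattened into one record per patch with a per-host install timestamp, and it treats a host with no install record as non-compliant rather than "pending". The patch name, hostnames and dates are constructed for illustration.

```python
from datetime import datetime

# Patch SLA thresholds in hours, matching the targets in the question above.
SLA_HOURS = {"critical": 72, "routine": 30 * 24}

# Constructed sample of a flattened patch-management export: one patch, its
# release time, and when each host reported it installed (None = not yet).
# Patch name, hostnames and dates are made up for this example.
DEPLOYMENTS = [
    {
        "patch": "EXAMPLE-PATCH-2026-02",
        "severity": "critical",
        "released": "2026-02-10T18:00:00",
        "hosts": {
            "FRONTDESK-01": "2026-02-11T02:10:00",
            "EXAM-02": "2026-02-12T09:30:00",
            "BILLING-01": "2026-02-15T11:00:00",
            "SERVER-EHR": None,
        },
    },
]


def hours_between(start, end):
    """Elapsed hours between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def sla_report(deployments, now):
    """Per patch: hosts that met the SLA, hosts that were late, hosts still open.

    `now` (ISO-8601) ages hosts that have not installed the patch at all;
    they count against compliance, not as 'pending'."""
    report = []
    for d in deployments:
        limit = SLA_HOURS[d["severity"]]
        late, missing = [], []
        for host, installed in d["hosts"].items():
            if installed is None:
                missing.append((host, round(hours_between(d["released"], now), 1)))
                continue
            elapsed = hours_between(d["released"], installed)
            if elapsed > limit:
                late.append((host, round(elapsed - limit, 1)))
        total = len(d["hosts"])
        compliant = total - len(late) - len(missing)
        report.append({
            "patch": d["patch"],
            "severity": d["severity"],
            "sla_hours": limit,
            "compliant": compliant,
            "total": total,
            "pct": round(100 * compliant / total, 1) if total else 0.0,
            "late_by_hours": sorted(late, key=lambda x: -x[1]),
            "unpatched_hours_since_release": sorted(missing, key=lambda x: -x[1]),
        })
    return report


if __name__ == "__main__":
    for r in sla_report(DEPLOYMENTS, now="2026-02-20T09:00:00"):
        print(f"{r['patch']} ({r['severity']}, SLA {r['sla_hours']}h): "
              f"{r['compliant']}/{r['total']} hosts compliant ({r['pct']}%)")
        for host, over in r["late_by_hours"]:
            print(f"  LATE      {host}: {over}h past SLA")
        for host, age in r["unpatched_hours_since_release"]:
            print(f"  UNPATCHED {host}: {age}h since release")
```

Run it as-is to see the sample report. The line to press a provider on is the last one: a host with no install record is an unpatched machine, and a report that silently omits hosts that never checked in hides exactly the ones you should worry about.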
Question 7: How do you handle endpoint protection and device management?
Modern endpoint protection goes beyond antivirus. You should hear terms like "EDR" (Endpoint Detection and Response), "MDM" (Mobile Device Management), "full-disk encryption," and "remote wipe capability." Every device that connects to your network and touches patient data needs to be inventoried, managed, monitored, and capable of being wiped if it is lost or stolen. This includes the tablet your medical assistant uses in exam rooms and the laptop your billing coordinator takes home. Ask to see the device inventory; a device the provider does not know about is one they are not protecting.
Question 8 [CRITICAL]: How do you manage backups and disaster recovery?
Backups are your last line of defense against ransomware, hardware failure, and human error. You need encrypted offsite backups; "encrypted" and "offsite" are both non-negotiable. Ask whether at least one copy is offline or immutable, because ransomware operators routinely delete or encrypt any backup reachable with the administrator credentials they stole before they detonate. Ask when they last tested a full restore and how long it took. If the answer is "we have not" or "I am not sure," your backups might not work when you need them most, and the proposed 2026 rule would require restoring critical systems within 72 hours, so restore time is a number you need to know. Hurricane season in Central Florida is not an abstract risk. A practice in Daytona Beach that loses its server to a power surge and cannot restore from backup is looking at days of downtime, lost revenue, and potential HIPAA violations from destroyed audit logs.
Category 3: Monitoring and Response
Question 9 [CRITICAL]: What is your incident response plan and breach notification timeline?
Ask them to walk you through their incident response steps: containment, evidence preservation and forensics, communication, notification. The Breach Notification Rule gives you up to 60 calendar days from discovery to notify affected individuals (and HHS, plus the media for breaches affecting more than 500 people), and it gives a business associate up to 60 days to notify you. That outer limit is far too slow for a practical response: your BAA should require the provider to notify you within hours of a suspected incident, and the proposed 2026 rule would require business associates to notify you within 24 hours of activating their contingency plan. A documented, tested plan is the difference between a managed incident and a catastrophe. Ask if they have ever executed the plan in a real scenario. If they have, they will have learned from it. If they have not, you want to know that they at least run tabletop exercises.
Question 10: How do you capture and retain audit logs?
The Security Rule sets no explicit retention period for audit logs; the six-year figure comes from its documentation retention requirement and is the conservative interpretation most practices adopt. Your provider should have centralized logging that captures who accessed what, when, and from where, and that must include the EHR's own application-level access log, not just Windows and firewall logs, because "who opened this patient's chart" is the question an investigator will ask. Clocks on every source should be synchronized so events can be correlated. Ask where logs are stored: they should be in tamper-evident storage, separate from the systems they monitor, so that an attacker who compromises your server cannot also edit or delete the evidence. If they can, you have no forensic basis for an investigation.
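To make "tamper-evident" concrete, here is an added example (not code from the page or from any logging product) of a hash-chained audit log: each line carries the hash of the previous line plus its own contents, so editing, removing or reordering an entry breaks the chain. The events are constructed, not real patient data, and the out-of-band `anchor` stands in for whatever copy of the head hash lives somewhere the monitored server cannot write to.

```python
import hashlib
import json

# Constructed sample of the access events an EHR or file server should emit:
# who, what action, which record, when, from where. Not real patient data.
SAMPLE_EVENTS = [
    {"ts": "2026-03-02T08:14:05Z", "user": "jsmith", "action": "VIEW",
     "record": "MRN-0001", "src": "10.0.5.21"},
    {"ts": "2026-03-02T08:16:40Z", "user": "jsmith", "action": "UPDATE",
     "record": "MRN-0001", "src": "10.0.5.21"},
    {"ts": "2026-03-02T09:02:11Z", "user": "itadmin", "action": "EXPORT",
     "record": "MRN-*", "src": "203.0.113.7"},
]

GENESIS = "0" * 64  # the "previous hash" of the very first entry


def entry_hash(prev_hash, event):
    """SHA-256 over the previous hash plus the canonical JSON of this event.
    Canonical (sorted keys, no whitespace) so the same event always hashes the same."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}|{payload}".encode()).hexdigest()


def build_chain(events):
    """Append-only log where every line commits to everything before it."""
    chain, prev = [], GENESIS
    for ev in events:
        h = entry_hash(prev, ev)
        chain.append({"prev": prev, "event": dict(ev), "hash": h})
        prev = h
    return chain


def verify_chain(chain, anchor):
    """Recompute every hash from GENESIS and compare the head to `anchor`.

    `anchor` is the latest head hash as recorded somewhere the monitored
    server cannot write to (the log collector, a ticket, a printed report).
    Without that out-of-band copy, an attacker with write access to the log
    file could rebuild the whole chain after editing it.
    Returns (ok, reason)."""
    prev = GENESIS
    for i, line in enumerate(chain):
        if line["prev"] != prev:
            return False, f"entry {i}: prev pointer broken (entry removed or reordered)"
        if entry_hash(prev, line["event"]) != line["hash"]:
            return False, f"entry {i}: contents modified"
        prev = line["hash"]
    if prev != anchor:
        return False, "head hash does not match anchor (log truncated or appended to)"
    return True, "chain intact"


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    anchor = chain[-1]["hash"]            # store this copy somewhere else
    print(verify_chain(chain, anchor))    # (True, 'chain intact')
    chain[1]["event"]["user"] = "nobody"  # simulate an edit on the server
    print(verify_chain(chain, anchor))    # (False, 'entry 1: contents modified')
```

Commercial SIEMs and cloud logging services implement the same idea with signed or write-once storage; the detail to ask about is where the anchor lives. A chain whose only copy sits on the compromised server can be rebuilt by the attacker from scratch, which is why the last check in `verify_chain` compares against a hash held elsewhere.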
Question 11: Do you perform regular penetration testing?
Annual penetration testing is currently best practice and would become mandatory under the proposed 2026 HIPAA Security Rule. Ask for the scope of their most recent pen test: was it just external, or did it include internal network assessment and social engineering? Confirm it covered your environment, not only the provider's own office, and ask whether the provider's remote management tooling was in scope, since that tooling holds administrative access to every client they manage and is a prized target for exactly that reason. Ask if they can share a redacted summary of findings. Providers who take security seriously will have recent pen test results and a remediation plan for any findings.
Category 4: Compliance and Training
Question 12 [CRITICAL]: How often do you conduct HIPAA risk assessments?
Risk analysis is the cornerstone of HIPAA compliance. It is explicitly required by the Security Rule, and a missing or inadequate risk analysis is the most common finding in OCR investigations. Annual assessments are the widely accepted minimum (the proposed 2026 rule would require one at least every 12 months). Quarterly is best practice. The assessment should cover technical, administrative, and physical safeguards, and the results should be documented with a remediation plan for identified risks. One caveat: the risk analysis is your obligation as the covered entity. A good provider performs or supports it, but it must be scoped to your practice and you must own the results. If your provider says "we did one when you signed up," that is not compliant.
Question 13: Do you provide HIPAA security awareness training for your staff?
Your practice staff needs regular training on HIPAA security, and ideally your IT provider helps coordinate or deliver it. Ask about the format — is it just a PDF they email once a year, or do they run interactive sessions with phishing simulations? Training should happen at onboarding and at least annually after that. Document attendance. The OCR wants to see training records.
Question 14: How do you handle workforce access changes when someone leaves?
Access provisioning and revocation is a critical security process. When a nurse or administrator leaves your practice, their access to every system needs to be revoked immediately: not next week, not when IT "gets around to it." The same day. Ideally the same hour. Ask your provider what their offboarding process looks like, how quickly they can execute it, and whether they keep a single inventory of every system each person has access to, because you cannot revoke what you cannot enumerate. Revocation also depends on each person having their own account: a shared "frontdesk" login cannot be disabled when one of its users leaves, and the Security Rule requires a unique identifier per user for exactly this reason. Also ask about the reverse: when a new hire starts, how quickly can they get set up with appropriate, role-limited access?
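As an added example, not code from the original page, here is the reconciliation a practice can run against the account exports its provider supplies. It assumes an HR roster and one enabled/disabled account list per system; the usernames, systems and dates are constructed. It also goes one step beyond the question by flagging accounts that belong to nobody on the roster, since those can never be revoked on a departure.

```python
from datetime import datetime, timedelta

# Target for disabling a leaver's access; the text above says same day, ideally same hour.
REVOCATION_SLA = timedelta(hours=24)

# Constructed sample data: the HR roster and per-system account exports a
# provider should be able to produce on request. Names and dates are made up.
ACTIVE_STAFF = ["tnguyen"]
HR_TERMINATIONS = [
    {"user": "jsmith", "terminated": "2026-03-01T17:00:00"},
    {"user": "rgarcia", "terminated": "2026-02-20T12:00:00"},
]
ACCOUNT_EXPORTS = {
    "ehr": [
        {"user": "jsmith", "enabled": True},
        {"user": "rgarcia", "enabled": False},
        {"user": "tnguyen", "enabled": True},
    ],
    "email": [
        {"user": "jsmith", "enabled": True},
        {"user": "rgarcia", "enabled": True},
        {"user": "tnguyen", "enabled": True},
    ],
    "vpn": [
        {"user": "jsmith", "enabled": False},
        {"user": "tnguyen", "enabled": True},
        {"user": "frontdesk", "enabled": True},
    ],
}


def find_orphaned_access(terminations, exports, now):
    """Accounts still enabled for people HR says have left, worst first.
    `now` is an ISO-8601 timestamp (the moment the exports were taken)."""
    now_dt = datetime.fromisoformat(now)
    findings = []
    for t in terminations:
        left_at = datetime.fromisoformat(t["terminated"])
        for system, accounts in exports.items():
            for acct in accounts:
                if acct["user"] == t["user"] and acct["enabled"]:
                    open_for = now_dt - left_at
                    findings.append({
                        "user": t["user"],
                        "system": system,
                        "hours_open": round(open_for.total_seconds() / 3600, 1),
                        "sla_breached": open_for > REVOCATION_SLA,
                    })
    return sorted(findings, key=lambda f: -f["hours_open"])


def find_unowned_accounts(active_staff, terminations, exports):
    """Accounts that map to no current or former employee: shared logins,
    vendor accounts, leftovers. Nobody owns them, so no departure ever
    triggers their removal; each needs a named owner or should be disabled."""
    known = set(active_staff) | {t["user"] for t in terminations}
    return sorted(
        (system, acct["user"])
        for system, accounts in exports.items()
        for acct in accounts
        if acct["user"] not in known
    )


if __name__ == "__main__":
    snapshot = "2026-03-03T09:00:00"
    for f in find_orphaned_access(HR_TERMINATIONS, ACCOUNT_EXPORTS, snapshot):
        flag = "SLA BREACHED" if f["sla_breached"] else "within SLA"
        print(f"{f['user']:10} still enabled in {f['system']:6} {f['hours_open']:>7}h  {flag}")
    for system, user in find_unowned_accounts(ACTIVE_STAFF, HR_TERMINATIONS, ACCOUNT_EXPORTS):
        print(f"{user:10} in {system}: not on the HR roster, needs a named owner or disabling")
```

Ask the provider to produce exactly these exports (enabled accounts per system, with the last-modified date for each if their tools record it) on a recurring basis. A provider who cannot enumerate the accounts they manage cannot revoke them promptly either.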
Category 5: Vendor and Integration
Question 15: How do you coordinate with our EHR, imaging, and other healthcare vendors?
Healthcare IT is not a single system — it is an ecosystem. Your EHR, your imaging system, your lab interface, your practice management software, your revenue cycle management platform — they all need to work together, and they all handle PHI. Ask your IT provider how they coordinate with these other vendors during outages, updates, and security incidents. Do they have direct contacts at your EHR vendor? Do they understand the data flows between systems? A provider who manages your network but does not understand your clinical workflows is only doing half the job.
How to Score Your IT Provider's Responses
We built a simple scoring tool that turns these 15 questions into a quantitative assessment. You can run it on any computer with Python installed.
```python
#!/usr/bin/env python3
"""hipaa_gap_assessment.py — Score your IT provider's HIPAA readiness.

Run interactively:  python3 hipaa_gap_assessment.py
Each question is scored 0 = No/Absent, 1 = Partial, 2 = Yes/Complete.
"""
from datetime import datetime

QUESTIONS = [
    {"id": 1, "cat": "Legal", "q": "BAA signed?", "weight": 10, "critical": True},
    {"id": 2, "cat": "Legal", "q": "SOC 2/HITRUST/ISO cert?", "weight": 7, "critical": False},
    {"id": 3, "cat": "Legal", "q": "Cyber insurance?", "weight": 6, "critical": False},
    {"id": 4, "cat": "Technical", "q": "Encryption (AES-256 + TLS)?", "weight": 9, "critical": True},
    {"id": 5, "cat": "Technical", "q": "MFA enforced?", "weight": 9, "critical": True},
    {"id": 6, "cat": "Technical", "q": "Patching SLAs?", "weight": 7, "critical": False},
    {"id": 7, "cat": "Technical", "q": "Endpoint/MDM?", "weight": 7, "critical": False},
    {"id": 8, "cat": "Technical", "q": "Encrypted offsite backups?", "weight": 8, "critical": True},
    {"id": 9, "cat": "Response", "q": "Incident response plan?", "weight": 9, "critical": True},
    {"id": 10, "cat": "Response", "q": "Audit log retention?", "weight": 8, "critical": False},
    {"id": 11, "cat": "Response", "q": "Pen testing?", "weight": 7, "critical": False},
    {"id": 12, "cat": "Compliance", "q": "Annual risk assessment?", "weight": 8, "critical": True},
    {"id": 13, "cat": "Compliance", "q": "Staff training?", "weight": 6, "critical": False},
    {"id": 14, "cat": "Compliance", "q": "Access provisioning?", "weight": 7, "critical": False},
    {"id": 15, "cat": "Vendor", "q": "Vendor coordination?", "weight": 6, "critical": False},
]

TOTAL_POSSIBLE = sum(q["weight"] for q in QUESTIONS)  # 114


def score_responses(answers):
    """Turn {question_id: 0|1|2} into a result dict.
    Kept separate from the prompting so it can be reused or unit-tested."""
    total = 0.0
    critical_fails = []
    for q in QUESTIONS:
        score = answers[q["id"]]
        if score not in (0, 1, 2):
            raise ValueError(f"Q{q['id']}: score must be 0, 1 or 2, got {score!r}")
        total += (score / 2) * q["weight"]
        if q["critical"] and score == 0:
            critical_fails.append(q)
    pct = total / TOTAL_POSSIBLE * 100
    grade = "A" if pct >= 80 else "B" if pct >= 60 else "C" if pct >= 40 else "F"
    risk = {"A": "LOW", "B": "MEDIUM", "C": "HIGH", "F": "CRITICAL"}[grade]
    return {"score": total, "possible": TOTAL_POSSIBLE, "pct": pct,
            "grade": grade, "risk": risk, "critical_fails": critical_fails}


def ask(prompt):
    """Prompt until the user enters 0, 1 or 2; a typo must not skew the score."""
    while True:
        raw = input(prompt).strip()
        if raw in ("0", "1", "2"):
            return int(raw)
        print("  Please enter 0, 1 or 2.")


def assess():
    print("\nHIPAA IT Provider Gap Assessment")
    print(f"Date: {datetime.now():%Y-%m-%d %H:%M}")  # date-stamp the record you will file
    print("Score each: 0=No/Absent 1=Partial 2=Yes/Complete\n")
    answers = {}
    for q in QUESTIONS:
        tag = " [CRITICAL]" if q["critical"] else ""
        answers[q["id"]] = ask(f"Q{q['id']}{tag} {q['q']} (0/1/2): ")
    r = score_responses(answers)
    print(f"\nScore: {r['score']:.1f}/{r['possible']} ({r['pct']:.0f}%)")
    print(f"Grade: {r['grade']} | Risk: {r['risk']}")
    if r["critical_fails"]:
        print(f"\nCRITICAL FAILURES ({len(r['critical_fails'])}):")
        for cf in r["critical_fails"]:
            print(f"  - Q{cf['id']}: {cf['q']}")


if __name__ == "__main__":
    assess()
```

Each question is scored 0 (absent), 1 (partial), or 2 (complete), then weighted by importance. Critical questions carry the heaviest weights because a failure in any one of them represents a fundamental compliance gap; the tool lists every critical question scored 0 separately, and you should treat any such failure as urgent regardless of the overall grade. The scoring bands are:
- 80% or above (Grade A): Strong HIPAA posture. Maintain and re-assess annually.
- 60-79% (Grade B): Adequate with gaps. Create a remediation timeline with your provider.
- 40-59% (Grade C): Significant gaps. Engage a HIPAA specialist for a formal assessment.
- Below 40% (Grade F): Critical deficiencies. Immediate action required. Consider changing providers.
Run the script, walk through the questions with your IT provider on the phone, and you will have a documented assessment in ten minutes. Save the output. Date it. File it in your compliance documentation. That is evidence of due diligence.
For a printable version you can fill out by hand during an in-person meeting, we also built a checklist generator:
```javascript
// hipaa-checklist-generator.mjs — Run: node hipaa-checklist-generator.mjs > checklist.md
const questions = [
  { id: 1, cat: "Legal", q: "BAA signed?", critical: true },
  { id: 2, cat: "Legal", q: "SOC 2/HITRUST/ISO cert?", critical: false },
  { id: 3, cat: "Legal", q: "Cyber insurance?", critical: false },
  { id: 4, cat: "Technical", q: "AES-256 + TLS 1.2+ encryption?", critical: true },
  { id: 5, cat: "Technical", q: "MFA on all systems?", critical: true },
  { id: 6, cat: "Technical", q: "Patching SLAs met?", critical: false },
  { id: 7, cat: "Technical", q: "Endpoint protection + MDM?", critical: false },
  { id: 8, cat: "Technical", q: "Encrypted offsite backups + tested restore?", critical: true },
  { id: 9, cat: "Response", q: "Incident response plan documented?", critical: true },
  { id: 10, cat: "Response", q: "Audit logs (6+ year retention)?", critical: false },
  { id: 11, cat: "Response", q: "Annual pen testing?", critical: false },
  { id: 12, cat: "Compliance", q: "Annual risk assessment?", critical: true },
  { id: 13, cat: "Compliance", q: "Staff security training?", critical: false },
  { id: 14, cat: "Compliance", q: "Access provisioning/revocation?", critical: false },
  { id: 15, cat: "Vendor", q: "EHR vendor coordination?", critical: false },
];

// Date-stamp the sheet so the filled-in copy stands as dated evidence of due diligence.
const today = new Date().toISOString().slice(0, 10);

let md = "# HIPAA IT Provider Audit Checklist\n\n";
md += `Provider: ________________  Reviewer: ________________  Date: ${today}\n\n`;
md += "| # | Category | Question | Critical | Pass | Partial | Fail | Evidence / Notes |\n";
md += "|---|----------|----------|----------|------|---------|------|------------------|\n";
for (const q of questions) {
  md += `| ${q.id} | ${q.cat} | ${q.q} | ${q.critical ? "YES" : "-"} | [ ] | [ ] | [ ] | |\n`;
}
console.log(md);
```

That generates a Markdown table you can print or paste into a Google Doc. Hand it to your office manager before the next IT review meeting, and ask for the evidence column to be filled in with what the provider showed, not just what they said.
Red Flags That Mean You Should Switch Providers
Some answers to these questions are not just gaps — they are dealbreakers. If your IT provider exhibits any of these behaviors, it is time to start looking for a replacement.
They refuse to sign a BAA. This is the single biggest red flag. Any provider who handles PHI and will not sign a BAA either does not understand HIPAA or is deliberately avoiding legal responsibility. Either way, you cannot work with them.
They cannot explain their encryption. If you ask "how do you encrypt our data" and the answer is vague — "we use industry standard security" or "everything is protected" — they may not have encryption properly configured. Real answers include specific algorithms, key lengths, and protocols. If they cannot name them, they may not know them.
They have no documented incident response plan. When you ask "what happens if we have a breach," the answer should not be "we will figure it out." It should be a step-by-step process with roles, timelines, and communication protocols. If they have to think about it, they do not have a plan.
They use consumer-grade tools for healthcare data. Free Gmail. Personal Dropbox. Consumer-tier Microsoft 365 without the HIPAA-eligible features enabled. These are not compliant for PHI. Full stop. If your provider set these up for your practice and told you they were fine for healthcare, they were wrong.
They push back on penetration testing. A provider who says "we do not need pen testing" or "that is overkill for a small practice" is not keeping up with the industry. The proposed 2026 HIPAA Security Rule would make annual pen testing mandatory. A provider who does not see this coming is not paying attention to the regulatory environment.
They have not mentioned the 2026 HIPAA Security Rule changes. If your provider has not proactively talked to you about the upcoming regulatory changes, they may not be tracking HIPAA developments. This is their industry. They should be leading the conversation, not waiting for you to bring it up.
The 2026 HIPAA Security Rule Changes You Need to Know
The Department of Health and Human Services proposed major updates to the HIPAA Security Rule that are expected to finalize in May 2026. These changes are the most significant overhaul of HIPAA's technical requirements since the rule was first published. Here is what matters for your practice:
Addressable vs required would go away. Currently, some HIPAA implementation specifications are "addressable," meaning you may implement an equivalent alternative, or document why the specification is not reasonable and appropriate for your environment, instead of implementing it as written. Addressable has never meant optional, but it has often been treated that way. Under the proposed changes, all implementation specifications become required. No more workarounds. No more "we decided encryption was not feasible." Encryption of ePHI at rest and in transit would be required, with only narrow exceptions spelled out in the rule.
Vulnerability scanning and compliance audits become required. Not just risk assessments: the proposal calls for automated vulnerability scans of your actual infrastructure at least every six months and a compliance audit at least every 12 months. Your IT provider needs to be scanning your network, your endpoints, and your applications on that schedule and tracking remediation of what the scans find.
Annual penetration testing becomes required. A qualified tester, ideally independent of the team that builds and runs your systems, needs to actively try to break into them at least every 12 months and report what they find. This is not something most small practices do today, which means your IT provider needs to start planning and budgeting for it now.
Continuous risk monitoring. The shift from point-in-time assessments to ongoing monitoring means your provider needs tools and processes that watch your environment continuously, not just when they remember to check.
These changes will affect every healthcare practice in the country, including every small clinic and dental office in Daytona Beach, Port Orange, and across Volusia County. The practices that start preparing now — with a provider who understands what is coming — will handle the transition smoothly. The practices that wait will scramble.
If your current provider has not brought these changes to your attention, that should be a conversation topic at your next review. And if you need help evaluating where your practice stands, our IT consulting team in Daytona Beach specializes in HIPAA readiness assessments.
What the Custom-Built Version Looks Like
The questions and scoring tool above give you a solid self-assessment framework. But a professional HIPAA gap assessment goes deeper:
- Network vulnerability scanning with automated discovery of all devices and services on your network
- Policy document review of your HIPAA policies, procedures, and training documentation against current regulatory requirements
- Technical control validation where we actually test your encryption, access controls, and audit logging — not just ask about them
- Vendor BAA audit to verify that every vendor with access to PHI has a current, properly executed BAA
- Remediation roadmap with prioritized findings, estimated costs, and implementation timeline
- Compliance monitoring dashboard that tracks your ongoing posture and alerts you when something drifts
The self-assessment tells you if you have a problem. The professional assessment tells you exactly what the problem is, how to fix it, and how much it will cost.
Want a professional HIPAA gap assessment for your practice? Schedule a free discovery call and we will walk through your current setup, identify your biggest compliance risks, and create a prioritized remediation plan. We work with practices from solo practitioners to multi-location groups across Central Florida.
Not sure where to start with automation and compliance? Take our free automation quiz to get a personalized recommendation.
Frequently Asked Questions
Does my IT provider need a BAA for HIPAA compliance?
Yes. Any IT provider that creates, receives, maintains, or transmits protected health information on behalf of your practice is a Business Associate under HIPAA and must sign a Business Associate Agreement. This includes managed service providers, cloud hosting companies, email providers, and backup vendors. Without a BAA, every disclosure of PHI to that vendor is itself an impermissible disclosure, and you have no contractual safeguards, notification rights, or recourse when that vendor has a breach.
What certifications should a HIPAA-compliant IT provider have?
Look for a SOC 2 Type II report, or HITRUST CSF or ISO 27001 certification. SOC 2 Type II is the most relevant because it evaluates how security controls operated over a period of time, not just at a single point-in-time snapshot. Some providers also hold the HIPAA for MSPs certification. Ask for copies of their most recent audit reports and check that the scope covers the services you actually buy.
How often should my IT provider perform HIPAA risk assessments?
The Security Rule requires a risk analysis but sets no fixed interval; at least annually, and whenever your environment changes materially, is the accepted minimum, and best practice is continuous monitoring with formal assessments quarterly. The proposed 2026 HIPAA Security Rule updates would require a risk analysis and compliance audit at least every 12 months, vulnerability scans at least every six months, and penetration testing at least every 12 months, making regular assessment mandatory rather than recommended.
What are red flags that my IT provider is not HIPAA compliant?
Red flags include refusing to sign a BAA, inability to explain their encryption methods, no documented incident response plan, lack of regular security audits or penetration tests, no MFA enforcement, and using consumer-grade tools like free Gmail or Dropbox for healthcare data. If they say "we handle HIPAA" without specifics, that is a warning sign.
What changes to the HIPAA Security Rule should I prepare for in 2026?
The proposed HIPAA Security Rule updates expected to finalize in May 2026 would eliminate the distinction between addressable and required safeguards, making all implementation specifications mandatory. This includes required encryption of ePHI (with only narrow exceptions), mandatory MFA, penetration testing every 12 months, vulnerability scans every six months, and continuous risk monitoring. Practices should start preparing now.
The questions in this guide are not designed to create an adversarial relationship with your IT provider. They are designed to create an informed one. A good provider will welcome these questions because they are an opportunity to demonstrate their expertise. A great provider will have answers ready before you even ask. And a provider who gets defensive, evasive, or dismissive? That tells you something important too.
Your patients trust you with their most sensitive information. Make sure the people you trust with that information deserve it.