Any vendor can say "HIPAA compliant" on a website. It costs nothing and means nothing on its own. Here's what to actually ask for.
If you're evaluating a billing partner — especially one using AI — these are the six things you should require before signing. If a vendor can't produce them, that tells you what you need to know.
1. A signed BAA that covers everyone who touches PHI
A Business Associate Agreement is not optional; it's legally required. But read it carefully for one thing in particular: does it cover subcontractors and offshore staff?
Many billing companies use offshore teams. That is entirely legal and often excellent work. What is not acceptable is a BAA that quietly excludes them, or a vendor who doesn't disclose them at all.
2. Named locations where PHI is processed
You are entitled to know this. Not a region — actual locations. If work happens in another country, you should be told before you sign, not discover it later.
For the record: Sterling is a Wyoming-registered LLC, and our billing and coding operations team works from Ahmedabad, India. We say that on our HIPAA page because you'd rather read it there than find out in an audit.
3. Evidence of HIPAA training, not just a claim
Ask for actual certificates. Ask when the training was completed and when it expires. "Our team is HIPAA trained" with nothing behind it is marketing.
4. Encryption in transit AND at rest
Both. In transit (TLS) is standard and easy. At rest is where vendors get lazy. Also ask: is PHI ever stored on individual staff machines? The answer should be no.
5. Access logging that is attributable to individuals
If there's a breach, you need to know exactly who accessed what and when. "We have access controls" is not the same as "every access is logged and attributable to a named individual."
6. A straight answer about what the AI does with the data
This is the new question, and it matters. Ask:
- Is our data used to train models that serve other clients?
- Is any data sent to third-party AI services?
- Is data ever sold, shared, or used for anything other than our billing?
The correct answers are no, no, and no. If you get hedging, walk.
What "SOC 2" actually means — and doesn't
Be careful here. SOC 2 Type II is a formal third-party audit resulting in a signed report. It is not a badge you can simply display. If a vendor claims SOC 2, ask to see the report. Many claim it without having done it.
HIPAA compliance and SOC 2 are also not the same thing. A vendor can be genuinely HIPAA compliant without being SOC 2 audited. Honesty about which one you have is worth more than a badge you didn't earn.
The uncomfortable truth is that most practices never ask any of these questions. Ask them. A good partner will have the answers ready.
See these numbers on your own claims
A free audit shows exactly where your revenue is leaking — no obligation, no contract.
Book a Free Consultation →