Why this checklist exists

Clinical directors at behavioral health practices are receiving AI vendor pitches weekly. Most of those vendors know their product well and know HIPAA poorly. The sales conversation is designed to move you toward a signature, not to surface the compliance gaps you will discover six months in when you get a notification from your privacy officer.

This checklist gives you the questions to ask before signing anything. Run through them on the vendor call. The answers will tell you what you need to know.

A note on what this covers: this checklist addresses AI tools used in administrative intake -- scheduling, follow-up, call handling, intake questionnaire routing. It does not address clinical AI tools, EHR systems, or telehealth platforms, which involve additional compliance considerations beyond this scope.

Section 1: Business Associate Agreement

See what this looks like for your practice

In 30 minutes we will identify where your practice is losing clients, quantify the revenue impact, and give you the single highest-leverage fix to implement first.

Book a Strategy Call
  • Does the vendor have a standard Business Associate Agreement they can provide?
  • Are they willing to sign your organization's BAA if you have one?
  • Does their BAA include breach notification obligations within 60 days of discovery?
  • Does the BAA cover all subcontractors and sub-processors the vendor uses?
  • What is their process for updating the BAA if their data handling practices change?

What a compliant vendor says: Yes, we have a standard BAA. We sign it before any PHI is transmitted to our systems. We extend BAA obligations to all subprocessors contractually. Red flag: "We do not handle PHI directly" from a vendor whose product clearly touches client names and appointment data.

Section 2: Data storage and transmission

  • Where is data stored? Is it in the United States?
  • Is data encrypted in transit using TLS 1.2 or higher?
  • Is data encrypted at rest?
  • Which cloud infrastructure provider hosts the system? (AWS, Google Cloud, Azure are common; each has HIPAA-eligible services.)
  • What is the data retention policy? How long is client data kept after a client relationship ends?

What a compliant vendor says: Data is stored in the US on HIPAA-eligible AWS (or equivalent) infrastructure. Encryption in transit and at rest is standard. Retention periods are defined and configurable. Red flag: "Our servers are in [European country]" without a clear explanation of cross-border data transfer compliance.

Section 3: PHI handling in intake

  • Does the vendor understand that name plus appointment date at a behavioral health practice constitutes PHI?
  • Does their system log and store intake conversation content? If so, where and for how long?
  • Who within the vendor's organization has access to the content of client intake conversations?
  • Is intake data used for any purpose other than providing the contracted service? (Training AI models, analytics, product improvement.)
  • Can you request deletion of a specific client's data, and what is the process?

What a compliant vendor says: We understand that intake data is PHI. Conversation logs are stored only for the period specified in your BAA and are not used for model training without explicit written consent. Deletion requests are fulfilled within [defined timeline]. Red flag: Any vendor who is uncertain whether their intake data is PHI, or who cannot explain what happens to conversation logs.

Section 4: Access controls

  • Is access to your practice's data within their platform restricted to specific named roles?
  • Does the vendor maintain audit logs of who accessed what data and when?
  • Are audit logs available to you as the covered entity upon request?
  • What is the vendor's process for revoking access when an employee leaves their company?

What a compliant vendor says: Access is role-based and logged. Audit logs are available upon request and are retained for a minimum of six years per HIPAA requirements. Offboarding removes access within 24 hours. Red flag: "We have not had a request for audit logs before" or inability to specify what roles have access to PHI.

Section 5: Incident response

  • What is the vendor's breach notification policy and timeline?
  • Who is your point of contact at the vendor if a potential breach is identified?
  • Has the vendor experienced a data breach in the last 24 months? If so, what happened and what changed?
  • Do they carry cyber liability insurance? What are the coverage limits?

What a compliant vendor says: We notify covered entities within 72 hours of discovering a potential breach, and no later than 60 days regardless of investigation status. You will have a named security contact. We carry cyber liability insurance with a minimum of [defined limit]. Red flag: A vendor who deflects the breach history question or does not have a named security contact for covered entities.

Section 6: Ten questions to ask on the vendor call

  • Will you sign a Business Associate Agreement before we share any client data?
  • Is your platform HIPAA-compliant, and can you provide documentation?
  • Where is client intake data stored, and is it encrypted at rest?
  • Who within your organization has access to the content of our client intake conversations?
  • Is our data used for AI model training or product improvement?
  • What is your breach notification process and timeline?
  • Have you had a data breach in the last 24 months?
  • Can we see your standard BAA before the next call?
  • What is your data retention and deletion policy?
  • Do you carry cyber liability insurance? What are your coverage limits?

What good answers look like

A compliant vendor can answer all 10 questions without hesitation, provides documentation before being asked twice, and does not treat your compliance questions as an obstacle to the sales process. A vendor who treats HIPAA questions as bureaucratic friction -- "let's not get too into the weeds on that" or "our legal team will sort that out later" -- is telling you something important about how they will handle your obligations if a problem arises.

The right vendor understands that for a behavioral health practice, HIPAA compliance is not a checklist item. It is the foundation of client trust and clinical operations. A vendor who gets that does not need to be pushed on any of these questions.

The bottom line

HIPAA-aligned AI in behavioral health intake is achievable and, when implemented correctly, straightforward. The compliance burden is in vendor selection, not in the technology itself. A well-configured AI intake system running on a compliant infrastructure with a signed BAA carries no more HIPAA exposure than your current scheduling software or secure messaging platform.

The risk is not in the technology. The risk is in signing a contract with a vendor who has not thought carefully about their obligations. This checklist exists to prevent that.