What "HIPAA-aware" really means — and what to ask any vendor before you sign

HIPAA does not have a certification body. Any vendor claiming "HIPAA certified" is using a marketing term. Here's the real definition and the checklist that matters.

Platform Admin · May 1, 2026 · 2 min read

ClarioScope · Field notes

Some honest disambiguation, because the terminology is muddy and most healthcare vendors lean on it.

HIPAA does not have a certification body

There is no federal authority that issues a "HIPAA certified" badge. The Department of Health and Human Services enforces HIPAA, but it does not pre-certify vendors. Anyone marketing themselves as "HIPAA certified" is using a phrase with no regulatory standing.

What actually exists:

  • HIPAA-aware — informal industry shorthand meaning the vendor has read the rule, designed the platform to support compliance, and offers a signed Business Associate Agreement.
  • HIPAA-eligible / HIPAA-ready — same thing as HIPAA-aware. Mostly cloud-provider terminology (AWS, GCP, Azure).
  • SOC 2 Type II audit — a real audit conducted by a CPA firm covering security, availability, confidentiality, processing integrity, and privacy. SOC 2 reports are the closest thing to a "certification" most healthcare SaaS vendors can legitimately offer.

The checklist to ask any vendor

  1. Do you offer a signed Business Associate Agreement? Can I see the standard form before we engage?
  2. What is your current SOC 2 status (Type I, Type II, or in progress)? If in progress, who is the auditor and what is the target window?
  3. Where is data hosted? Region matters for residency and for some state laws.
  4. What is your subprocessor list? Each one needs its own BAA when PHI flows through.
  5. What is your incident response window?
  6. What is your data export and deletion policy on termination?

If a vendor can answer all six in writing, you have something to evaluate. If any are dodged, that's the signal.
