How Third-Party Tools Could Jeopardize Your HIPAA Compliance

Running a behavioral health practice today means managing a wide range of digital tools. These include EHR systems, billing software, telehealth platforms, note-taking apps, CRMs, and more. But here’s what many providers don’t realize:

You’re still responsible for HIPAA compliance, even if a data incident happens through one of your vendors.

Third-party tools can be a major weak point in your security posture. If they’re not properly vetted, they can push your practice out of compliance fast.

What HIPAA Says About Third-Party Vendors

Under HIPAA, any service provider that handles protected health information (PHI) on your behalf is considered a Business Associate. That includes:

  • Telehealth platforms
  • Cloud storage providers like Google Drive or Dropbox
  • Practice management software
  • AI note-taking tools
  • Email marketing platforms such as Mailchimp or Constant Contact

You’re required to have a Business Associate Agreement (BAA) in place with each of these vendors. You’re also responsible for making sure their security practices meet HIPAA standards.

Real-World Risks from Unvetted Vendors

Just because a vendor says they’re “HIPAA-compliant” doesn’t mean they’re secure. Here’s what can go wrong:

  • Unencrypted data stored on shared servers
  • Weak access controls or shared user accounts
  • Overseas teams with full access to PHI
  • Insecure connections or integrations with other apps
  • Outdated software with no update schedule

One mistake by a third party can lead to a data exposure that results in fines, lawsuits, and damage to your reputation. Worse, your practice could end up listed on the HHS HIPAA Breach Reporting Tool, often referred to as the “Wall of Shame.”

Behavioral Health Tools to Watch

Some of the most commonly used tools in behavioral health are also among the most overlooked when it comes to security. These include:

  • AI transcription tools that store sensitive session transcripts in the cloud
  • Scheduling platforms that collect detailed intake forms
  • Free email services used for client communication
  • Form builders without signed BAAs or proper encryption

One particularly risky area is the use of WordPress form plugins and general web forms to collect PHI, insurance details, or other patient data. Many popular plugins are not HIPAA-compliant by default. If misconfigured, they can expose sensitive information through unencrypted submissions, poor access control, or unsecured file storage. Any online form that collects patient information must be properly secured, encrypted, and covered by a valid BAA with the tool provider.

Even if you trust the platform, it’s your responsibility to verify how data is stored, who has access