Buying Guides

Your EMR Vendor's Risk Analysis Is Not Your Risk Analysis

If an EMR salesperson tells you their product is HIPAA compliant, they may be telling the truth and it still does not do what you think it does. Your HIPAA risk analysis obligation is yours. It attaches to your organization, it covers all of the electronic protected health information you hold, and no vendor's certification, audit report, or security assessment discharges it. The vendor's work is an input to your analysis. It is not a replacement for it, and the parts it cannot reach happen to be the parts most likely to hurt you: your building, your workstations, your staff, and your paperwork.

The short answer

The requirement is at 45 CFR 164.308(a)(1)(ii)(A), it is labeled Required, and it reads:

Risk analysis (Required). “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”

Read the last clause again. Not held in your EMR. Not held on servers you own. Held by the covered entity or business associate. HHS makes the scope explicit in its risk analysis guidance: the scope “includes the potential risks and vulnerabilities to the confidentiality, availability and integrity of all e-PHI that an organization creates, receives, maintains, or transmits,” and an organization's analysis “should take into account all of its e-PHI, regardless of the particular electronic medium in which it is created, received, maintained or transmitted or the source or location of its e-PHI.”

Your EMR holds some of your ePHI. Probably most of it. The obligation is written against all of it.

There are two risk analyses, and they are not the same one

Here is the structure that clears up most of the confusion. When you buy a cloud EMR, two separate risk analysis obligations exist at the same time:

Your risk analysisYour vendor's risk analysis
Who owes itYou, the covered entityThem, the business associate
Legal basis164.308(a)(1)(ii)(A)164.308(a)(1)(ii)(A) — the same provision, applied to them
ScopeAll ePHI your organization holds, everywhere it livesAll ePHI their organization holds, in their environment
Covers your server closet?YesNo
Covers your front-desk workstation?YesNo
Covers your staff and sanctions?YesNo
Covers their data center?You assess the security measures protecting your ePHI thereYes, in detail

Since the 2013 amendments, business associates are directly subject to the Security Rule. Your EMR vendor owes its own risk analysis, its own security official under 164.308(a)(2), and its own safeguards, and it can be enforced against directly. That is genuinely good news. It is also not your risk analysis, because the two have different scopes. Two documents, two organizations, two sets of walls.

What a business associate agreement actually moves

The BAA is where buyers most often believe a transfer happened. What the regulation says is narrower.

45 CFR 164.308(b)(1): a covered entity may permit a business associate to create, receive, maintain, or transmit ePHI on its behalf only if the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information. 164.308(b)(3) requires those assurances to be documented through a written contract.

So a BAA does three things. It permits the arrangement. It obtains assurances. It documents them. What it conspicuously does not do is relocate your obligations into the vendor's scope of work. It is a condition on your ability to share data, not a transfer of your compliance duties.

There is a useful asymmetry worth knowing: 164.308(b)(1) also states that a covered entity is not required to obtain satisfactory assurances from a business associate that is a subcontractor. That flows the other way — under 164.308(b)(2), your business associate must obtain them from its own subcontractors. Your vendor's vendors are your vendor's problem, contractually. Whether the ePHI they hold is in your risk analysis scope is a different question, and the answer follows the ePHI.

Where the vendor's scope stops

The Security Rule sets standards in three categories, and it is worth seeing which ones an EMR vendor can plausibly reach.

  • Technical safeguards — 45 CFR 164.312. Access control, audit controls, integrity, person or entity authentication, transmission security. This is where a good EMR does real work. Unique user identification and emergency access procedure are both Required; automatic logoff and encryption are Addressable. Your vendor supplies the capability. You still configure it, and configuring it is your decision to document.
  • Physical safeguards — 45 CFR 164.310. Facility access controls. Workstation use, including “the physical attributes of the surroundings” of a workstation that can access ePHI. Workstation security. Device and media controls, where Disposal and Media re-use are both labeled Required. No EMR vendor can cover any of this. The regulation names walls, doors, and locks in its own text at 164.310(a)(2)(iv). Software does not have an opinion about your records room.
  • Administrative safeguards — 45 CFR 164.308. Mostly yours. Sanction policy (Required). Assigned security responsibility. Workforce security, including authorization and supervision of workforce members who work with ePHI “or in locations where it might be accessed.” Security awareness and training. Contingency planning. The periodic technical and nontechnical evaluation at 164.308(a)(8).

That word nontechnical at 164.308(a)(8) is doing a lot of work and it is easy to skim past. The rule requires “a periodic technical and nontechnical evaluation”. A vendor security questionnaire is not a nontechnical evaluation of your organization. It is a technical evaluation of theirs.

“It's in the cloud” changes the inventory, not the obligation

Moving to a cloud EMR genuinely reduces some risk. Your ePHI is no longer sitting on a tower under the reception desk, and that is a real improvement to a real threat.

But look at what is left in the building after the server leaves:

  • Workstations that display ePHI, and where they face — 164.310(b) and (c).
  • Laptops and tablets that leave and return — 164.310(d)(1) governs receipt and removal of hardware and media into and out of a facility, and movement within it.
  • Old drives, old phones, and the drawer nobody has opened since 2019 — Disposal and Media re-use, both Required.
  • Scanners, printers, and the fax machine, which have storage in them.
  • Local exports. Someone runs a report to a spreadsheet and saves it to a desktop, and that spreadsheet is ePHI you hold.
  • Backups you keep yourself.
  • The people. All of 164.308's workforce provisions.

HHS's sample risk analysis questions include exactly this line of inquiry: “What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit e-PHI?” The question assumes you have both — internal ePHI and external ePHI — and that you are accounting for the whole set.

What the vendor's documentation is good for

None of this makes a vendor's security documentation worthless. It makes it an ingredient.

HHS lists Assess Current Security Measures as an element of a risk analysis: organizations should assess and document the security measures used to safeguard ePHI, whether measures required by the rule are already in place, and whether current measures are configured and used properly. For the ePHI that lives in your EMR, your vendor's documentation is the best available evidence for that element. Use it there. Cite it there. It is doing real work in your analysis.

What it cannot do is answer the other elements — identifying your threats and vulnerabilities, determining likelihood and impact for your organization, and determining your risk levels. Those are judgments about your environment, and HHS's guidance is explicit that risk analysis has no one-size-fits-all blueprint and that methods vary with the size, complexity, and capabilities of the organization.

Five questions for the demo

  1. “Which safeguard categories does your documentation cover, and which does it not?” A good vendor answers this cleanly and without defensiveness: we cover 164.312 in depth, we support parts of 164.308, we cannot cover 164.310 at your site.
  2. “Will you sign a BAA, and what does your BAA say about your subcontractors?” 164.308(b)(2) requires them to obtain assurances from subcontractors. Ask how.
  3. “Which security settings are ours to configure, and what are the defaults?” Automatic logoff and encryption are addressable, which means your decision and your documentation. Find out what ships turned on.
  4. “What ePHI will end up outside your system in normal use?” Exports, reports, integrations, printed material. This is your scope, and the vendor knows the answer better than you do.
  5. “Does anything you provide claim to satisfy our risk analysis?” If the answer is yes, ask which provision, and ask how a remote product assesses your facility under 164.310.

The bottom line

The clean way to hold this: your vendor is responsible for their environment; you are responsible for all of your ePHI, including the part sitting in their environment. Those overlap. They are not the same set, and the difference is not a technicality — it is your building, your equipment, and your staff.

Buying good software is a legitimate and effective way to reduce risk, and a vendor with strong documentation makes your analysis easier and better evidenced. Just do not mistake a well-secured system for a completed obligation. The rule was written against the organization, not the application.

Common questions

Does using a HIPAA compliant EMR make my practice HIPAA compliant?

No. The risk analysis requirement at 45 CFR 164.308(a)(1)(ii)(A) applies to the covered entity or business associate and covers all electronic protected health information it holds. HHS guidance states the scope includes all ePHI an organization creates, receives, maintains, or transmits, regardless of the source or location of that ePHI. Your EMR is one system holding some of your ePHI. Your obligation covers all of it, plus the physical safeguards at 45 CFR 164.310 and the administrative safeguards at 164.308, which are about your building and your workforce, not your vendor's software.

Does a vendor's SOC 2 report satisfy the HIPAA risk analysis requirement?

It does not, because it is a different document about a different scope. A vendor's audit report describes controls at the vendor. The risk analysis required at 45 CFR 164.308(a)(1)(ii)(A) is an accurate and thorough assessment of risks and vulnerabilities to the ePHI held by your organization. A vendor report can be useful evidence when you assess the security measures protecting the portion of your ePHI that sits in their system, which is one of the elements HHS lists. It is an input to your analysis, not a substitute for it.

What does a business associate agreement actually transfer?

Less than most buyers assume. Under 45 CFR 164.308(b)(1), a covered entity may permit a business associate to handle ePHI on its behalf only if it obtains satisfactory assurances that the business associate will appropriately safeguard the information, documented through a written contract under 164.308(b)(3). That obligates the business associate to safeguard the data and it makes the business associate directly subject to the Security Rule, including its own risk analysis and its own security official. It does not move your risk analysis obligation onto them, and it does not put your server closet, your workstations, or your workforce inside their scope.

Which parts of the Security Rule can no EMR vendor cover for you?

Broadly, the physical safeguards at 45 CFR 164.310 and most of the administrative safeguards at 164.308. That includes facility access controls, workstation use and workstation security, and device and media controls, where disposal and media re-use are both labeled Required. On the administrative side it includes your sanction policy, your assigned security official, your contingency plan, and the periodic technical and nontechnical evaluation at 164.308(a)(8). A cloud EMR removes your server from the closet. It does not remove the closet, the front desk monitor, the box of backup drives, or the people.