During the course of vetting Business Associates for Risk Assessments, it became apparent that Practices don’t have a good resource to know the vendors they work with. So, we compiled one!

It is customary in larger organizations to vet vendors prior to signing a contract or engaging in services, however, in smaller practices, this simply doesn’t happen. That doesn’t mean you should trust your vendors without question. Trust, but verify.


We’ve done the work for you.

Every company is vetted in the exact same manner and under no circumstances is a financial arrangement used to determine whether or not that company gets on this list.

In fact, all companies must adhere to the following requirements:

  • Acknowledges and accepts role as a Business Associate (a non-employee who creates, receives, maintains or transmits Protected Health Information on behalf of a Covered Entity) under HIPAA
  • Has submitted a Security Evaluation to ACS outlining their own current state of HIPAA Compliance.
  • Provide or sign a Business Associate Agreement that accepts full financial responsibility in the event Business Associate has a data breach.
  • Provides proof of cyberliability & Data Breach Insurance.


To date, the following companies have put their money where their mouth is and submitted to the harsh Amy Wood Standard.