If you care at all about HIPAA, security, or protecting your patient information, then you need to evaluate your Business Associates or potential Business Associates. A really great way to start gauging whether a vendor is serious about HIPAA or just trying to sell you something is to ask them if they are HIPAA Certified, and by whom. If they give you a name, run away. Iliana Peters of the Office for Civil Rights stated today during the NIST/HHS/OCR Conference on HIPAA Security that there is no such thing as HIPAA Certified.
There are HIPAA education certifications for individuals, there are certificates of completion for meeting certain requirements in programs (like ACS does), and there are security evaluations, but there is no entity that makes a business HIPAA Certified.
You’ll obviously want to dig further, such as by reviewing their BAA and their insurance policy, but this is a really easy way to weed out illegitimate vendors.