
AI PHQ-9 HIPAA Compliance: 7 Questions Every Mental Health Clinic Should Ask in 2026

Key Takeaways: AI PHQ-9 Screening and HIPAA Compliance

  1. Full HIPAA Application: In 2026, voice recordings with patient identifiers are ePHI, full stop. Any AI PHQ-9 vendor that handles them is a Business Associate, and a signed BAA is federally required before any data flows. There are no workarounds.
  2. Beyond Marketing Phrases: Compliance isn’t a badge; it’s a framework of Administrative, Physical, and Technical Safeguards. Procurement must move past “Is this vendor compliant?” to “How specifically do they document these safeguards?”
  3. The 2026 Regulatory Landscape: The first major HIPAA Security Rule update in two decades is expected to be finalized in May 2026, and HHS/OCR has stated that the Security Rule covers ePHI used in AI training. Evaluate vendors against where the regulations are heading, not only where they stand today.
  4. The Seven-Question Framework: Seven specific operational questions distinguish real security from “checkbox compliance.” They surface implementation differences in how vendors handle your practice’s data.
  5. Shared Responsibility Model: The clinic (Covered Entity) and the vendor (Business Associate) have distinct roles. A vendor’s compliance materials should define its responsibilities under the BAA rather than claim to “make you” compliant.
  6. Contracts Over Marketing: Commitments like prohibiting the use of patient data for AI training and defining breach notification timelines must live in the signed BAA. If a commitment isn’t in the contract, it isn’t binding.

AI PHQ-9 HIPAA compliance is the procurement question most mental health clinics get wrong not because the regulation itself is unclear, but because the vendor marketing in this space rarely engages with what HIPAA specifically requires. This guide walks through the seven compliance questions every practice should ask before signing with any AI PHQ-9 vendor, including MedLaunch.

A compliance officer at a mental health practice opens an email from her clinical director.

The clinical director is excited about an AI PHQ-9 screening tool the practice has been demoing. She’s forwarded the vendor’s HIPAA materials. The compliance officer reads them in three minutes and closes the email with the same skeptical feeling she’s had reading every vendor’s HIPAA materials for the past five years.

The materials say “HIPAA compliant” prominently. They mention encryption. They mention “industry-leading” security practices. They mention SOC 2 in passing. They do not say which encryption, which access controls, what the audit logging captures, what happens to voice data after scoring, whether patient data is used for AI model training, what the BAA actually commits the vendor to, or what the breach notification process and timeline are.

She has seen this before. The marketing is confident. The substance underneath is undocumented. Her job for the next two hours is to figure out what’s actually there and what isn’t.

This is the procurement reality for HIPAA compliance in AI healthcare in 2026. Vendor marketing is uniformly confident. Vendor implementation varies enormously. The gap between the two is where compliance disputes start, and it’s where careful clinics catch problems before they become liabilities.

This guide is the procurement framework that closes that gap. It walks through how HIPAA actually applies to AI PHQ-9 screening in the current regulatory environment, the seven specific compliance questions that surface real implementation differences between vendors, what each question is actually asking, what good answers look like, what warning signs to watch for, and how the 2026 regulatory changes should shape vendor evaluation.

This is buyer education content. MedLaunch is named at the end as the example vendor in the voice-administered AI category, with a specific recommendation: every clinic’s compliance team should run this same diligence pass on MedLaunch as on any other vendor. The post does not substitute for the practice’s own compliance review.

1. Why HIPAA Is the Procurement Question Most Mental Health Clinics Get Wrong

The framing problem starts with the question itself. Is this vendor HIPAA compliant? sounds like a binary question with a yes-or-no answer. It is not.

HIPAA, specifically the HIPAA Security Rule at 45 CFR §164.308 (Administrative Safeguards), §164.310 (Physical Safeguards), and §164.312 (Technical Safeguards), is a structured framework of specific obligations that Business Associates and Covered Entities must implement. A vendor either implements those obligations correctly, partially, or not at all. “HIPAA compliant” without specificity tells you nothing about which.

Compliance professionals know this. The vendor materials that say “HIPAA compliant” without enumerating the specific safeguards under each rule section are recognized immediately as marketing rather than substance. A confident “we are HIPAA compliant” claim from a vendor who cannot produce documentation of specific encryption standards, specific access controls, specific audit logging implementation, and specific BAA terms is a warning sign, not because the vendor is necessarily non-compliant, but because the documentation gap creates uncertainty that procurement cannot absorb.

The right procurement question replaces “is this vendor HIPAA compliant?” with “what specifically does this vendor implement under each safeguard, and how is it documented?” The seven questions in this guide operationalize that reframing.

There is one more thing worth saying upfront. The 2026 regulatory environment is meaningfully different from even two years ago. The first major update to the HIPAA Security Rule in over two decades is on the OCR’s regulatory agenda for finalization in May 2026. The HHS Office for Civil Rights has explicitly stated that the HIPAA Security Rule governs ePHI used in AI training data and algorithms. Section 1557 nondiscrimination rules now apply to clinical decision support tools, including AI. Multiple states (including California effective January 1, 2026) have enacted specific regulations for AI mental health applications.

A vendor whose HIPAA posture barely meets 2024 standards is a vendor likely to be inadequate by 2027. Procurement diligence that evaluates only current minimums leaves the practice exposed to the regulatory direction the field is moving in. The seven questions are written with both the current standard and the trajectory in mind.

2. How HIPAA Applies to AI PHQ-9 Specifically

Three structural facts ground every compliance discussion that follows.

First — voice recordings containing patient identifiers are ePHI without exception. When a patient verbally completes a PHQ-9 with an AI voice assistant, the audio recording, the transcription, the scored result, and any metadata that links the response to the patient are all electronic protected health information. The voice itself can be a biometric identifier when tied to health information. There is no carve-out for “voice data” or “AI processing.” Once the data is identifiable health information, it is ePHI, and HIPAA applies.

Second — AI PHQ-9 vendors handling ePHI are Business Associates. A Business Associate is an entity that creates, receives, maintains, or transmits ePHI on behalf of a Covered Entity. An AI PHQ-9 vendor administers screening, processes the response, and delivers the scored result. By definition, this is creating, receiving, and maintaining ePHI on behalf of the practice. The vendor is a Business Associate. There is no gray area on this designation.

Third — a Business Associate Agreement is federally required before any ePHI flows. A signed BAA is not optional, not a best practice, not a vendor courtesy; it is a federal requirement. A Covered Entity that allows ePHI to flow to a Business Associate without a signed BAA has itself committed a HIPAA violation, regardless of how careful the Business Associate is with the data. If a vendor will not sign a BAA at the price tier the practice is being quoted, the procurement should not proceed at that tier.

These three facts establish the floor. The seven questions that follow are about what good implementation looks like above the floor.

One more concept matters before the questions: the shared responsibility model. HIPAA compliance is shared between the Covered Entity (the practice) and the Business Associate (the vendor). The practice retains responsibility for its own HIPAA program, its own risk analysis, its own workforce training, its own administrative safeguards, and its own access governance. The vendor is responsible for its role as defined in the BAA, the safeguards it implements, the data it processes, and the breach notifications it provides.

A vendor whose marketing claims to “make your practice HIPAA compliant” is misstating the structure. No vendor can make a Covered Entity HIPAA compliant. The vendor can only fulfill its Business Associate obligations under the BAA. The practice’s broader HIPAA program is the practice’s work. A vendor whose materials understand this distinction is positioned correctly. A vendor whose materials collapse the distinction is signaling a misunderstanding of the regulatory structure — which is itself a warning sign.

3. Question 1 — Will the Vendor Sign a BAA Before Any Patient Data Flows?

This is the foundational question. Every other question in this guide assumes a signed BAA is in place.

What the question is asking

Will the vendor execute a Business Associate Agreement with the practice at the price tier under consideration before any patient data is processed by the vendor’s system?

Why it matters

A BAA is the contractual document that defines what the Business Associate can and cannot do with ePHI, what safeguards it commits to, what breach notification obligations apply, what subprocessor obligations exist, and what happens to ePHI when the contract ends. Without it, the practice has no contractual recourse for vendor failures and is itself in violation of HIPAA the moment ePHI flows.

What the right answer looks like

The vendor signs a BAA before any patient data is processed. The BAA is available at every paid tier, not gated to enterprise. The BAA is the vendor’s standard agreement, with reasonable provisions for negotiation on specific clauses. The vendor can produce a sample BAA for the practice’s legal review during procurement, before signing.

Warning signs

The vendor describes the BAA as “available on the enterprise plan” but not on lower tiers. The vendor offers to “sign a BAA-equivalent” rather than a BAA itself. The vendor’s BAA references obligations that are not actually written into the document. The vendor cannot produce a sample BAA for review until after a signed contract.

Follow-up questions to ask

What are the BAA’s provisions on subcontractor obligations? On breach notification timeline? On data return and destruction at contract termination? On the vendor’s indemnification scope? What is the BAA negotiation process? Are specific clauses open to negotiation, or is it take-it-or-leave-it?

4. Question 2 — What Encryption Is in Place for Voice Data in Transit and at Rest?

What the question is asking

What specific encryption standards does the vendor apply to voice recordings, transcriptions, and scored results both while the data is moving between systems (in transit) and while it is stored (at rest)?

Why it matters

Encryption is the technical safeguard that protects ePHI from unauthorized access if a system is compromised. Under 45 CFR §164.312(a)(2)(iv) (encryption and decryption of stored ePHI) and §164.312(e)(2)(ii) (encryption in transmission), encryption is currently an “addressable” implementation specification, meaning the entity must either implement it or document why it is not reasonable and appropriate and what equivalent alternative measure is used instead. The HIPAA Security Rule update on the regulatory agenda for May 2026 is expected to remove the addressable/required distinction, effectively making encryption mandatory.

For voice data specifically, encryption matters at every stage of the pipeline: capture, transmission, processing, storage, and any temporary caching at subprocessors.

What the right answer looks like

The vendor specifies the encryption standards used, typically TLS 1.2 or higher in transit and AES-256 at rest, both of which are current industry-standard implementations recognized by NIST. The vendor’s encryption documentation is available for review as part of compliance diligence, and it says who controls the keys: encryption at rest with keys the vendor’s own engineers can freely use protects against a stolen disk, not against vendor-side misuse, so key management (a dedicated KMS, rotation, restricted key access) is part of a complete answer. Voice is encrypted on every hop from capture to storage, with no plaintext copy persisted at intermediate steps. Note that literal end-to-end encryption is not possible where the vendor must decrypt the audio to transcribe and score it, so ask what “end-to-end” means in the vendor’s documentation.

Warning signs

The vendor’s marketing says “data is encrypted” without specifying the encryption standard. The vendor cannot produce documentation of which encryption is applied at which stage. The vendor’s encryption is described as “industry-leading” or “bank-grade.” These are marketing phrases, not technical specifications.

Follow-up questions to ask

What encryption is applied at each stage of the voice pipeline (capture, transmission, processing, storage)? Which TLS versions and cipher suites are accepted at the vendor’s endpoints? Who holds and can use the encryption keys, and how are they rotated? What encryption documentation is available for review? Is encryption documentation maintained as part of the vendor’s risk analysis (which is itself an Administrative Safeguard requirement)?

5. Question 3 — What Access Controls Govern Who Can See ePHI in the Vendor’s System?

What the question is asking

Who at the vendor’s organization can access patient data, under what conditions, with what authentication requirements, and how is that access logged?

Why it matters

The HIPAA Security Rule’s Technical Safeguards under 45 CFR §164.312 require unique user identification and emergency access procedures, list automatic logoff and encryption/decryption as addressable specifications, and make audit controls (§164.312(b)) a required standard. Under the proposed Security Rule update expected to finalize in May 2026, multi-factor authentication is likely to become explicitly required. Access controls are the layer that limits the blast radius of any compromise.

For AI PHQ-9 specifically, the access governance question matters because patient voice data and scored results are highly sensitive, and a vendor with weak access controls creates a risk that the BAA does not fully mitigate.

What the right answer looks like

The vendor implements role-based access control (RBAC) with unique user IDs, multi-factor authentication for all administrative and ePHI-accessing roles, automatic logoff after inactivity, and audit logging of every ePHI access event. Access is granted on a minimum-necessary basis (the principle that workforce members should access only the ePHI required for their role, per the HIPAA Privacy Rule).

Warning signs

The vendor cannot describe its access control structure beyond “we have access controls.” The vendor’s authentication does not include MFA for ePHI-accessing roles. Access logging is not retained for a meaningful period or is not auditable. Customer support staff have unrestricted access to all customer data.

Follow-up questions to ask

How does the vendor’s RBAC structure work, what roles exist, and what each role can access? Is MFA required for all ePHI-accessing roles? What is the inactivity timeout for automatic logoff? Are access events logged, and is the log retained for at least the duration of the BAA? Can the practice request an access audit for its own data?

6. Question 4 — What Happens to the Raw Audio After Scoring?

What the question is asking

After the AI has captured the patient’s verbal PHQ-9 responses and produced the scored result, what happens to the raw audio? Is it retained? For how long? For what purposes?

Why it matters

Voice data has a longer compliance tail than text data. Raw audio recordings of patient responses contain biometric voice data plus the literal content of what the patient said, often more information than the scored result reflects. Indefinite retention of voice data creates ongoing compliance exposure proportional to the retention duration. The emerging 2026 standard among well-positioned vendors is “zero retention”: the raw audio is deleted immediately after scoring, leaving only the structured response data and audit metadata.

This is not yet a regulatory requirement, but it is the bar that distinguishes serious vendors from “checkbox compliance” vendors in the current procurement environment.

What the right answer looks like

The vendor specifies the data lifecycle from capture to deletion. Raw audio is either not retained after scoring is complete or retained for a specifically defined and documented purpose (e.g., a defined quality-improvement window) with explicit deletion timing. The retention policy is documented in the BAA, not just in marketing materials. Data deletion at contract termination is committed to in the BAA with a specific timeline.

Warning signs

The vendor cannot specify how long voice data is retained. The vendor’s retention policy is described differently in marketing than in the BAA. Voice data is described as “stored securely” without a retention duration. Data deletion at contract termination is a generic clause without a specific timeline. The vendor mentions data being used to “improve our service” without explaining what that means concretely.

Follow-up questions to ask

What is the specific data lifecycle from capture to deletion? Is raw audio retained after scoring, and if so, for how long and for what purpose? Is the retention policy written into the BAA? What happens to the practice’s data at contract termination? What is the deletion timeline, and does the vendor provide a deletion certification?

7. Question 5 — Is Patient Data Used to Train AI Models?

What the question is asking

Does the vendor use patient data, including voice data, transcriptions, scored results, or any derivative thereof, to train, fine-tune, or improve any AI model, internally or externally?

Why it matters

This is the question most often asked vaguely and answered vaguely. It is also the question where the gap between vendor marketing and contractual reality is widest. A BAA alone does not automatically prohibit a vendor from using ePHI for AI model training; the prohibition has to be explicit. Many vendors in 2024 and 2025 marketed themselves as HIPAA compliant while reserving rights to use de-identified or aggregated data for model improvement, which is a meaningful gap from the buyer’s perspective.

The HHS Office for Civil Rights has explicitly stated that the HIPAA Security Rule governs ePHI used in AI training data, meaning that if patient data is used for training, the training pipeline itself is subject to HIPAA. This is a more stringent regulatory posture than many vendors operated under in earlier years.

What the right answer looks like

The vendor’s BAA explicitly excludes use of patient data for AI model training, both internal and external. The exclusion covers raw audio, transcriptions, scored results, and any derivative data. The exclusion is contractual, not just stated in marketing. The vendor can produce the specific BAA clause that contains the exclusion for the practice’s review.

Warning signs

The vendor’s marketing says, “We don’t sell your data.” This is a different commitment from not training on it. The vendor reserves the right to use “de-identified” or “aggregated” data without specifying whether that includes any AI model training. The vendor describes data use for “service improvement” without distinguishing operational improvement (allowed) from model training (which the buyer may want to exclude). The exclusion is not in the BAA itself, only in supplementary marketing.

Follow-up questions to ask

What is the specific BAA clause on data use for AI model training? Does the exclusion cover internal model improvement as well as external model training? Does it cover de-identified or aggregated data, or only identifiable data? If the vendor uses any data for model improvement, what data, under what conditions, with what additional safeguards?

8. Question 6 — What Audit Logging Exists, and Is It Accessible to the Practice?

What the question is asking

What events does the vendor’s system log for ePHI access, alert delivery, configuration changes, and administrative actions, and is the log auditable by the practice as part of its own HIPAA Security Rule risk analysis?

Why it matters

Audit logging is required under 45 CFR §164.312(b) Audit Controls. The Security Rule requires Covered Entities and Business Associates to “implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”

For AI PHQ-9 specifically, audit logging matters at multiple layers: every patient screening administered, every alert generated and delivered, every clinical staff acknowledgment of a Question 9 alert (PHQ-9 item 9, the self-harm and suicidal ideation item), every access of ePHI by vendor personnel, and every configuration change to the alert routing or severity tiers. The practice’s own HIPAA risk analysis depends on having access to this audit data.

What the right answer looks like

The vendor maintains comprehensive audit logging of ePHI access events, alert generation and delivery, configuration changes, and administrative actions. Logs are retained for at least the duration of the BAA. The practice can request access to its own audit data as part of compliance reviews. The vendor can produce documentation of what events are logged, in what format, and with what retention.

Warning signs

The vendor cannot describe what events are logged. The vendor’s audit log retention is unspecified or short. The practice cannot access its own audit data for compliance reviews. Audit logs do not capture critical events like Q9 alert delivery or vendor staff access to patient data.

Follow-up questions to ask

What specific events are logged, and at what level of detail? What is the audit log retention duration? Can the practice request its own audit data, and what is the process for doing so? Are audit logs themselves protected against tampering, typically through write-once storage or cryptographic integrity controls (hash-chained or signed entries), and is the key or anchor needed to verify them held outside the log store?
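What “cryptographic integrity controls” on an audit log mean concretely: the added example below (illustrative code written for this guide, not MedLaunch’s or any vendor’s implementation) chains each entry to the previous one with an HMAC and shows which kinds of tampering a practice reviewing an exported log can and cannot detect. The event names, the opaque patient token format, the sample events, and the demo key are all assumptions; in a real deployment the key would come from a KMS or HSM that the log store’s writers cannot read.

```python
"""Tamper-evident audit log for an AI PHQ-9 service (added example, not vendor code).
Each entry is HMAC'd together with the previous entry's MAC, so editing, deleting or
reordering records breaks the chain. The key is assumed to live in a KMS/HSM that
log-store writers cannot read; whoever holds both key and store can recompute it."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Event kinds Question 6 says the practice should expect to see logged.
EVENT_KINDS = frozenset({
    "screening.administered",  # a PHQ-9 was administered to a patient
    "alert.generated",         # an item-9 (self-harm) alert was raised
    "alert.delivered",         # the alert reached a clinician channel
    "alert.acknowledged",      # a clinician acknowledged the alert
    "ephi.accessed",           # vendor personnel viewed patient data
    "config.changed",          # alert routing or severity tiers changed
})
GENESIS = "0" * 64                        # "previous MAC" for the first entry
KEY = b"demo-key-would-come-from-a-kms"   # assumption: never stored with the log


def _mac(key: bytes, body: dict) -> str:
    # Canonical JSON so the same logical record always yields the same MAC.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only list of chained, authenticated entries."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[dict] = []

    def append(self, kind: str, actor: str, subject: Optional[str],
               ts: Optional[str] = None, **details) -> dict:
        if kind not in EVENT_KINDS:
            raise ValueError(f"unknown event kind: {kind}")
        body = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "kind": kind,
            "actor": actor,      # unique user or service identity
            "subject": subject,  # opaque patient token: the log itself is ePHI
            "details": details,
            "prev": self.entries[-1]["mac"] if self.entries else GENESIS,
        }
        entry = dict(body, mac=_mac(self._key, body))
        self.entries.append(entry)
        return entry


def verify_chain(entries: List[dict], key: bytes,
                 expected_last_mac: Optional[str] = None) -> List[str]:
    """Return the integrity problems found; an empty list means the log is intact.
    expected_last_mac is the newest MAC recorded out of band (e.g. sent with each
    export). Without it, dropping the newest entries is undetectable."""
    problems: List[str] = []
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "mac"}
        mac = str(entry.get("mac", ""))
        if entry.get("seq") != i:
            problems.append(f"entry {i}: sequence gap (seq={entry.get('seq')})")
        if body.get("prev") != prev:
            problems.append(f"entry {i}: prev-MAC mismatch, chain broken")
        if not hmac.compare_digest(_mac(key, body), mac):
            problems.append(f"entry {i}: MAC mismatch, content altered or wrong key")
        prev = mac
    if expected_last_mac is not None and prev != expected_last_mac:
        problems.append("tail mismatch: newest entries removed or not yet received")
    return problems


def build_sample_log(key: bytes = KEY) -> AuditLog:
    """Constructed events for one screening; no real patient data."""
    log, pt = AuditLog(key), "pt:3f9a"  # opaque token, not an MRN or a name
    log.append("screening.administered", "svc:voice-phq9", pt, "2026-03-02T14:05:10Z",
               total_score=21, item9=2)
    log.append("alert.generated", "svc:alert-router", pt, "2026-03-02T14:05:11Z", tier="urgent")
    log.append("alert.delivered", "svc:alert-router", pt, "2026-03-02T14:05:12Z",
               channel="secure-page", recipient="role:on-call-clinician")
    log.append("alert.acknowledged", "user:clinician-17", pt, "2026-03-02T14:11:40Z")
    log.append("ephi.accessed", "user:vendor-support-04", pt, "2026-03-03T09:30:00Z",
               reason="ticket-8812", fields=["transcript"])
    log.append("config.changed", "user:practice-admin-02", None, "2026-03-04T16:00:00Z",
               setting="alert.urgent.recipients", added=["role:clinical-director"])
    return log


def demo() -> Dict[str, List[str]]:
    """Intact log verifies clean; each tampering scenario is checked, with and without anchor."""
    intact = build_sample_log().entries
    tail = intact[-1]["mac"]                     # anchor recorded out of band
    edited = json.loads(json.dumps(intact))      # deep copy
    edited[3]["actor"] = "user:clinician-09"     # rewrite who acknowledged the alert
    deleted = intact[:4] + intact[5:]            # drop the vendor-access record
    truncated = intact[:-1]                      # drop the newest entry
    return {
        "intact": verify_chain(intact, KEY, tail),
        "edited": verify_chain(edited, KEY, tail),
        "deleted": verify_chain(deleted, KEY, tail),
        "truncated_unanchored": verify_chain(truncated, KEY),
        "truncated_anchored": verify_chain(truncated, KEY, tail),
    }


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(f"{scenario}: {problems or 'OK'}")
```

Two points the scenarios bring out. Editing or deleting a record is caught by the chain alone, but silently dropping the newest entries is not unless the practice holds an out-of-band anchor (the latest MAC, delivered with each export), which is why write-once storage and cryptographic integrity belong together in the follow-up question. And the log itself contains ePHI (who was screened, what they scored, who looked), so it falls under the same access controls and retention commitments as the rest of the data.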

9. Question 7 — What Is the Breach Notification Process and Timeline?

What the question is asking

If a breach occurs at the vendor’s system that affects the practice’s patient data, what is the notification timeline, what is the notification process, and what is the practice’s role in subsequent regulatory notification?

Why it matters

The HIPAA Breach Notification Rule at 45 CFR §§164.400-414 requires Covered Entities to notify affected individuals, HHS, and (for breaches affecting more than 500 residents of a state or jurisdiction) the media of breaches of unsecured PHI. Under §164.410, a Business Associate must notify the Covered Entity of a breach at the BA without unreasonable delay and in no case later than 60 calendar days after discovery; 60 days is the outer limit, not the target. Well-positioned vendors commit to substantially shorter timelines because the practice itself faces the same 60-day federal ceiling (and shorter deadlines in some states) to notify affected individuals, and its clock does not necessarily start when the vendor calls: where the vendor is acting as the practice’s agent, the vendor’s discovery of the breach is imputed to the practice under §164.404(a)(2), so every day the vendor waits before notifying is a day taken off the practice’s own deadline.

What the right answer looks like

The vendor commits in the BAA to a specific breach notification timeline that is meaningfully shorter than the 60-day federal ceiling. The notification process is documented, including what information is provided to the practice, what format, through what channel, and with what immediate response support. The vendor maintains an incident response plan that the practice can review during diligence. The vendor’s breach response includes coordination with the practice’s own breach response, not just unilateral notification.

Warning signs

The vendor commits only to “applicable HIPAA timelines” without specifying. The vendor’s notification process is undocumented. The vendor’s BAA breach clause is generic boilerplate without specific commitments. The vendor has no documented incident response plan available for review.

Follow-up questions to ask

What is the specific breach notification timeline written in the BAA, measured in hours, business days, or calendar days? What information is included in a breach notification? What is the vendor’s incident response plan, and is it available for review during diligence? Has the vendor experienced a reportable breach historically, and how was it handled? What support does the vendor provide for the practice’s own subsequent regulatory notifications?

10. How to Run a HIPAA Diligence Pass on Any AI PHQ-9 Vendor

The seven questions above are the procurement framework. They should be applied to every AI PHQ-9 vendor under consideration, including MedLaunch.

What MedLaunch confirms publicly

Three commitments MedLaunch makes contractually and operationally:

A signed Business Associate Agreement before go-live. MedLaunch executes a BAA with every customer practice before the system processes any patient data. The BAA is available at every paid tier, not gated to enterprise.

Customer-controlled alert routing. The practice’s clinical leadership defines who receives alerts at each Q9 severity tier, through what channel, and with what acknowledgment expectation. MedLaunch implements the configuration; the practice retains the clinical decision-making authority.

Patient data is not used to train AI models. MedLaunch’s BAA explicitly excludes the use of patient data, raw audio, transcriptions, scored results, or derivatives for any AI model training, internal or external. The exclusion is contractual.

What MedLaunch invites the practice to verify directly

For every other safeguard discussed in this guide, encryption standards, access control structure, audit logging, retention duration, breach notification timeline, subprocessor structure, and incident response plan, the practice’s compliance team should request specific documentation from MedLaunch as part of its standard procurement diligence.

This is the right procurement workflow for any vendor in this space, including MedLaunch. The vendor that publishes claims it is willing to substantiate during diligence is positioned differently from the vendor that publishes claims it cannot back up. The practice’s diligence is the mechanism that distinguishes the two.

The seven questions in this guide are the framework. The diligence pass is the practice’s work. MedLaunch is one of several vendors that should be evaluated against the framework, and the practice should expect MedLaunch to substantiate its commitments under the same diligence standard applied to any other vendor.

What to do if the vendor cannot answer

A vendor that cannot answer one or more of the seven questions during diligence is not necessarily disqualified. Some vendors operate compliantly but have not yet formalized documentation. The honest signal is whether the vendor engages with the question seriously, provides the documentation that exists, is transparent about what is in progress, and commits to providing fuller documentation by a specific date, or deflects the question with marketing language.

The first kind of vendor is positioned to mature with the regulatory environment. The second kind is positioned to be inadequate as the environment tightens.

11. The 2026 Regulatory Changes Mental Health Practices Should Track

The procurement diligence is a snapshot. The regulatory direction is the trajectory. A vendor evaluation that captures only current minimums leaves the practice exposed to where compliance is moving.

Three specific changes mental health practices should track in 2026:

Final HIPAA Security Rule update, expected May 2026. The first major update in over two decades. The proposed rule would remove the distinction between “required” and “addressable” safeguards (effectively making encryption, MFA, and other previously addressable specifications mandatory), require formal asset inventories that include AI tools, mandate vulnerability testing and incident response plan documentation, and tighten breach notification expectations. The compliance window after finalization is typically 12-24 months. Vendors whose current posture barely meets the existing rule are likely to be inadequate after finalization.

HHS extension of HIPAA Security Rule to AI training data. The OCR has explicitly stated that the Security Rule governs ePHI used in AI training data and algorithms developed by regulated entities. The implication for AI vendors is that any patient data used in model training is itself subject to HIPAA including the training pipeline, the storage, and the access controls around the training data. Vendors who use patient data for model training (whether or not they market themselves as HIPAA compliant) face a stricter regulatory posture in 2026 than they did in 2024.

Section 1557 nondiscrimination rules for AI clinical decision support. Effective May 1, 2025, regulated organizations must identify and mitigate risks of unlawful discrimination when using AI in patient care decision support, including PHQ-9 screening administered through AI. This is a parallel obligation to HIPAA, not a substitute for it. Practices using AI screening tools should document their compliance with both regimes.

State-level AI mental health regulation. California’s AI mental health chatbot law took effect January 1, 2026, with similar provisions enacted or proposed in multiple other states. Provisions vary but commonly include requirements that AI systems detect mental health crises, refer users to crisis resources, and disclose their AI nature to users. Mental health practices using AI screening should track the specific state requirements that apply to their jurisdiction.

The procurement implication: a vendor whose roadmap is silent on these regulatory changes is a vendor whose 2027 posture is unclear. A vendor that engages with the regulatory direction, can describe how the system will adapt, and treats compliance as ongoing rather than checkbox-completed, is a vendor positioned to remain adequate as the environment tightens.

12. Frequently Asked Questions

Is AI PHQ-9 screening HIPAA compliant?

The question itself is the wrong framing. HIPAA is a structured framework of obligations, not a yes-or-no certification. The right question is whether a specific vendor implements the specific HIPAA safeguards required for its role as a Business Associate, and how the vendor documents that implementation. Any AI PHQ-9 vendor handling patient data on behalf of a practice is a Business Associate under HIPAA and must sign a BAA before patient data flows. The seven questions in this guide are the framework for evaluating whether a specific vendor’s implementation meets the standard.

Does an AI PHQ-9 vendor have to sign a BAA?

Yes, federally, without exception. A Business Associate Agreement is required by HIPAA before a vendor processes ePHI on behalf of a Covered Entity. A vendor that will not sign a BAA or that gates BAA availability to enterprise tiers only should not be processing patient data. The Covered Entity that allows ePHI to flow to a vendor without a signed BAA has itself committed a HIPAA violation.

Are voice recordings of patients PHI?

Yes. A voice recording that contains patient identifiers and relates to treatment, payment, or healthcare operations is electronic protected health information without exception. Voice itself can be a biometric identifier when tied to health information. AI PHQ-9 screening that captures patient voice responses is processing ePHI from the moment the patient begins speaking.

What encryption is required for AI PHQ-9 systems?

Under the current HIPAA Security Rule, encryption is technically classified as “addressable,” meaning a Covered Entity or Business Associate must either implement it or document why an alternative measure is used. In practice, encryption is the operational standard for any system handling ePHI. Industry-standard implementations include TLS 1.2 or higher in transit and AES-256 at rest. The proposed HIPAA Security Rule update, expected to be finalized in May 2026, is anticipated to remove the addressable/required distinction, effectively making encryption mandatory.

What is the difference between “HIPAA compliant” and “HIPAA secure”?

There is no regulatory category called “HIPAA secure.” There is also no certification called “HIPAA compliant” issued by HHS or any federal authority. The HIPAA Security Rule defines specific safeguards that Covered Entities and Business Associates must implement. A vendor either implements those safeguards (with documentation) or does not. Marketing phrases like “HIPAA compliant,” “HIPAA secure,” “fully compliant,” or “industry-leading security” are not regulatory categories; they are vendor positioning. The regulatory question is whether the specific safeguards are in place.

Should I rely on the vendor’s website for HIPAA information?

The vendor’s website is a starting point, not the basis for procurement. The contractual commitments that bind are in the BAA, not in marketing materials. A vendor whose website makes claims that are not reflected in the BAA is making non-binding marketing claims. The practice’s compliance team should verify that the commitments described in marketing actually appear in the executed BAA before signing.

Is SOC 2 certification the same as HIPAA compliance?

No. SOC 2 is an attestation framework defined by the AICPA: an independent CPA firm examines a service organization’s controls against the Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy) and issues a report. A SOC 2 Type II report is useful evidence of operational security maturity over a period of time, but it is not a HIPAA certification, and its scope is whatever the vendor chose to put in scope. A vendor can hold a clean SOC 2 Type II report and still miss specific HIPAA requirements; conversely, a vendor can meet its Business Associate obligations without a SOC 2 audit. Both are valuable signals; neither substitutes for the other. When a vendor offers a SOC 2 report, read the system description and the exceptions, and confirm that the system handling PHQ-9 data is the one in scope.

What if our practice already uses an EHR with PHQ-9 functionality? Does HIPAA apply differently?

The HIPAA framework applies the same way to EHR-native PHQ-9 as to standalone AI PHQ-9 vendors. The EHR vendor is a Business Associate of the practice and must have a BAA in place, encrypt ePHI in transit and at rest, implement appropriate access controls, and so on. The practical difference is that established EHR vendors (SimplePractice, TherapyNotes, ICANotes, etc.) typically have more mature HIPAA documentation. The practice should still verify the specifics during procurement, and in particular confirm that the existing BAA covers any PHQ-9 or AI feature that routes data to a subcontractor rather than staying inside the EHR.

How long should the practice retain audit logs?

This is a practice-level decision based on the practice’s own HIPAA risk analysis, state-level requirements, and operational needs. The HIPAA Security Rule does not name a retention period for audit logs themselves; it requires retention of Security Rule documentation (policies, procedures, and records of actions and assessments) for six years from creation or last effective date. Audit logs that the practice relies on as part of that compliance documentation typically fall under the same six-year retention. The vendor’s audit log retention should be at least the duration of the BAA, with logs made available to the practice on request and, where offered, a longer retention selectable as a practice option.

What should I do if I think my AI PHQ-9 vendor has had a breach?

First, the vendor is contractually obligated under the BAA to notify the practice of breaches affecting the practice’s patient data. If the practice becomes aware of a potential breach independently, the practice should immediately contact the vendor for confirmation and incident response support, and preserve any evidence it already holds. The practice’s own HIPAA breach notification obligations to affected individuals, HHS, and (for breaches affecting 500 or more individuals) the media run from the practice’s discovery of the breach, with a 60-day federal ceiling; breaches affecting fewer than 500 individuals are reported to HHS annually. State-level requirements may be shorter. Because a Business Associate acting as the practice’s agent can have its discovery imputed to the practice, the BAA should require vendor notification within days, not at the 60-day ceiling, so that the practice’s own clock does not run out before it hears of the incident. The practice’s legal counsel and the practice’s HIPAA Privacy Officer should be involved in any breach response from the earliest point.

13. Conclusion

The compliance officer at the start of this guide is asking the right question: what’s actually here?

That question protects the practice, the patients, and the clinical team from the structural failure in which vendor marketing substitutes for vendor implementation and the gap is discovered only when something goes wrong.

The honest answer to that question, for AI PHQ-9 screening in 2026, has three parts.

HIPAA applies in full to AI PHQ-9 voice data, which is ePHI; vendors are Business Associates, BAAs are federally required, and the 2026 regulatory environment is more stringent than it was even two years ago.

“HIPAA compliant” without specificity is a marketing phrase, not a regulatory category. The right procurement question replaces “is this vendor HIPAA compliant?” with “what specifically does this vendor implement under each safeguard, and how is it documented?” The seven questions in this guide are the framework that operationalizes that reframing.

Every vendor, including MedLaunch, should be evaluated against the framework. The vendor that engages substantively with each question, produces documentation where it exists, is transparent about what is still in progress, and welcomes the practice’s compliance diligence is the vendor worth shortlisting. The vendor that deflects with marketing language will only look worse as the regulatory environment tightens.

For mental health practices evaluating AI PHQ-9 screening in 2026, the right procurement workflow is: review this guide, develop the practice’s specific compliance criteria, request documentation from each vendor under consideration, conduct a structured diligence pass against the seven questions, and ensure the practice’s own compliance team or legal counsel reviews the BAA before signing.

The practice’s diligence is the mechanism that distinguishes vendors who are actually positioned to handle ePHI from vendors who are not. The seven questions are the framework. Diligence is the work.

Walk through MedLaunch’s HIPAA documentation with our team.

Book a 20-minute call to review our BAA, alert routing structure, and patient data commitments. Run the seven-question framework against us or any vendor you’re considering.

Book a Call