Question 1: Do You Have a Signed BAA — Not Just Access to a Tool?
Search your email for the vendor's name plus "Business Associate Agreement." If you can't find a signed copy, you don't have one — an account login isn't a BAA, and a vendor's general terms of service usually isn't either. (We cover what a proper BAA actually needs to contain separately.) No signed BAA, patient photos already uploaded: that's the single biggest finding this audit can surface.
Question 2: How Long Do Patient Photos Stay on the Platform?
Check the vendor's privacy policy or ask directly: is there an automatic deletion window, or do photos stay indefinitely unless someone manually removes them? Indefinite retention isn't automatically a HIPAA violation, but it's more risk surface than most practices realize they're carrying — every day a photo sits on a server is another day it could be part of a breach.
Question 3: Where Is the Data Actually Stored?
Ask the vendor directly if you don't know: what country, and under what security certification? A vague answer or no answer is itself the finding.
Question 4: Who on Your Team Can Access Old Patient Photos?
Log into the tool and check the user list. Does it match your current staff? Departed employees with live access to a platform holding patient photos is a common, easy-to-miss gap — audit this list the same way you'd audit practice management software access.
Question 5: What Happens If the Vendor Has a Breach?
Your BAA should specify the vendor's breach notification obligations — how fast they tell you, and what they cover. If you don't have a BAA (see Question 1), you don't have this protection either, regardless of what their marketing page claims about security.
Score Yourself
| Findings | What it means |
|---|---|
| Signed BAA, defined retention, known storage location, current staff list, breach terms specified | Low risk — you're in reasonable shape |
| 1–2 gaps (e.g. BAA exists but retention is unclear) | Moderate risk — close the gaps this week, don't wait for a renewal cycle |
| No signed BAA, and/or indefinite retention with no visibility into storage | High risk — patient photos are PHI; treat this as urgent, not routine |
If You Found Gaps
Contact the vendor and ask for a BAA before uploading another photo — a responsible vendor will have one ready, not a multi-week process. If they can't produce one promptly, that's information about how they treat compliance generally. In the meantime, stop uploading new patient photos to that tool until the agreement is signed.