Field notes

Healthcare RFP compliance patterns

An analysis of HIPAA, HITRUST, and data-residency clauses across 50 hospital-system RFPs. What language is now standard, what is still customer-specific, and the three clauses that have sharpened since 2024.

By the PursuitAgent research team (Research, 10 min read)

We pulled 50 hospital-system and integrated-delivery-network RFPs that closed between January 2025 and August 2025, with permission from anonymizing partners or from the publicly available state-procurement portals where the originals live. The goal: characterize the compliance language that hospital-system buyers now routinely require, and flag the patterns that have shifted recently.

This is a sample, not a census. Fifty RFPs across roughly 30 hospital systems is enough to see structure but not enough to make claims about every healthcare buyer. The systems span academic medical centers, regional integrated networks, and a handful of national health-system parents.

Pattern 1 — HIPAA language is now standardized

Forty-eight of 50 RFPs included HIPAA Business Associate Agreement (BAA) language as a mandatory attachment or required clause. The two that did not were both pure infrastructure procurements (HVAC, electrical) where the vendor would not encounter PHI.

The standardization has gone further than even five years ago. The BAA language across the 48 RFPs clusters around three template sources: the AHA’s reference template, the HHS sample BAA, and a small number of system-specific variants that appear to have started from one of those two. Vendors with a single mature BAA template that has been pre-cleared by their counsel can respond to most healthcare RFPs without legal triage on this clause.

What is not standardized: subcontractor flow-down requirements. Eighteen of 48 RFPs required vendors to flow BAA terms to subcontractors with specific named obligations (notification timelines, breach reporting). The remaining 30 used softer language (“comparable obligations,” “reasonably similar terms”). Vendors with subcontractors should expect this clause to be specifically negotiated.

Pattern 2 — HITRUST is rising, not yet ubiquitous

Twenty-six of 50 RFPs (52%) required, requested, or scored HITRUST certification. Two years ago, our partner’s archive showed roughly 30% asking for HITRUST. The rise is real.

Of the 26, 11 required HITRUST CSF certification as a hard gate (no certification, no bid) and 15 listed it as preferred or scored. The split roughly tracks the line between systems that treat HITRUST as the de facto floor (large academic medical centers, large integrated networks) and systems that still treat it as a differentiator (regional networks, specialty hospitals).

What is not yet standard: HITRUST i1 vs. r2 language. Some RFPs accept either. Some specifically require r2. A few require i1 with a roadmap to r2. Vendors with i1 only should read the clause carefully — submitting an i1 attestation against an r2 requirement is technically non-compliant.

Pattern 3 — Data residency clauses, sharpened

Data residency is the area that has changed the most since 2024. In the 2024 baseline (we did the same analysis last year on a smaller sample), about 40% of healthcare RFPs had explicit data-residency language, and most of it was generic (“data must remain in the United States”).

In the 2025 sample, 39 of 50 RFPs (78%) had explicit data-residency language. The language has sharpened in three specific ways:

Region specificity. Eighteen of 39 specified particular cloud regions (e.g., “AWS us-east-1, us-east-2, us-west-2”) rather than a generic country boundary. This locks out vendors that use other regions for failover, which has implications for disaster-recovery architecture.

Subprocessor disclosure. Twenty-four of 39 required disclosure of all data subprocessors with their geographic locations. Vendors who use a CDN, an email-deliverability service, or a logging vendor have to enumerate all of them with their data residency posture.

Re-residence on request. Eleven of 39 included a clause requiring the vendor to re-residence data on the buyer’s request within a defined period (commonly 90 days). This is a meaningful operational obligation. Vendors should price it.

Pattern 4 — Breach notification timelines, tightening

HIPAA’s 60-day breach notification floor is the regulatory minimum. The 50 RFPs we sampled told a different story.

  • 24-hour notification: 4 RFPs.
  • 48-hour notification: 11 RFPs.
  • 72-hour notification: 17 RFPs.
  • 5-day notification: 6 RFPs.
  • 60-day or “as required by law”: 12 RFPs.

The median has moved to 72 hours, well below the regulatory floor. Vendors operating in this space should align their incident-response runbooks to a 72-hour external-notification commitment. The Safe Security research on vendor security questionnaire patterns shows a similar tightening across non-healthcare verticals.

Pattern 5 — Specific security framework questions

Forty-three of 50 RFPs included a security questionnaire or DDQ as an attachment. Of those:

  • 19 used a SIG variant (mostly SIG Lite or SIG Core).
  • 11 used a CAIQ variant.
  • 8 used a custom buyer-specific questionnaire.
  • 5 used a HITRUST-derived shortform.

The 8 with custom questionnaires are where vendors burn the most time. Those questionnaires don’t map cleanly onto a vendor’s KB-cached answers, and the SME burden is roughly 2x compared to a SIG or CAIQ. We covered the mechanics in the DDQ response playbook.

Pattern 6 — Insurance requirements, more granular

Hospital systems are pushing more granular insurance language than they were two years ago. The historical baseline was a flat requirement: general liability $X million, professional liability $Y million, cyber liability $Z million. The 2025 sample shows differentiation:

  • 31 of 50 specified per-incident vs. aggregate limits (the older baseline left this ambiguous).
  • 19 of 50 required specific cyber-liability coverage for HIPAA-related incidents distinct from general cyber.
  • 14 of 50 required coverage for breach-notification costs as a named line item.
  • 9 of 50 required tail coverage for a specified period after contract end.
  • 6 of 50 required errors-and-omissions coverage in addition to professional liability.

This is meaningful for vendors. Insurance riders cost money and have to be in place before contract execution. A vendor whose policy was written against the historical baseline may discover at award time that they need additional coverage. The 90 days between award and execution is not a comfortable window to negotiate new insurance.

Pattern 7 — Audit and inspection rights

Twenty-eight of 50 RFPs (56%) included explicit audit and inspection rights for the buyer. These rights take three forms in roughly equal proportions:

  • Documentation review. Buyer can request specified documents (audit reports, security assessments, training records) on a defined cadence. Lowest burden.
  • Self-assessment attestation. Buyer requires the vendor to complete and return a defined self-assessment, often annually. Moderate burden.
  • On-site or remote inspection. Buyer reserves the right to conduct an audit, sometimes with named third-party assessors. Highest burden.

The third form is the one that vendors should price into the bid. An on-site inspection is staff time, prep time, and remediation time if findings emerge. The clauses we sampled differ on whether the buyer pays for these audits or the vendor does — 17 of 28 specified vendor-paid; 6 specified buyer-paid; 5 were silent.

Pattern 8 — Telehealth and remote-care addendums

A new pattern we did not see in the 2024 baseline: 14 of 50 RFPs (28%) included telehealth-specific or remote-care-specific addendums. These addendums layered on top of the standard HIPAA language and added clauses around state-specific telehealth licensure, audio-versus-video session storage requirements, and patient-consent flows for cross-border care.

Vendors operating in the telehealth space should expect this trend to continue. Vendors who are not in that space but support buyers who use telehealth (e.g., scheduling, EHR integration, identity) may find themselves pulled into the addendum requirements anyway.

What this means for healthcare proposal teams

The compliance work is more standardized than it used to be, but not uniformly across buyers. The leverage from a well-maintained KB of compliance answers is highest on the SIG and CAIQ-derived questionnaires (about 60% of the volume). The custom-questionnaire RFPs still require SME triage on every bid.

Two operational implications:

Pre-stage your evidence library. SOC 2, HITRUST attestation letters, BAA templates, subprocessor lists with geographic data — all should live in a versioned, dated KB structure. We covered the evidence-attachment API in the DDQ evidence-attachment changelog.

Treat data-residency as architecture, not paperwork. The clauses are sharper than they used to be. A vendor whose architecture cannot meet the buyer’s specific cloud-region requirement cannot just write a clever paragraph. Catch this at bid/no-bid, not at the legal review.
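A concrete way to catch a region-level residency clause at bid/no-bid, covering both the sharpened clauses in Pattern 3 (region specificity, subprocessor disclosure with geography) and the "architecture, not paperwork" point above. This is an added example, not code from the article or from PursuitAgent; it assumes the vendor keeps an inventory of its own deployments and subprocessors tagged with every cloud region where customer data is stored or replicated, failover targets included. All component names, regions and the clause values are constructed sample data.

```python
"""Bid/no-bid check for region-level data-residency clauses.

Added example, not from the original article. It assumes a vendor keeps
an inventory of its own deployments and its subprocessors, each tagged
with the cloud regions where customer data is stored or replicated,
including failover targets. All region names and vendor names below are
constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str           # system or subprocessor (constructed names)
    kind: str           # "primary", "failover", or "subprocessor"
    regions: frozenset  # cloud regions where this component holds data
    country: str        # country of the region set, for country-level clauses


@dataclass
class ResidencyClause:
    allowed_regions: frozenset = frozenset()   # empty means country-level only
    allowed_countries: frozenset = frozenset({"US"})
    requires_subprocessor_disclosure: bool = False


def residency_findings(inventory, clause):
    """Return (component, reason) pairs that violate the clause.

    Under a region-specific clause a component fails if any region it uses,
    failover included, is outside the allowed set. Under a country-level
    clause only the country is checked.
    """
    findings = []
    for c in inventory:
        if clause.allowed_regions:
            bad = sorted(c.regions - clause.allowed_regions)
            if bad:
                findings.append((c.name, f"{c.kind} in disallowed region(s): {', '.join(bad)}"))
        elif c.country not in clause.allowed_countries:
            findings.append((c.name, f"{c.kind} outside allowed countries: {c.country}"))
    return findings


def subprocessor_disclosure(inventory):
    """Build the disclosure table the sharpened clauses ask for: each subprocessor with its regions."""
    return sorted(
        (c.name, c.country, sorted(c.regions))
        for c in inventory if c.kind == "subprocessor"
    )


def bid_decision(inventory, clause):
    """'bid' only when nothing in the inventory conflicts with the clause."""
    findings = residency_findings(inventory, clause)
    return ("bid" if not findings else "no-bid", findings)


# Constructed inventory: primary in us-east-1, failover in ca-central-1,
# a CDN with an EU edge footprint, and a US-only logging vendor.
SAMPLE_INVENTORY = [
    Component("app-primary", "primary", frozenset({"us-east-1"}), "US"),
    Component("app-failover", "failover", frozenset({"ca-central-1"}), "CA"),
    Component("cdn-vendor", "subprocessor", frozenset({"us-east-1", "eu-west-1"}), "multi"),
    Component("log-vendor", "subprocessor", frozenset({"us-west-2"}), "US"),
]

# Constructed clause in the style the article quotes: named regions plus disclosure.
REGION_CLAUSE = ResidencyClause(
    allowed_regions=frozenset({"us-east-1", "us-east-2", "us-west-2"}),
    requires_subprocessor_disclosure=True,
)
COUNTRY_CLAUSE = ResidencyClause()  # generic "data must remain in the United States"

if __name__ == "__main__":
    for label, clause in (("region-level", REGION_CLAUSE), ("country-level", COUNTRY_CLAUSE)):
        decision, findings = bid_decision(SAMPLE_INVENTORY, clause)
        print(f"{label}: {decision}")
        for name, reason in findings:
            print(f"  {name}: {reason}")
    if REGION_CLAUSE.requires_subprocessor_disclosure:
        for row in subprocessor_disclosure(SAMPLE_INVENTORY):
            print("disclose:", row)
```

Running it shows the point of the region-level clause: the failover site in ca-central-1 passes nothing and the CDN's EU edge region fails too, so the answer is no-bid unless the architecture changes, whereas a vendor with only the primary and the logging vendor would clear the same clause. The disclosure table is the artifact the 24-of-39 subprocessor clauses ask for, generated from the same inventory rather than written by hand per bid.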

Pattern 9 — Vendor-supplied training and awareness language

Sixteen of 50 RFPs (32%) included specific requirements around vendor-employee training: HIPAA training cadence (often annually), security-awareness training, role-specific training for staff handling PHI. Of those, 9 required the vendor to attest to training completion on a defined cadence (usually quarterly or annually), and 4 required vendor-supplied training records on request.

This is downstream cost for vendors. A vendor whose internal training cadence does not align with the buyer’s required cadence has to reconcile the two — either changing internal cadence or producing buyer-specific tracking. Smaller vendors are disproportionately affected; an enterprise vendor with mature training-tracking is unbothered.

Pattern 10 — De-identification and minimum-necessary clauses

Twenty-two of 50 RFPs (44%) included specific de-identification or minimum-necessary clauses. The pattern: the buyer requires the vendor to receive only the minimum PHI necessary for the contracted service, and to apply de-identification when feasible. This shows up most in analytics, research-support, and population-health vendors.

The clause is reasonable on its face but operationally non-trivial. A vendor whose architecture pulls full patient records and filters in application code is technically receiving more than minimum-necessary, even if only minimum-necessary is processed. Some buyers care about the technical receipt; some care about the processing. The RFP language usually does not distinguish, and vendors should ask in Q&A.
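The receipt-versus-processing distinction above is easiest to see with a receipt log at the boundary. The following is an added example, not code from the article or from PursuitAgent; it models a buyer-side record source with one constructed, entirely fake patient record and compares the two vendor access patterns the paragraph describes: pulling the full record and filtering in application code, versus requesting only the named fields. The log records which PHI fields actually crossed into the vendor's environment, which is what a buyer who cares about technical receipt will ask about.

```python
"""Minimum-necessary at the receipt boundary vs. in application code.

Added example, not from the original article. The record source stands in
for the buyer's API; the record, field names and patient id are constructed
sample data, not real PHI.
"""

# Constructed sample patient record; every value is fake.
SAMPLE_RECORDS = {
    "pt-0001": {
        "mrn": "0001",
        "name": "Sample Patient",
        "dob": "1970-01-01",
        "ssn": "000-00-0000",
        "diagnoses": ["E11.9"],
        "encounter_dates": ["2025-03-04"],
        "zip": "00000",
    }
}

# Fields the contracted service (say, a population-health dashboard) actually needs.
MINIMUM_FIELDS = ("mrn", "diagnoses", "encounter_dates")


class RecordSource:
    """Stands in for the buyer's API and logs every field it hands out."""

    def __init__(self, records):
        self._records = records
        self.receipt_log = []  # (patient_id, tuple of fields released)

    def get(self, patient_id, fields=None):
        record = self._records[patient_id]
        released = {k: record[k] for k in (fields or record.keys())}
        self.receipt_log.append((patient_id, tuple(released)))
        return released


def fetch_full_then_filter(source, patient_id, needed):
    """Pattern some buyers reject: the full record is received, then trimmed in app code."""
    full = source.get(patient_id)
    return {k: full[k] for k in needed}


def fetch_minimum(source, patient_id, needed):
    """Pattern that satisfies both readings: only the named fields are requested."""
    return source.get(patient_id, fields=needed)


def excess_received(source, needed):
    """PHI fields that crossed the boundary but were not needed, per request."""
    needed = set(needed)
    return [(pid, sorted(set(got) - needed))
            for pid, got in source.receipt_log if set(got) - needed]


def compare_patterns():
    """Run both patterns against fresh sources and return their excess-receipt lists."""
    results = {}
    for label, fn in (("full_then_filter", fetch_full_then_filter), ("minimum", fetch_minimum)):
        src = RecordSource(SAMPLE_RECORDS)
        processed = fn(src, "pt-0001", MINIMUM_FIELDS)
        assert set(processed) == set(MINIMUM_FIELDS)  # both patterns process the same fields
        results[label] = excess_received(src, MINIMUM_FIELDS)
    return results


if __name__ == "__main__":
    for label, excess in compare_patterns().items():
        print(label, "excess PHI received:", excess or "none")
```

Both patterns process exactly the same three fields, so a vendor describing its processing is telling the truth either way; only the receipt log shows that the first pattern also received name, date of birth, SSN and ZIP. If the Q&A answer is that the buyer cares about technical receipt, the fix is field projection at the request, not a filter after it.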

Cross-pattern observations

Looking across all eight patterns, two cross-cutting observations.

The “compliance as evidence” trend. Three years ago, hospital-system RFPs would accept assertions: “we maintain X certification.” Today, more RFPs require attached evidence: a current attestation letter, a redacted SOC 2 report, a HITRUST validation summary. This shifts vendor work from writing about compliance to maintaining a current evidence library. We covered the implications for evidence vault tooling in the DDQ evidence-attachment API post.

The “named subprocessor” trend. Several patterns above touch on this — data residency, BAA flow-down, audit rights. The common thread is that hospital-system buyers are pushing transparency further down the supply chain. They want to know who your CDN is, who your email vendor is, who your monitoring SaaS is. Vendors with small fourth-party lists have an easier time. Vendors with sprawling subprocessor lists have to either narrow them or invest in subprocessor-disclosure tooling.

Pattern 11 — Disaster recovery and BCP language

Sixteen of 50 RFPs (32%) included specific recovery-time-objective (RTO) and recovery-point-objective (RPO) requirements with named numerical targets. Of those, the median RTO was 4 hours and the median RPO was 1 hour. The tightest targets we saw: 1-hour RTO, 15-minute RPO (for an EHR-adjacent vendor). The loosest: 24-hour RTO, 8-hour RPO.

These numbers are sometimes negotiable and sometimes not. The clauses we sampled split roughly evenly: half required the vendor to commit to the buyer’s named targets in the proposal, half allowed the vendor to propose alternative targets with justification. Vendors should read the BCP clause carefully — committing to a 1-hour RTO without the architecture to deliver it is a future contract breach.

Three clauses that have sharpened since 2024

If we had to highlight the three clauses that look meaningfully different from the 2024 baseline, they would be:

  1. Data residency at the cloud-region level. This was rare in 2024. It is mainstream now.
  2. Breach notification at 72 hours or sooner. The median has tightened. Vendor incident-response runbooks should align.
  3. Subprocessor disclosure with geographic data. The transparency expectation has stepped up, with implications for vendors with international support staffing.

Vendors who responded to a hospital-system RFP using a 2024-era boilerplate would, in roughly half the cases, find themselves non-compliant on at least one of these three. Refreshing your boilerplate is not optional.

We will run this analysis again next year. The trend lines we are watching: HITRUST adoption, breach-notification timeline median, and whether the custom-questionnaire share decreases as more buyers standardize on SIG or CAIQ.

Sources

  1. HHS — HIPAA Privacy and Security Rules
  2. HITRUST Alliance — CSF documentation
  3. Safe Security — Vendor security questionnaire best practices