Passing Epic's Vendor Security Review: SOC 2, HITRUST, BAA & the Evidence Checklist (2026)

Upcoming Webinar

Deploying AI in Regulated Environments: What Pharma Leaders Must Know

June 26, 2026

5:00 PM IST

Live On MS Team

June 25, 2026

15 min read

Epic

Your app works. It cleared Epic's sandbox, the FHIR calls return clean data, a hospital wants it. Then a security questionnaire lands, and the deal that should have closed in a month is still open in month four. The build was never the risk. The vendor security review is.

This is the guide we wish every health-tech founder had before that questionnaire arrived: who actually runs the review, the exact evidence you have to hand over, the two gaps that stall most vendors, and how to get unstuck. It's the work our team does to get clients live, and it's written to help you genuinely pass on merit, not to game a checkbox.

Two reviews, not one

The single most misunderstood thing about going live on Epic: you pass a security review twice, and they're different gates.

Gate 1 — Epic's listing review. To list on the Showroom / Connection Hub, Epic runs an application and technical security review, typically 8 to 16 weeks. This gets you discoverable; it does not get you live.
Gate 2 — each hospital's own review. This is the gate that actually controls go-live, and it's run by that customer's security, privacy, and vendor-management teams. As one integration guide puts it, "every individual hospital must turn the app on, in their environment, on their schedule, and the BAA is signed here, before the first real patient record moves."

Because Epic is federated — every health system runs its own instance and governance — Gate 2 repeats for every customer, each on its own calendar. A peer-reviewed study of one decision-aid integrated across five academic health systems found the whole process took roughly 18 months, and noted that "each institution had different security risk assessment processes, with each requiring departmental approval." The review is not a one-time hurdle; it's a recurring tax.

Why the review exists

It helps to remember what the hospital is actually afraid of. A healthcare data breach is the most expensive kind there is — IBM put the 2024 average at $9.77 million, the costliest of any industry for the 14th year running, easing to $7.42 million in 2025. The vendor you're asking them to plug into their record is new attack surface. The review is the hospital pricing that risk before it says yes.

Who runs it, and in what order

It isn't one person with a checklist. It's a cross-functional gauntlet, and knowing the cast tells you what each reviewer cares about.

CISO / InfoSec — your cyber controls, the questionnaire, the evidence.
Privacy officer — HIPAA, minimum-necessary, the BAA.
Vendor management/procurement — intake, risk tiering, and the contract.
Legal — BAA redlines.
Clinical operations — workflow and system-dependency risk.

The sequence most hospitals run: classify the vendor by PHI access, verify your compliance evidence, check your security controls, score the risk, then approve and monitor. A surgeon-founder described the room bluntly: "IT security, procurement, legal, compliance, the CIO's office. This floor is not interested in your clinical outcomes story. They are interested in risk." And a real health-system reviewer summed up the trigger: "When we bring in new technology, it has to go to Security, Privacy, Architecture, and Data Assurance review, but if there is no PHI it will get blessed faster." PHI is what turns a quick yes into the full gauntlet.

The evidence pack: what you actually hand over

The review feels mysterious until you see that it's a finite list of artifacts. Have these ready, and the review takes weeks; discover them mid-review, and it takes quarters.

SOC 2 Type II report, scoped to the right systems
HITRUST (i1 or r2), where the buyer expects it
Penetration test within the last 12 months (attestation, full report under NDA)
Signed BAA template with subcontractor flow-down
Subprocessor list, reconciled to the BAA
Application-level PHI access audit logs
MFA, RBAC, documented offboarding
Encryption in transit and at rest
Data-flow diagram and an incident-response plan

SOC 2 Type II, in one view

SOC 2 is the baseline most hospitals expect. The detail that matters for the review:

Only the Security criterion is mandatory (the "Common Criteria"). Availability, Confidentiality, Processing Integrity and Privacy are added based on what you commit to.
Type II tests controls over a period — three months is the technical minimum, six to twelve is the norm hospitals prefer; a short window reads as "they got organized for the audit."
The bridge letter covers the gap between the report period and today. It's signed by your management, not the auditor (a CPA can't attest beyond the report period), and shouldn't stretch more than ~3 months.
Scope is everything. If the report doesn't cover the patient-facing app, the PHI-handling API, and the data pipeline, procurement will notice the gap.

HITRUST: which tier, and the honest truth about "required"

HITRUST is the healthcare-leaning certification, and the tier you need depends on the buyer.

e1 — 44 requirements, 1-year validity, and an entry assessment.
i1 — 182 requirements, 1-year, moderate assurance.
r2 — a tailored ~300 to 400 controls, 2-year validity, the one hospital and health-plan buyers most often expect.

One honest clarification, because the internet blurs it: roughly 84% of hospitals and health plans use the HITRUST CSF in some capacity (a 2018 HIMSS figure widely repeated since). That is not the same as "84% require HITRUST certification of their vendors." Many accept SOC 2 Type II. Treat HITRUST as a strong accelerant — a buyer can review your r2 report instead of sending a 200-question assessment — rather than a universal gate.

The questionnaires you'll meet

Different buyers reach for different questionnaires. Knowing them keeps you from starting each one from scratch.

HECVAT — built for higher education (EDUCAUSE), occasionally borrowed in healthcare.
Censinet — the healthcare-native third-party-risk platform that many health systems actually run the review through.
SIG — a broad questionnaire (18 risk domains) from Shared Assessments.
CAIQ — cloud-specific, from the Cloud Security Alliance.

Keep a completed SIG and CAIQ on the shelf so you can answer a customer's questionnaire the same day instead of writing it under deal pressure.

The two things that stall most reviews

Across the practitioners who've been through this, two gaps block more deals than anything else.

#1 — Subprocessor list versus BAA. In a security consultancy's words: "Hospital procurement will request your full sub-processor list and compare it against your BAA's sub-processor coverage. Any tool that touches PHI and is not listed will be flagged down." The forgotten one is usually a logging, email or analytics service. HIPAA requires that flow-down (45 CFR §164.504(e)), so a gap here is a real finding, not a nitpick.
#2 — Incomplete PHI access audit logs. Again: "The common gap hospital procurement finds most often is application-level PHI access logs. That absence is a HIPAA audit control failure, not just a SOC 2 gap." Infrastructure logs aren't enough; you need who-saw-which-record-when at the application level.

Behind those: a SOC 2 whose scope doesn't cover the right systems, a missing bridge letter, no enforced MFA, and undocumented policies. And a procedural trap worth knowing — submit an incomplete or flawed package and you can go to the back of the queue, which alone adds 2 to 3 months.

The 2026 regulatory backdrop

The bar is moving. HHS published a proposed overhaul of the HIPAA Security Rule on January 6, 2025, that would make today's "addressable" safeguards mandatory — including encryption of ePHI and multi-factor authentication, annual penetration testing, and tighter breach timelines. As of mid-2026, the rule is not finalized (over a hundred hospital systems asked HHS to withdraw it, and the spring 2026 target passed with nothing published), so its fate is open. But the direction is clear, and reviewers increasingly ask for MFA and encryption now. Build for that floor, and you're ahead of the rule either way.

How to get through it faster

You can't make the hospital move faster, but you can stop adding self-inflicted delay.

Have your SOC 2 Type II and BAA ready before you start. SOC 2 from scratch is months of observation window you can't compress later.
Reconcile your subprocessor list to the BAA up front — the #1 stall, closed before procurement finds it.
Turn on application-level PHI audit logging — the #2 stall.
Keep a completed SIG/CAIQ on the shelf so questionnaires have a same-day answer.

This is the moment our team is built for. We get health-tech products through the Epic gauntlet — the FHIR build, the access path in our guide to getting into Epic, the timeline (see how long it really takes), and the security review you're staring at now. If you're stuck in one, our healthcare interoperability solutions team can help you get unstuck, and our custom healthcare software development team builds to pass the review by design. Talk to our team.

Frequently Asked Questions

How long does Epic's vendor security review take?

There are two reviews. Epic's own listing review for Showroom / Connection Hub runs about 8 to 16 weeks. Then each hospital runs its own vendor security review before go-live, typically 4 to 16 weeks per site, and it repeats for every customer. End to end, expect the security and provisioning phases to add several months, and a SOC 2 Type II from scratch adds months before you can even submit.

Do I need SOC 2 and HITRUST to integrate with Epic, or just one?

SOC 2 Type II is the common baseline most hospitals expect. HITRUST (i1 or r2) is a strong accelerant — many health systems will review a HITRUST r2 report instead of sending a long questionnaire — but it isn't universally required; plenty accept SOC 2. Roughly 84% of hospitals use the HITRUST CSF, which is not the same as requiring certification of their vendors. Match the evidence to what your specific buyer asks for.

Is a BAA required to put an app on Epic?

Yes. A signed Business Associate Agreement is non-negotiable before any PHI moves, and it's signed with each hospital, not once. It must flow down to every subprocessor that touches PHI (45 CFR §164.504(e)). Reconciling your subprocessor list against your BAA coverage is the single most common thing that stalls a review.

What stalls an Epic security review the most?

Two gaps. First, a subprocessor list that doesn't reconcile to your BAA — any PHI-touching tool (logging, analytics, email) not listed and BAA-covered gets flagged. Second, incomplete application-level PHI access audit logs, which is a HIPAA control failure, not just a SOC 2 gap. Behind those: SOC 2 scope mismatch, a missing bridge letter, no enforced MFA, and undocumented policies.

Can an offshore or global team pass a hospital's security review?

Yes, with the right safeguards. HIPAA applies regardless of geography, so the constraint is handling, not location. Keep offshore engineers on de-identified data in development, grant production-PHI access only through scoped, logged, MFA-gated paths, list the offshore entity as a subprocessor, and keep a BAA in the chain. Disclose offshore arrangements and show the controls rather than hiding them.

What's the difference between Epic's review and the hospital's review?

Epic's review gets you listed on Showroom / Connection Hub — it's about discoverability and basic technical/security validation. Each hospital's own review is the gate that controls go-live in their environment, run by their CISO, privacy officer and vendor-management teams, and it's where the BAA is signed. The hospital review repeats for every customer because Epic is federated.

Mirth Connect + Epic Integration: The Production Playbook

EpicMirth Connect