Signing a medical courier contract without first verifying HIPAA compliance is a common mistake — and one that typically surfaces only when a regulatory auditor or an adverse event demands documentation that was never created. This guide gives procurement managers, compliance officers, and laboratory administrators a practical framework for evaluating a prospective medical courier before committing to a service agreement.
Step 1: Request the Business Associate Agreement Before the Sales Conversation Ends
Any legitimate HIPAA-compliant courier maintains a standard BAA template and can produce it within 24 hours of request. If a potential vendor cannot produce a BAA or tries to defer this conversation until after contract signing, that is a red flag. Review the BAA for: permitted and prohibited uses of PHI, safeguard obligations, breach-notification timeline (must be 60 days or less from discovery), sub-contractor data-flow disclosures, and termination and return/destruction of PHI provisions.
Step 2: Verify Driver Training on PHI Handling
Ask for documentation of workforce HIPAA training. Acceptable evidence includes dated training certificates with driver names, a training policy that specifies frequency (annual at minimum), and training content that covers minimum-necessary PHI handling, tamper-evident packaging protocols, and what to do in the event of a lost or damaged shipment. Verbal assurances are not sufficient.
Step 3: Inspect Their Chain-of-Custody Process
Ask for a redacted sample chain-of-custody (COC) record from a recent run. This tells you whether their documentation is contemporaneous and complete, how they identify drivers and recipients, whether temperature data is captured for cold-chain runs, and how long records are retained. If they cannot produce a sample record, they likely do not have a meaningful COC program.
Step 4: Evaluate Their Packaging Standards
Ask to see the tamper-evident bags, coolers, or containers they use. Adequate specimen packaging includes biohazard-labeled outer bags, absorbent material between primary and secondary containers, and leak-proof sealing. Cold-chain packaging should include validated insulated containers and refrigerant appropriate to the required temperature range, with temperature indicators or data loggers.
Step 5: Understand Their Breach-Response Protocol
A courier that has not thought through its breach-response process is a liability. Ask: “What happens if a package with labeled specimens is lost?” A compliant answer includes immediate notification to your facility, incident documentation, assessment of PHI exposure risk, and reporting to you within the contractually defined window. Vague answers about “doing their best” are not acceptable.
Step 6: Check Insurance and Credentials
A professional medical courier should carry commercial auto liability, general liability, and cargo insurance. Request a certificate of insurance (COI) naming your organization as an additional insured for the term of the contract. Also verify any applicable state licenses, OSHA bloodborne pathogen training documentation for drivers, and any industry certifications they claim.
Step 7: Conduct a Reference Check with a Similar Facility
Ask for references from current clients whose volume, specimen type, and service-level requirements are similar to yours. Speak directly with the laboratory manager or compliance officer at the reference site — not the operations contact. Ask specifically about COC documentation quality, STAT reliability, and whether the courier has ever had a reportable incident and how they handled it.
Red Fox Medical Courier: Ready for Your Due Diligence
Red Fox Medical Courier can provide a BAA for review, sample COC documentation, driver training records, and a certificate of insurance on request. Our credentials package is available to prospective clients prior to contract execution. We welcome rigorous procurement vetting — it is how lasting healthcare partnerships are built.