12 Questions to Ask Before Hiring a Virtual Medical Assistant Company

A decision framework for practice owners actively evaluating vendors. Covers BAAs, background checks, replacement policies, EHR access, and the red flags that separate good vendors from bad ones.

June 11, 2026 8 min read

Choosing a virtual medical assistant company is not like hiring a freelancer or subscribing to a software tool. The company you choose will have access to your patients' protected health information, will represent your practice to patients on the phone, and will be embedded in your clinical workflows on a daily basis. A bad choice creates HIPAA liability, workflow disruption, and replacement costs that take months to recover from. A good choice compounds returns over time.

The market for virtual medical staffing has grown significantly, and the quality variance between providers is wide. Some are HIPAA-compliant, specialty-trained, and operationally disciplined. Others are general VA marketplaces that added a healthcare category without building the compliance infrastructure to support it. The 12 questions below separate the two.

Questions 1–4: HIPAA and compliance

Question 1: Do you sign a Business Associate Agreement at the company level, and do you provide your HIPAA training documentation on request? HIPAA requires a BAA between your practice and the vendor before the vendor creates, receives, maintains, or transmits PHI on your behalf, and a VA reading your patient records is exactly that. Any provider who hedges on this question, or who says the individual VA signs the BAA rather than the company, is a compliance risk: the company is the business associate, the VA is part of its workforce, and the company must sign. Request a sample BAA before you are in a contract conversation.

Question 2: How are your assistants HIPAA trained and how often is training renewed? Look for specifics: what curriculum, what duration, what format, and what happens if a VA fails the training or their certification lapses. Annual training renewal is the minimum acceptable standard. Providers with a proprietary HIPAA training program tailored to healthcare workflows are preferable to those using generic online compliance courses.

Question 3: How is EHR access provisioned and audited? The answer should be: the practice issues named EHR credentials with role-based permissions, the VA never shares credentials with other staff, and access is revoked at the end of the engagement. Ask who monitors EHR activity logs and what the escalation process is if unusual access patterns are detected, for example the same account active from two locations at once, actions outside the VA's assigned role, chart volume far above what the workload explains, or any activity on an account that should already have been disabled.

Question 4: What is your breach response protocol and what is your notification timeline? The HIPAA Breach Notification Rule requires notification to affected individuals, to HHS, and in some cases to the media within specific timeframes; the outer limit is 60 days from discovery of the breach, and a business associate must notify the covered entity within that same outer limit. Because 60 days is a ceiling and not a target, the BAA should set a much shorter contractual deadline (days, not weeks) for the vendor to report a suspected breach or security incident to you. The provider should have a documented breach response plan and be able to describe it clearly.
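The monitoring side of Question 3 is easier to evaluate if you know what "unusual access patterns" looks like in practice. The script below is an added example written for this guide; it is not code from any vendor or EHR. It runs four checks over an EHR audit export: actions outside the VA's assigned role, activity after the engagement end date (a revocation failure), the same account used from two source IPs within a few minutes (a credential-sharing indicator), and more distinct charts opened in an hour than the role plausibly needs. The log format, the engagement record, the role-to-action map and every threshold are assumptions, and the log lines are constructed sample data, since each EHR exports its audit trail differently.

```python
"""Flag EHR audit-log patterns a practice should escalate to its vendor.

Added example for this guide. The export format, role map, engagement
record and thresholds are all assumptions; adapt them to your EHR.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp, account, source IP, action, patient id.
SAMPLE_LOG = """\
2026-06-01T09:02:11 va.jsmith 203.0.113.10 view_chart P1001
2026-06-01T09:04:40 va.jsmith 203.0.113.10 update_demographics P1001
2026-06-01T09:05:02 va.jsmith 198.51.100.7 view_chart P1002
2026-06-01T09:06:15 va.jsmith 203.0.113.10 view_chart P1003
2026-06-01T10:15:00 va.jsmith 203.0.113.10 export_records P1003
2026-06-02T11:00:00 va.jsmith 203.0.113.10 view_chart P1004
2026-06-02T11:05:00 va.jsmith 203.0.113.10 view_chart P1005
2026-06-02T11:10:00 va.jsmith 203.0.113.10 view_chart P1006
2026-06-02T11:15:00 va.jsmith 203.0.113.10 view_chart P1007
2026-06-02T11:20:00 va.jsmith 203.0.113.10 view_chart P1008
2026-06-02T11:25:00 va.jsmith 203.0.113.10 view_chart P1009
2026-07-03T08:00:00 va.jsmith 203.0.113.10 view_chart P1010
"""

# Assumed engagement record the practice keeps for each named VA account.
ENGAGEMENTS = {
    "va.jsmith": {"role": "scheduling",
                  "start": datetime(2026, 5, 15),
                  "end": datetime(2026, 6, 30)},  # access must be revoked after this
}

# Assumed role-based permission map (illustrative, not any EHR's real roles).
ROLE_ACTIONS = {
    "scheduling": {"view_schedule", "view_chart", "update_demographics"},
    "billing": {"view_chart", "view_claims", "submit_claim"},
}

SHARING_WINDOW = timedelta(minutes=5)  # two IPs this close together: shared credentials?
VOLUME_WINDOW = timedelta(hours=1)
VOLUME_LIMIT = 5                       # distinct charts per hour before flagging (illustrative)


def parse_log(text):
    """Parse the assumed space-separated export into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, action, patient = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "ip": ip, "action": action, "patient": patient})
    events.sort(key=lambda e: e["ts"])
    return events


def audit(events, engagements=ENGAGEMENTS, role_actions=ROLE_ACTIONS):
    """Return (account, finding_kind, detail) tuples worth escalating."""
    findings = []
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)

    for account, evs in by_account.items():
        eng = engagements.get(account)
        if eng is None:  # activity from an account nobody provisioned
            findings.append((account, "unknown_account", evs[0]["ts"].isoformat()))
            continue
        allowed = role_actions[eng["role"]]
        for e in evs:
            if e["action"] not in allowed:
                findings.append((account, "action_outside_role", e["action"]))
            if e["ts"] > eng["end"]:
                findings.append((account, "access_after_engagement_end", e["ts"].isoformat()))
        # Credential sharing: consecutive events from different IPs within SHARING_WINDOW.
        for a, b in zip(evs, evs[1:]):
            if a["ip"] != b["ip"] and b["ts"] - a["ts"] <= SHARING_WINDOW:
                findings.append((account, "concurrent_ips", f"{a['ip']},{b['ip']}"))
                break
        # Volume: distinct patients in any sliding VOLUME_WINDOW above VOLUME_LIMIT.
        start = 0
        for end_idx, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > VOLUME_WINDOW:
                start += 1
            distinct = {x["patient"] for x in evs[start:end_idx + 1]}
            if len(distinct) > VOLUME_LIMIT:
                findings.append((account, "chart_volume", f"{len(distinct)} charts in 1h"))
                break  # one volume finding per account is enough to trigger escalation
    return findings


if __name__ == "__main__":
    for account, kind, detail in audit(parse_log(SAMPLE_LOG)):
        print(f"{account}: {kind} ({detail})")
```

On the constructed sample the script reports one finding of each kind: an export action the scheduling role does not permit, a chart view three days after the engagement ended, two source IPs within 22 seconds, and six distinct charts inside a 25-minute span. Whoever the vendor names in answer to Question 3 should be able to say which of these their own monitoring would catch, and how fast.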

Questions 5–8: Vetting and quality

Question 5: What background checks do you run? At minimum, you want a criminal background check and identity verification. For roles involving any financial function, a credit check is appropriate. For roles that touch billing or claims, screening against the HHS OIG List of Excluded Individuals and Entities (LEIE) is appropriate, and it should be repeated on a schedule because the list is updated regularly. Ask specifically what is checked, how recently, and whether background checks are repeated periodically for existing staff.

Question 6: How do you assess specialty-specific knowledge before placement? A general VA who claims to know your EHR is not the same as a VA who has demonstrably worked in your specialty with your payer mix. Ask how the provider tests knowledge: are there specialty-specific assessments, supervised practical tests in the EHR, or a period of supervised work before independent placement?

Question 7: What is your quality assurance process during an active placement? The answer you want: recorded call monitoring, EHR audit log review, regular performance check-ins with both the VA and the practice, and a defined escalation path when quality issues are identified.

Question 8: What happens if the VA underperforms? This is a direct question about the replacement process. How quickly can you provide a replacement, how is the transition managed, and what does the practice pay during the gap? Providers confident in their quality answer this question specifically and without defensiveness.

Questions 9–10: Contract and pricing

Question 9: Is there a long-term contract requirement, and what are the termination terms? Month-to-month arrangements are the most practice-friendly, but some providers require three- or six-month minimums for specialty placements. Understand what you are committing to before you sign. Termination clauses should specify notice period, what happens to any pre-paid amounts, and what the process is if the placement fails.

Question 10: What is the all-in pricing and what is included? Hourly rate quotes vary widely, and the difference between providers is often what is included. A $14 per hour rate that includes HIPAA training, BAA, background checks, replacement guarantee, and ongoing QA is a different product from a $12 per hour rate where training and compliance are billed separately or not provided. Calculate the true cost including all fees before comparing providers.

Questions 11–12: Support and replacement

Question 11: What is your replacement guarantee and how quickly does it take effect? A replacement guarantee is your primary protection against placement failure. The guarantee should cover: what conditions trigger it (underperformance, resignation, prolonged absence), how quickly the replacement is placed, whether there is an additional charge, and how long the guarantee period lasts. Thirty-day guarantees are table stakes; providers confident in their placements offer longer windows.

Question 12: Who is my point of contact when something goes wrong, and what is the response time expectation? A dedicated account manager who knows your practice and can escalate issues internally is meaningfully different from a generic support email queue. Ask for the name of the person who will own your account and their direct contact information before you sign.

Red flags to watch for

Vague BAA language: any BAA that does not specifically address HIPAA Security Rule safeguards, breach and security-incident reporting with timelines, permitted uses and disclosures of PHI, flow-down of the same obligations to any subcontractors the vendor uses, and return or destruction of PHI when the engagement ends is insufficient. Have your compliance person or attorney review it.

No specialty training documentation: if the provider cannot describe their specialty training process in specific terms, assume there is none. A VA who learned your EHR from YouTube videos is not the same as one who trained on it in a supervised clinical workflow.

Offshore-only with no US oversight: offshore VAs are not inherently a compliance risk, but a model with no US-based quality oversight, no US-licensed supervisor, and no in-country escalation path for clinical questions creates accountability gaps. Ask specifically how offshore staff are supervised, whether there is a US-based operations team, and whether any offshore entity is a subcontractor that the BAA's flow-down obligations must cover.

Hidden fees: setup fees, technology fees, training fees, and replacement fees that were not in the initial quote are another common issue. Get a complete fee schedule in writing before committing.

No references from practices in your specialty: a provider with genuine specialty depth should be able to provide references from practices similar to yours - same specialty, similar EHR, similar payer mix. Generic references from any type of healthcare organization are not the same as a reference from a practice that looks like yours. Ask for specialty-specific references and follow up with them directly.
