How to vet a pharmacy delivery vendor: 15 questions
Every pharmacy delivery vendor claims the same four things: HIPAA, SOC 2, real integrations, and reliable drivers. Here is how to tell which of those claims survive a 15-minute procurement conversation.
Every pharmacy delivery vendor says roughly the same four things on their homepage: HIPAA compliant, SOC 2, real PMS integrations, and a reliable driver network. Three of those claims are load-bearing for your pharmacy — if any of them isn’t actually true, the cost lands on you, not the vendor.
The good news: almost every shaky claim falls apart inside a 15-minute procurement conversation, if you know which questions to ask. Here’s the checklist I use when evaluating a pharmacy delivery vendor — or any software vendor who’s going to touch PHI, dispatch your couriers, or bill your patients.
Contracts and legal (questions 1–3)
1. “Can you send me your standard BAA before the first call?”
A real vendor has a standard Business Associate Agreement as a PDF they can email in under an hour. If the answer is “we’ll send one once we’re closer to signing,” that’s a signal the document is either missing, heavily negotiated, or drafted by sales rather than legal. Read what a HIPAA BAA must say before you accept one — the nine mandatory provisions are non-negotiable.
2. “Who pays if a breach is traced to your side?”
You want a written answer, not a verbal one. The BAA should name who bears notification costs, OCR penalties, and downstream patient remediation when the breach root cause is the vendor’s stack. “We’ll work with you” is not an answer. A dollar cap that’s lower than your annual fee is also a red flag.
3. “Where is PHI stored, and can I have the list of subprocessors?”
Any vendor serious about HIPAA can tell you (a) what cloud they run on, (b) what region the data sits in, and (c) every third party that touches PHI on their behalf. If that list isn’t already on a public page, ask for it in writing. Our own list lives on the trust page and we update it when anything changes.
Labor and operations (questions 4–6)
4. “Are drivers W-2 employees of the vendor, or 1099 contractors?”
This isn’t academic. Under federal joint-employer doctrine, a pharmacy that directs, schedules, or disciplines a delivery contractor can end up named on an FLSA wage-and-hour complaint right next to the vendor. The safe structure is a vendor whose drivers are its own W-2 employees — or a software-only vendor like us where the pharmacy employs its own drivers and the software doesn’t direct them on the vendor’s behalf. Full breakdown in our post on FLSA-safe pharmacy delivery.
5. “What happens when a driver no-shows on a morning with 80 deliveries?”
Every vendor has a good answer for this on a sunny day. Ask for the Tuesday-morning-in-August version. You want specifics: who gets called first, how the re-route happens, what the patient sees on their tracking page. “We have redundancy” is not a plan.
6. “What insurance does the driver carry, and who is named as an additional insured?”
If the vendor’s drivers are contractors, you want a certificate of insurance that (a) actually covers commercial delivery (most personal auto policies exclude it), and (b) names your pharmacy as an additional insured. Ask for a sample COI. A real program can produce one.
Security and compliance (questions 7–9)
7. “What’s the status of your SOC 2, and can I see the report?”
There’s a meaningful difference between “in progress,” “Type I complete,” and “Type II complete.” Ask specifically which one, and if they claim Type II, ask for the report under NDA. A vendor that can’t produce the document isn’t actually certified — they’re claiming to be. Our current status and expected Type I date are on the trust page.
8. “If I leave, how do I get my data out, and how long until it’s deleted?”
The answer should be: a self-serve export inside the product (not a ticket), a named format (CSV, JSON), and a deletion SLA with a specific number of days. If data export requires account-manager approval, or if deletion is vague, that’s a vendor whose business model relies on lock-in.
9. “Do you publish an uptime history, or just an SLA?”
An SLA is a promise. An uptime history is evidence. Ask for a link to a status page with 90 days of actual data. If the only uptime number is “99.9%” on a marketing page with no incident log, the number is decorative. Ours lives at scriptrun.app/status.
Technical reality (questions 10–12)
10. “Which PMS integrations are actually live, and which are coming soon?”
Almost every delivery vendor’s website lists a row of logos. Most of those integrations are one of three things: a published partner directory listing (marketing), a manual CSV import workflow (operational, but not a real integration), or a two-way API (actually integrated). Ask the vendor to name the last customer they onboarded for each claimed PMS, and how long the onboarding took. Vendors with live integrations answer that question in under a minute.
11. “Can I see your API docs without signing anything?”
If a vendor is technically mature, their API reference, webhook spec, and authentication docs are on a public page. If you need a sales rep’s permission to read the docs, the integration you need will be measured in quarters, not weeks. Ours are on the developer docs page.
12. “Does the tenant get an audit log they can read themselves?”
An immutable audit log that the pharmacy can read, filter, and export is table stakes for anyone handling PHI. If audit logs only exist on the vendor’s side and the pharmacy has to file a ticket to see them, the pharmacy can’t actually respond to an OCR inquiry without the vendor’s cooperation. That’s not a good position.
Business basics (questions 13–15)
13. “What is the list price, and what does it look like at my volume?”
If the first answer involves a discovery call, a custom quote, or anything ending in “let’s talk,” that’s a vendor whose pricing is designed to be opaque. A real answer gives you a monthly number and an overage rate. More on why we think this matters in our post on why we publish pricing.
14. “Can I talk to two pharmacies of my size who’ve been on the product for a year?”
Ask for references that match your size and your PMS — not the vendor’s biggest logo. The reference should use the product daily, not just own a username. Ask the reference how many support tickets they’ve filed in the last 90 days and how fast they got resolved. That’s the real SLA.
15. “Who is the founder, and how do I reach them?”
Vendors at pharmacy-software scale aren’t so big that the founder is unreachable. If nobody on the sales call can tell you who runs the company or how to email them, you’re buying from a brand, not a company. I’m on the about page and my email is on it. That should be standard.
How to actually run the evaluation
Most vendor evaluations fail because the pharmacy tries to run them like a dating app — charming conversations, no documents. The way to keep it honest is to require paper:
- Before the first call: ask for the BAA, the subprocessor list, the API docs, the status page, and the pricing page. A real vendor sends all five within a day. A vendor that sends two and promises the rest later has just told you something about their maturity.
- During the demo: ask questions 4, 5, 7, 10, and 15 live. These are the ones where verbal answers reveal the most. Watch for qualifiers (“largely,” “in progress,” “we’re working toward”) — they’re honest signals.
- Before signing: get the answers to 2, 3, 6, 8, and 12 in writing — in the BAA, in the MSA, or in an email that becomes part of the contract record. A verbal yes doesn’t help you in a compliance audit two years from now.
You don’t need all 15 answers to be perfect. You need enough of them to be good that you know exactly which ones aren’t, and you have accepted that tradeoff knowingly. That’s the whole idea of due diligence.