The 2026 buyer’s guide to AI healthcare vendors.

Most demos show the obvious workflows: ambient scribing, inbound voice, fax intake. Useful, but not differentiating — every vendor in this category has those.

A vendor that has actually sat in a medical practice can name a workflow you’d recognize as a pain — but one your team has stopped seeing because they work around it. Annual-wellness-visit risk-adjustment capture at a primary care group. Device-clinic cadence at a cardiology group. CPAP compliance windows at a pulmonology practice. The post-discharge medication-reconciliation tail at a hospitalist group. The MIPS measure that drifted out of compliance between quarterly reviews.

If they can only show you the demos every other vendor shows you, they’re operating at the surface of your practice.

A vendor with a clear answer to “what we don’t do” has an actual product. A vendor without one is selling a deck.

Examples of good answers: “We don’t make clinical decisions; the clinician approves every order.” “We don’t bridge to Epic via a custom integration; we use the published API surface.” “We don’t do behavioral-health ambient documentation, because the consent model isn’t worked out yet.” Each of those is a real boundary, defended for a real reason.

Vague answers — “we customize to your needs,” “we can do anything you need” — are a tell. Either the vendor doesn’t know their own product yet, or they’re willing to oversell it. Neither is a partner you want for the next three years.

“Works with Epic” can mean anything from a published API integration to a screen-scraping bot pretending to be a user. Both can be defensible — but you should know which one you’re getting and price it accordingly.

Specifically ask: native API connector, HL7 / FHIR, or RPA bridge? What gets read, what gets written, and what gets logged? How often is the connector updated when the EHR updates? What happens during a payer-portal change — does the vendor patch within hours or within weeks?

The honest answer for most vendors will be a mix — FHIR where it exists, HL7 where it doesn’t, RPA where neither does. That’s fine. The dishonest answer is a single yes/no.

Apply the same question to your RCM stack. Where does the vendor sit relative to your clearinghouse, your existing RCM platform, your patient-billing tool? “We replace everything” and “we plug into what you have” are different products, priced differently. Make the vendor say which one they are.

The covered entity owns the PHI under the BAA. That is settled law. The harder question is what happens to the derivative data — the structured outputs, the audit logs, the model weights your data may have shaped.

Get specific. Export formats: standards-compliant or proprietary? Deletion schedule: documented or discretionary? Indemnification on residual model state? Does the vendor retain de-identified copies of anything for product improvement, and under what consent? What does the runbook look like in week one of an exit?

A vendor whose answer to this is “let our legal team handle that” is a vendor planning lock-in. A vendor with a one-page exit document already written has thought about it because their previous customers made them.

Any vendor making clinical-adjacent decisions should be running offline test sets graded by clinicians, online quality telemetry, and structured regression tracking. Ask to see the actual artifact: the test bank, the rubric, the dashboard.

“We do extensive testing” is not an evaluation harness. “Here’s our weekly clinician review of 200 graded cases against last week’s 200 to track regressions, and here’s the rubric we use, and here’s last quarter’s top three regressions and what we shipped to fix them” is.

For agentic systems specifically, ask how the vendor evaluates multi-step workflows — not just single-prompt accuracy. The hardest failure modes in production live at the seams between steps, and most evaluation harnesses don’t test seams.

Silent failures are the single highest-cost failure mode in clinical AI. A wrong prior authorization that the practice never sees until the denial arrives six weeks later costs more than ten loud failures the system flagged for human review on the same day.

Ask: what is escalated to a human, on what threshold, with what context? What does the audit log look like for an action the system took unilaterally? What did the last three failures look like, and what changed in the system afterward?

A vendor who can’t answer the last question hasn’t watched their own product in production. That doesn’t make them malicious; it makes them young. Decide whether you want to be the practice that teaches them.

Per-claim fees, per-seat fees, per-call fees, per-API-token fees, per-payer-portal fees, per-faxed-page fees, overage-bucket fees. Each one is defensible in isolation. In aggregate, they make the published price irrelevant.Per-claim fees in particular tend to scale linearly with the practice’s billed revenue — check what that becomes at month thirteen.

Get specific: at the volume your practice runs, what is the all-in monthly cost — the published number plus every line item that’s metered? What’s the cost of a single high-volume month above the contract baseline? What’s the price next year, in writing?

A flat-fee vendor isn’t necessarily cheaper. But a vendor with five metering dimensions has a different incentive than a vendor with one — and the incentive shows up in month seven, not month one.

Specialty practices don’t run 9-to-5 — the inbox doesn’t pause for the weekend, and the after-hours voicemail keeps filling. When the system fails, the failure tends to happen overnight or on a holiday more often than during business hours, because that’s when the exception cases land.

Ask: what is the on-call rotation? Who actually pages — a tier-1 outsourced support desk, or an engineer with commit access to the system? What’s the response SLA? What does a recent post-incident artifact look like?

A vendor whose support page reads “Mon–Fri, 9–5 ET” is selling a tool, not running a layer. That distinction will matter on the first Saturday a fax triage goes wrong.

Every vendor has churned accounts. Pretending otherwise is a tell. The question is whether the vendor knows why they churned and is willing to tell you.

Ask the question directly. A vendor with a credible answer — “we onboarded a multi-site group too quickly and the configuration didn’t fit; we now require X before signing” — is a vendor that learns from churn. A vendor who deflects, or who blames the customer, is a vendor whose churn pattern you will learn about by being it.

Reference calls with happy customers are useful. Reference calls with departed customers, when the vendor will arrange them, are more useful.

The vendor doesn’t need to recite the regulations. But they should be able to articulate what each one means for their product roadmap, and what they’re shipping in response.

A vendor who has never heard of CMS-0057-F is not building for clinical practice in 2026. A vendor who has, but says “we’ll handle that when the deadline gets closer,” is operating at the wrong tempo. A vendor who can explain how the FHIR Prior Authorization API changes their backend, with a target ship date, is operating at yours.

Bonus question: ask what they think about the next regulation, the one that hasn’t been finalized yet. The honest “we don’t know yet” is fine. The empty smile is not.