SurveyMonkey
Is SurveyMonkey HIPAA Compliant for Patient Surveys?
What medical clinics need to know about SurveyMonkey's HIPAA compliance — which plan includes the BAA, which plans do not, and what steps must be completed before conducting patient surveys that collect PHI.
Short answer
SurveyMonkey offers HIPAA compliance only on its Enterprise plan, with a signed BAA. Standard, Advantage, and Premier plans have no HIPAA coverage available. Any patient satisfaction survey, outcomes measurement instrument, or health questionnaire that collects protected health information requires the Enterprise plan with a BAA executed before the first response is collected. Using lower-tier plans for patient surveys that collect health information is a compliance violation.
SurveyMonkey’s HIPAA plan structure
SurveyMonkey publishes its HIPAA compliance information in its billing and compliance documentation. The plan-level structure is clear:
| Plan | BAA available |
|---|---|
| Free | No |
| Standard | No |
| Advantage | No |
| Premier | No |
| Enterprise | Yes |
Enterprise is SurveyMonkey’s organization-level plan. Pricing is negotiated and not published on SurveyMonkey’s public pricing page. The BAA must be executed through SurveyMonkey’s compliance team as part of the Enterprise agreement process.
This creates a significant cost threshold for clinics that want to use SurveyMonkey for patient surveys. A small clinic that needs to send quarterly patient satisfaction surveys faces an enterprise pricing conversation for what may be a modest survey volume.
What constitutes PHI in the patient survey context
Not all patient surveys automatically involve PHI. The determination depends on what information the survey collects and whether it can be linked to an individual.
A survey collects PHI when it includes:
- Patient name or patient ID combined with any health-related response
- Email address or other contact information combined with health data (because these identifiers link responses to individuals)
- Date of service combined with provider name and a health-related rating or comment
- Any combination of identifiers + health information as defined under the HIPAA Privacy Rule’s 18 identifiers
Lower risk (but still evaluate carefully):
- Fully anonymous surveys where responses cannot be linked to any individual — no pre-population of names, no email tracking, no response metadata linking back to patient records
- General satisfaction surveys about non-clinical aspects of the visit (parking, wait time, front desk courtesy) that include no health information
“Lower risk” is not “no risk.” Confirm your survey design with your compliance advisor before concluding that anonymous surveys are entirely outside HIPAA scope for your specific use case.
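The identifier-plus-health-information rule above is easiest to apply consistently if the survey design is written down as data and checked before it goes live. The script below is an added example, not code from the article or from SurveyMonkey; the field categories, the `email_tracking` and `links_to_patient_record` flags, and the sample surveys are all constructed for illustration and must be mapped to your own tool's settings during review. It flags the case practitioners most often miss: a survey with no identifying question that still links responses to a person through a tracked link or pre-populated field.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed category vocabulary for this example (not a regulatory term and
# not a SurveyMonkey feature).
IDENTIFIER = "identifier"    # one of the Privacy Rule's 18 identifiers (name, patient ID, email, date of service, ...)
HEALTH = "health"            # health-related response (symptom rating, outcome, clinical comment)
OPERATIONAL = "operational"  # non-clinical visit feedback (parking, wait time, front desk courtesy)


@dataclass
class Question:
    label: str
    kind: str                   # IDENTIFIER, HEALTH or OPERATIONAL
    prepopulated: bool = False  # filled from the patient record instead of typed by the respondent


@dataclass
class SurveyDesign:
    name: str
    questions: List[Question]
    # Hypothetical collection-setting flags: they tie a response to a person
    # even when no identifying question is asked.
    email_tracking: bool = False           # tracked links / stored respondent email
    links_to_patient_record: bool = False  # response metadata joined back to a chart or visit


def linking_identifiers(design: SurveyDesign) -> List[str]:
    """Everything that can tie a response to an individual: identifier
    questions, pre-populated fields (which require knowing who the respondent
    is) and collection settings that link silently."""
    found = [q.label for q in design.questions if q.kind == IDENTIFIER]
    found += [f"pre-populated field: {q.label}" for q in design.questions
              if q.prepopulated and q.kind != IDENTIFIER]
    if design.email_tracking:
        found.append("email tracking (collection setting)")
    if design.links_to_patient_record:
        found.append("response metadata linked to patient record")
    return found


def health_fields(design: SurveyDesign) -> List[str]:
    return [q.label for q in design.questions if q.kind == HEALTH]


def assess(design: SurveyDesign) -> Dict[str, object]:
    """'PHI' = something identifying combined with health-related responses,
    so a BAA-covered platform is required. 'LOWER_RISK' covers the article's
    other cases (fully anonymous, or non-clinical feedback only) and is a
    prompt for compliance review, not a clearance."""
    ids = linking_identifiers(design)
    health = health_fields(design)
    if ids and health:
        status, reason = "PHI", "identifier(s) combined with health-related responses"
    elif health:
        status, reason = "LOWER_RISK", "health responses with no linking identifier; confirm anonymity with compliance advisor"
    elif ids:
        status, reason = "LOWER_RISK", "identifiers present but no health-related responses"
    else:
        status, reason = "LOWER_RISK", "no identifiers and no health-related responses"
    return {"survey": design.name, "status": status, "baa_required": status == "PHI",
            "identifiers": ids, "health_fields": health, "reason": reason}


# Constructed sample designs covering the three situations the article describes.
SAMPLE_DESIGNS = [
    SurveyDesign("Post-visit outcomes check",
                 [Question("Patient ID", IDENTIFIER, prepopulated=True),
                  Question("How much have your symptoms improved since your visit?", HEALTH)]),
    SurveyDesign("Anonymous front-desk feedback",
                 [Question("How long did you wait?", OPERATIONAL),
                  Question("Was parking easy to find?", OPERATIONAL)]),
    # No identifying question, but the tracked link stores the respondent's
    # email, which links the health answer to a person.
    SurveyDesign("Pain follow-up via tracked email link",
                 [Question("Rate your pain today (0-10)", HEALTH)],
                 email_tracking=True),
]


def assess_all(designs: List[SurveyDesign] = SAMPLE_DESIGNS) -> Dict[str, Dict[str, object]]:
    return {d.name: assess(d) for d in designs}


if __name__ == "__main__":
    for name, report in assess_all().items():
        print(f"{name}: {report['status']} (BAA required: {report['baa_required']}) - {report['reason']}")
```

Run it as-is to see the three sample verdicts, or replace `SAMPLE_DESIGNS` with your own survey definitions. The output is a starting point for the survey design review step, not a substitute for it: a "LOWER_RISK" verdict still goes to your compliance advisor, as the article says.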
What the clinic must do before deploying patient surveys
If you determine that your patient surveys will collect PHI and you choose SurveyMonkey as your tool:
- Upgrade to Enterprise. No lower tier provides a path to HIPAA compliance.
- Execute the BAA. Work with SurveyMonkey’s team to complete the BAA before any survey goes live. Keep signed documentation.
- Review the survey design. Confirm each question, each pre-populated field, and each response collection setting with your compliance review process. Identify which data fields constitute PHI.
- Establish data handling procedures. Define who has access to survey results, how results are stored after collection, and how long they are retained.
- Connect survey data storage to covered systems. If survey results are imported into a practice management or EHR system, that system must also have a BAA.
Alternatives to SurveyMonkey Enterprise for smaller clinics
SurveyMonkey Enterprise pricing is designed for organizations, not individual clinics. Smaller practices that need HIPAA-covered patient surveys have options:
EHR-native patient surveys: Many EHR platforms include patient questionnaire and survey features covered under the EHR’s existing BAA. If your EHR supports it, this is often the most cost-effective path.
Healthcare-specific form tools: Jotform offers a HIPAA plan at lower price points than SurveyMonkey Enterprise. REDCap is a research-focused data capture tool widely available through academic and hospital research programs.
Post-visit check-in via secure patient messaging: For simple satisfaction feedback, a structured follow-up message through a secure patient messaging system (covered by the EHR’s BAA) can replace a survey tool entirely.
Quality improvement programs and HIPAA
Patient satisfaction measurement, CAHPS surveys, and outcomes tracking are valuable for clinical quality improvement. HIPAA does not prohibit these activities. The requirement is that any platform used to collect identifiable patient health information for these purposes has a BAA in place.
Small clinics often run informal quality improvement surveys using convenience tools — a quick Google Form, a SurveyMonkey free tier link in a post-visit message, a simple email reply. These informal approaches create PHI exposure when responses include identifiable health information, even at small scale. OCR (the HHS Office for Civil Rights) does not distinguish between a 500-patient survey program and a 5-patient informal check-in when evaluating whether a BAA was required.
Compliance operations for patient survey programs
Managing the compliance requirements for a patient survey program — BAA tracking, data retention policies, access control documentation — is part of a broader HIPAA compliance program. The decision to run patient surveys should be documented in a risk assessment that addresses tool selection, data handling, and retention.
PHIGuard commercial baseline
PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.
Sources
- HIPAA Compliance | SurveyMonkey
- Privacy Notice | SurveyMonkey
- Business Associates | HHS