HIPAA Vendor Security Questionnaire

A structured 30-question security questionnaire to send to potential business associates before sharing PHI. Covers BAA terms, security certifications, subprocessors, data handling, access controls, incident response, and termination. Includes scoring rubric and guidance on BAA negotiation.

Short answer

A 30-question vendor security questionnaire for HIPAA-covered entities: BAA terms, security certifications, subprocessor disclosure, data handling and encryption, access controls, incident response procedures, and termination and deletion terms — with a scoring rubric.

What is inside

BAA terms evaluation: 8 questions covering BAA availability, who signs, what the BAA covers, breach notification timeline commitment, audit rights, and termination and data deletion terms
Security certifications: SOC 2 Type II, HITRUST CSF, ISO 27001 — what certifications the vendor holds, whether the certificate covers the specific product you are evaluating, and when the most recent audit was conducted
Subprocessor transparency: does the vendor maintain and publish a subprocessor list, are subprocessors bound by HIPAA-equivalent contractual obligations, and does the vendor notify customers before adding new subprocessors
Data handling specifics: encryption at rest and in transit, key management (who holds the keys), data residency (U.S. servers required for most covered entities), and data minimization practices
Incident response evaluation: the vendor's contractual notification timeline, what their incident response plan looks like, how they classify and triage incidents, and who on their team you would hear from in a breach scenario

We publish the same practical templates and decision tools that clinics use to structure recurring HIPAA work. No enterprise gate. No resource-library gimmicks. Just practical material delivered quickly.

Editorial details

Written by: Angel Campa

Reviewed by: PHIGuard Compliance Research

Updated: April 28, 2026

Best next step: Open the matching product path

Sources

45 CFR § 164.308(b) — Business Associate Contracts and Other Arrangements | eCFR
Business Associate Guidance | HHS
NIST SP 800-66 Rev. 2 | NIST

Download the PDF

Ask these 30 questions before signing a BAA or sharing PHI with any vendor

Enter your email and we will send the PDF.

Questions

When should we send this questionnaire to a vendor?

Before any PHI is shared and before a BAA is signed. The questionnaire responses should inform your BAA negotiation — if the vendor's answers reveal gaps in their security program, those gaps can be addressed through BAA terms or additional contractual requirements. If the gaps are fundamental (no BAA available, no SOC 2, trains on customer data), the questionnaire outcome is a decision not to proceed.

The vendor we want to use refuses to answer the questionnaire. What should we do?

A vendor's refusal to respond to a standard security questionnaire is itself a meaningful signal. It may indicate that they have not invested in the security program that would allow them to answer confidently, or that they are accustomed to selling to organizations that do not conduct vendor due diligence. You can escalate to the vendor's enterprise or compliance team, request their SOC 2 report directly as an alternative to the questionnaire, or proceed to the BAA negotiation and use BAA terms to establish the security requirements contractually. If the vendor refuses both the questionnaire and contractual security obligations, they are not HIPAA-eligible.

Can we use this questionnaire for BAA renewals and annual vendor reviews?

Yes, with adaptation. For annual vendor reviews, a subset of the 30 questions is appropriate — specifically the sections on certifications (has the SOC 2 been renewed?), subprocessors (have new subprocessors been added?), and incident response (have any incidents occurred in the past year?). The template notes which questions are most relevant for renewal reviews vs. initial onboarding.

Is this free?

Yes. Enter your email and we will send the full resource to your inbox.

Why do you need my email?

We send the resource directly to your inbox. We will not add you to a marketing list without your consent.