MAPS TO 45 CFR §164 · 23 QUESTIONS · FREE TEMPLATE

HIPAA Business Associate Security Assessment — 30 questions covered entities require

Before a covered entity signs a BAA, they send this assessment. The questions track directly to the HIPAA Security Rule safeguards — 45 CFR §§164.308, 164.310, 164.312, 164.316 — plus Breach Notification Rule timing.

Total questions: 23
Categories: 6
Typical timeline: 5–10 business days
Effort: 10–20 hours
Who requests it:
  • Covered entities (hospitals, health plans, healthcare clearinghouses) and their privacy officers
  • Larger BAs onboarding subcontractor BAs
  • Health-tech procurement and InfoSec teams
Who fills it out:
  • Your HIPAA Security Officer (often the CISO)
  • Privacy Officer co-signs on §164.502 / §164.504 questions

The questionnaire — every question, inline

1. Administrative Safeguards (§164.308)

6 questions. Policies, workforce, training, risk analysis.
  1.1 (Critical) Have you conducted a HIPAA Security Risk Analysis (§164.308(a)(1)(ii)(A)) in the past 12 months? Provide the executive summary.
  1.2 (Critical) Do you have a designated Security Official (§164.308(a)(2))? Provide name and title.
  1.3 (High) Describe your workforce sanction policy for HIPAA violations (§164.308(a)(1)(ii)(C)).
  1.4 (High) What is the frequency and content of mandatory HIPAA training for the workforce (§164.308(a)(5))? Last completion rate?
  1.5 (Critical) Describe your contingency plan: data backup, disaster recovery, and emergency-mode operation procedures (§164.308(a)(7)).
  1.6 (Critical) How are subcontractor BAs identified, vetted, and bound by downstream BAAs (§164.308(b))?

2. Physical Safeguards (§164.310)

3 questions. Facility, workstation, device controls.
  2.1 (High) Describe facility-access controls for any location that hosts ePHI (§164.310(a)(1)). Include badge, visitor, and cleaning-crew handling.
  2.2 (High) Workstation security policy: are screens auto-locked, encrypted, and unable to store local ePHI (§164.310(c))?
  2.3 (Critical) Device and media disposal: describe the sanitisation method (NIST SP 800-88) and chain-of-custody records (§164.310(d)).

3. Technical Safeguards (§164.312)

5 questions. Access, audit, integrity, transmission.
  3.1 (Critical) Are unique user IDs and automatic logoff configured for all systems handling ePHI (§164.312(a))?
  3.2 (Critical) Is ePHI encrypted at rest using FIPS 140-2/3 validated modules (addressable, §164.312(a)(2)(iv))? Specify algorithms.
  3.3 (Critical) Is ePHI encrypted in transit (§164.312(e)(1))? Minimum TLS version?
  3.4 (High) What are the audit-log retention period and review cadence for ePHI access (§164.312(b))? Minimum 6-year retention recommended.
  3.5 (High) What integrity controls are in place to prevent improper alteration or destruction of ePHI (§164.312(c))?

4. Organizational & BAA Requirements (§164.314, §164.502)

3 questions. Contract obligations and minimum necessary.
  4.1 (Critical) Will you sign the covered entity's standard BAA with downstream subcontractor flow-through (§164.314(a))? Provide your standard BAA template.
  4.2 (High) Describe how you enforce minimum-necessary access for workforce members handling ePHI (§164.502(b)).
  4.3 (High) How do you handle Right of Access requests forwarded from a covered entity (§164.524)? Maximum response time?

5. Breach Notification Rule (§164.400–414)

3 questions. Timing, content, and process for breach response.
  5.1 (Critical) Commit to a written breach-notification SLA to the covered entity. The Rule requires 'without unreasonable delay, no later than 60 days'; most CEs negotiate to 24–72 hours.
  5.2 (Critical) Describe your breach risk-assessment methodology: the factors you evaluate to decide whether an incident is a notification-triggering breach or presents a low probability of compromise (§164.402).
  5.3 (High) Provide a sample breach notification letter you would send to the CE.

6. Policies & Procedures (§164.316)

3 questions. Documentation requirements.
  6.1 (Critical) How long are HIPAA-related policies, procedures, and audit records retained? The Rule requires a minimum of 6 years (§164.316(b)(2)(i)).
  6.2 (Medium) What is the review cycle for HIPAA security policies? Last update date?
  6.3 (Medium) Are all policy acknowledgments by workforce members tracked and available on request?

Common pitfalls

Want this pre-filled with YOUR controls?

Run a free HIPAA Security Rule audit. ComplianceIQ uses your audit responses and generated policies to populate an answer pack you can paste into any SIG, CAIQ, or custom enterprise questionnaire — in minutes, not days.


FAQ

Do I need this assessment if I already have a SOC 2 Type II?
Yes. SOC 2 covers a lot but is not a HIPAA control map. Covered entities must perform HIPAA-specific due diligence on every BA — your SOC 2 is supporting evidence, not a substitute.
What if I don't host ePHI directly but my subprocessor does?
You are still a BA under §160.103. Document the flow-down BAA, your subprocessor's HIPAA posture, and your monitoring controls.
How does HHS 'right of access' apply to me as a BA?
BAs generally route Right-of-Access requests back to the covered entity unless the BAA delegates them. Document your process either way.
Are HIPAA penalties really that high?
Yes. 2024 schedule: $137–$2,067,813 per violation tier, annual cap $2,067,813 per identical-provision violation. Anthem paid $16M. Premera paid $6.85M. See our HIPAA penalty calculator.


What happens when these answers are wrong

  • Anthem Inc.: $16M. Largest HIPAA settlement in history; 78.8M records breached.
  • Premera Blue Cross: $6.85M. 11M-record breach plus risk-analysis and access-controls failures.
