HIPAA Vendor Risk Assessment Questionnaire: What to Ask Every Business Associate in 2026
Every healthcare organization depends on outside vendors — billing companies, cloud hosts, analytics platforms, AI scribes, e-fax providers, managed IT. The moment one of them creates, receives, maintains, or transmits protected health information (PHI) on your behalf, they become a business associate, and their security posture becomes your liability. A signed Business Associate Agreement (BAA) is the contractual floor, not proof that a vendor actually safeguards data. The instrument that closes that gap is a structured HIPAA vendor risk assessment questionnaire.
This guide explains what a HIPAA vendor risk questionnaire is, the questions every business associate should answer before they touch PHI, and how to operationalize vendor due diligence so it survives an OCR investigation. It pairs naturally with a current BAA inventory checklist and your broader HIPAA risk assessment program.
Why a Vendor Questionnaire Is Not Optional
The HIPAA Security Rule requires covered entities and business associates to obtain “satisfactory assurances” that each downstream party will appropriately safeguard PHI (45 CFR §164.308(b) and §164.502(e)). “Satisfactory assurances” is not defined as a signature — it is a documented, defensible judgment that the vendor has reasonable administrative, physical, and technical safeguards in place. A questionnaire is how you collect the evidence behind that judgment.
The stakes are rising. The HHS Office for Civil Rights’ proposed 2026 update to the Security Rule (published in the Federal Register in January 2025 and still proposed, not final, as of mid-2026) would, if adopted, require covered entities to obtain written verification at least once every 12 months that each business associate has deployed the required technical safeguards — verification backed by analysis from a subject-matter expert. Whether or not that provision is finalized, it signals the direction of enforcement: periodic, evidence-based vendor verification rather than a one-time contract. Building a repeatable questionnaire now means you are ready either way.
The Core HIPAA Vendor Risk Assessment Questionnaire
Group your questions so a reviewer can score each domain and flag gaps. The following set covers the areas OCR and cyber-insurers consistently probe.
Administrative Safeguards
- Do you have a designated HIPAA Security Officer and a current written information security policy?
- Have you completed a HIPAA Security Risk Analysis in the last 12 months, and can you share the date and scope?
- How often is your workforce trained on HIPAA and security awareness, and how is completion tracked?
- Do you maintain a documented sanction policy for workforce members who violate security policy?
Technical Safeguards
- Is PHI encrypted at rest and in transit (and to what standard, e.g., AES-256 / TLS 1.2+)?
- Do you enforce unique user IDs, role-based access, and multi-factor authentication for systems that touch PHI?
- Are audit logs enabled, retained, and reviewed for access to PHI?
- How do you patch and remediate known vulnerabilities, and on what timeline?
Physical and Operational Safeguards
- Where is PHI physically stored or processed, and which subcontractors or cloud regions are involved?
- Do you have an incident response and breach notification plan, and what is your notification timeline to us?
- Have you had a reportable breach or OCR action in the past three years?
Documentation and Subcontractors
- Will you sign our BAA, and do you flow equivalent terms down to every subcontractor that handles our PHI?
- Can you provide a recent independent attestation (SOC 2 Type II, HITRUST, or equivalent) or the results of your most recent penetration test?
A vendor that cannot answer the technical and documentation questions clearly is not necessarily disqualified — but the gaps become risks you must accept, mitigate, or decline in writing. That written decision is exactly what an investigator wants to see.
Turning Answers Into a Risk Decision
Score each response (for example: meets / partially meets / does not meet), weight the high-impact domains (encryption, access control, breach history, subcontractor flow-down) more heavily, and assign each vendor a tier. High-risk vendors handling large volumes of PHI warrant the full questionnaire plus supporting evidence and annual re-verification; low-risk vendors with incidental PHI exposure may warrant a lighter touch. Record the rationale. Vendor risk management is a continuous control, not a procurement formality — re-run the questionnaire on renewal, after a vendor’s reported incident, or when their service materially changes.
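As an added illustration (not code from the page or from Medcurity), the scoring and tiering step above in Python: each questionnaire domain is rated meets / partially meets / does not meet, the four high-impact domains are weighted more heavily, and the result is a written decision with its rationale. The domain names, the triple weighting, and the 85% cutoff are assumptions for the example.

```python
# Added example: turn questionnaire answers into a recorded risk decision.
# Domain keys, weights and thresholds are assumptions, not from the page.
HIGH_IMPACT = {"encryption", "access_control", "breach_history", "subcontractor_flowdown"}
DOMAINS = HIGH_IMPACT | {"security_officer", "risk_analysis", "training", "sanctions",
                         "audit_logs", "patching", "phi_location", "incident_response",
                         "attestation"}
SCORE = {"meets": 1.0, "partially meets": 0.5, "does not meet": 0.0}


def weight(domain):
    # High-impact domains count triple (assumed weighting).
    return 3 if domain in HIGH_IMPACT else 1


def assess(vendor, responses, large_phi_volume):
    """Return a risk decision: weighted score, tier, gaps, follow-up and rationale.
    An unanswered domain is scored as 'does not meet': a silent gap is still a gap."""
    earned = 0.0
    gaps = []
    for d in sorted(DOMAINS):
        answer = responses.get(d, "does not meet")
        earned += weight(d) * SCORE[answer]
        if answer != "meets":
            gaps.append(f"{d}: {answer}")
    pct = round(100 * earned / sum(weight(d) for d in DOMAINS), 1)
    # Any outright failure in a high-impact domain, or a large PHI volume, forces the high tier.
    critical = sorted(d for d in HIGH_IMPACT if responses.get(d, "does not meet") == "does not meet")
    if critical or large_phi_volume:
        tier = "high"
    elif pct >= 85:
        tier = "low"
    else:
        tier = "moderate"
    followup = ("full questionnaire plus supporting evidence, annual re-verification"
                if tier == "high"
                else "lighter-touch review; re-run on renewal, reported incident or material change")
    rationale = (f"{vendor}: weighted score {pct}%, tier {tier}; "
                f"critical gaps: {', '.join(critical) or 'none'}; "
                f"large PHI volume: {large_phi_volume}")
    return {"vendor": vendor, "score": pct, "tier": tier, "gaps": gaps,
            "followup": followup, "rationale": rationale}


if __name__ == "__main__":
    # Constructed sample vendor: everything meets except two non-critical domains.
    answers = {d: "meets" for d in DOMAINS}
    answers.update({"patching": "partially meets", "attestation": "does not meet"})
    print(assess("Example Billing Co. (constructed)", answers, large_phi_volume=False)["rationale"])
```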
This is the same evidence trail you will lean on during HIPAA audit preparation and, if it ever comes to it, an OCR investigation response.
How Medcurity Helps
Medcurity’s Vendor Risk module lets you send questionnaires by link, collect and store responses alongside the signed BAA, risk-rate each business associate, and keep the whole inventory audit-ready — without spreadsheets. It is built healthcare-native and SRA-first, and it is part of the Medcurity platform at $499/year. If you want to see how vendor questionnaires, BAAs, and your Security Risk Analysis live in one place, explore Medcurity solutions. You can also compare approaches in our overview of the best HIPAA SRA software.
Frequently Asked Questions
What is a HIPAA vendor risk assessment questionnaire?
It is a structured set of security and compliance questions a healthcare organization sends to a vendor or business associate to gather the “satisfactory assurances” HIPAA requires before that vendor handles PHI. It documents the vendor’s administrative, physical, and technical safeguards so you can make and record a defensible risk decision.
Is a Business Associate Agreement enough on its own?
No. A BAA is a required contract that establishes obligations, but it does not verify that a vendor actually implements safeguards. HIPAA expects covered entities to obtain satisfactory assurances; a completed questionnaire plus supporting evidence (such as a SOC 2 report or recent risk analysis) is how you demonstrate genuine due diligence.
How often should we reassess our vendors?
At minimum annually for higher-risk business associates, and again on contract renewal, after a vendor reports a security incident, or when their service materially changes. The proposed 2026 Security Rule update would, if finalized, require written verification of technical safeguards at least every 12 months — so an annual cadence is a sound baseline today.
Which vendors need a questionnaire?
Any vendor that creates, receives, maintains, or transmits PHI on your behalf — including cloud hosts, billing and RCM companies, IT providers, e-fax and messaging tools, analytics platforms, and AI tools. Vendors with no access to PHI generally do not require a BAA or a full questionnaire, but document that determination.