You found a survey tool that looks perfect. Clean interface, easy setup, patients can complete assessments on their phones. But before you send your first PHQ-9, you need to answer one question: is this tool actually HIPAA compliant?
If your survey collects any information that could identify a patient and relates to their health (clinical assessments like the GAD-7, intake forms, symptom trackers) you need HIPAA compliance. Even anonymous surveys may need protection if responses could be linked back to specific patients through dates, appointment times, or contextual information.
The compliance checklist
Business Associate Agreement (BAA)
A BAA is legally required when a third party handles PHI on your behalf. If a vendor won't sign one, they're either not HIPAA compliant or don't understand healthcare compliance. Verify the BAA clearly defines each party's responsibilities, specifies breach handling procedures, and addresses data retention and destruction. Keep your signed copy on file.
Red flag: Vendors who claim "HIPAA compliance" but won't sign a BAA, or who charge significant extra fees for BAA coverage.
Data encryption
Ask for encryption specifications in writing. Legitimate vendors provide this easily. Look for TLS 1.2 or higher for data in transit and AES for data at rest (AES-256 is the common choice; NIST approves 128-, 192- and 256-bit keys, so "AES-256" on its own is not what separates a good vendor from a bad one). Backups should also be encrypted, and keys should be managed separately from the data they protect: held in a key management service or HSM rather than next to the database, with restricted access and documented rotation.
Encryption at rest protects against lost media, exposed backups, and misconfigured storage; it does not protect against a compromised user account that reads data through the application, which is why the access controls and audit logging below matter just as much. If properly encrypted data is exposed and the keys were not, HHS treats it as "secured" PHI under its guidance, and the exposure may not be a reportable breach under HIPAA.
Access controls
The minimum necessary standard requires limiting PHI access to what each person needs for their job. Check for unique user accounts (no shared logins), role-based access controls, multi-factor authentication, automatic session timeouts, and account lockout after failed login attempts.
Test it: Can you create users with different permission levels? Can you prevent certain staff from viewing assessment results while allowing others full access?
Audit logging
All PHI access should be logged automatically with user identity, timestamp, and action. Logs must be tamper-evident (an administrator or attacker should not be able to edit or delete an entry without leaving a trace), exportable for audits, and retained for at least six years, the period HIPAA requires for security documentation and the one most practices apply to audit logs. If you can't demonstrate who accessed patient data and when, you can't prove compliance or investigate incidents.
Test it: Access a test patient record, then check if you can find that access in the audit log.
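What "tamper-evident" means in practice is easier to see than to describe. The following is an added example written for this article, not code from any survey vendor: each log entry carries a keyed hash that also commits to the previous entry's hash, so editing or deleting a past access breaks the chain at a detectable point. The chain key, the user names, and the patient IDs are constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical chain key for this example only. In a real system keep it in a
# KMS/HSM or an append-only log service so someone with database access cannot
# recompute the chain after editing an entry.
CHAIN_KEY = b"example-audit-chain-key-not-for-production"
GENESIS = "0" * 64


def _digest(fields):
    """Keyed hash over an entry's fields (canonical JSON, so field order cannot change the hash)."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(CHAIN_KEY, payload, hashlib.sha256).hexdigest()


def append_access(log, user, patient_id, action, ts=None):
    """Record one PHI access. Each entry commits to the previous entry's hash."""
    fields = {
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "user": user,
        "patient_id": patient_id,
        "action": action,
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    entry = dict(fields, hash=_digest(fields))
    log.append(entry)
    return entry


def verify_chain(log):
    """Return (True, None) if every entry matches its hash and its predecessor,
    otherwise (False, index) of the first entry where the chain breaks."""
    prev = GENESIS
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "hash"}
        if fields.get("prev") != prev or not hmac.compare_digest(_digest(fields), entry["hash"]):
            return False, i
        prev = entry["hash"]
    return True, None


def accesses_for_patient(log, patient_id):
    """The investigator's question: who touched this record, when, and what did they do?"""
    return [(e["ts"], e["user"], e["action"]) for e in log if e["patient_id"] == patient_id]


def build_sample_log():
    """Constructed sample entries, not real data."""
    log = []
    append_access(log, "dr_lee", "PT-0001", "view_phq9", ts="2024-03-01T09:00:00+00:00")
    append_access(log, "intake_staff", "PT-0002", "create_intake", ts="2024-03-01T09:05:00+00:00")
    append_access(log, "dr_lee", "PT-0001", "export_results", ts="2024-03-01T09:20:00+00:00")
    return log


def tamper_demo():
    """Show that editing or deleting a past entry is detected, and where."""
    intact = verify_chain(build_sample_log())
    edited = build_sample_log()
    edited[0]["user"] = "someone_else"   # rewrite history: change who viewed PT-0001
    deleted = build_sample_log()
    del deleted[1]                       # hide the intake-staff access entirely
    return {
        "intact": intact,
        "edited": verify_chain(edited),
        "deleted": verify_chain(deleted),
    }


if __name__ == "__main__":
    print(tamper_demo())
    print(accesses_for_patient(build_sample_log(), "PT-0001"))
```

When you run the "test it" step above, this is the property you are checking for: the vendor's export should let you confirm not only that your test access appears, but that the log as a whole has not been altered since it was written.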
Data residency and hosting
Know where your patients' information lives. HIPAA itself does not forbid storage outside the United States, but many practices and payer contracts require it, so confirm the hosting region and write it into the BAA unless you have specific international requirements. Look for hosting in data centers with independent attestations such as SOC 2 Type II or HITRUST. The major cloud providers (AWS, Google Cloud, Azure) will sign a BAA and cover physical security for their HIPAA-eligible services, but that covers only the infrastructure layer: how the vendor configures storage, access, and logging on top of it is the vendor's responsibility, not the cloud provider's. Verify your vendor uses reputable infrastructure and the provider's HIPAA-eligible services.
Breach notification
Under HIPAA's Breach Notification Rule, business associates must notify covered entities of a breach without unreasonable delay and no later than 60 days after discovery, and covered entities must then notify affected patients on the same terms. Sixty days is the ceiling, not a target. In practice, look for vendors who commit to notifying you within 24-72 hours, which leaves you time to investigate and meet your own deadline. The BAA should specify exact breach notification timeframes, what the notice must contain, and investigation procedures.
Administrative safeguards
Technical controls are only part of the picture. Ask for the vendor's security whitepaper or compliance documentation. Legitimate vendors have this prepared. Look for written security policies, regular employee HIPAA training, a designated security officer, and documented incident response procedures.
Mental health-specific considerations
Mental health assessments carry unique sensitivity. HIPAA gives psychotherapy notes extra protection (most disclosures require the patient's specific authorization), and its definition excludes test results, so assessment scores are ordinary PHI while any process notes a clinician writes alongside them are not. Your tool should therefore keep assessment scores and clinical notes separable, with different access controls for each.
Look for platforms that flag self-harm or suicide-related responses with appropriate clinician alerts. The PHQ-9's ninth item asks about thoughts of being better off dead or of self-harm and needs special handling; the PHQ-8 is the same instrument with that item removed, which is why it is used in settings where no one can follow up on a positive answer. Patient-facing security also matters: HTTPS-only links, session timeouts, and assessment links that expire and work only once protect patients who complete assessments on shared devices, since a browser history entry should not reopen their results.
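The two patient-facing behaviours just described, a link that works once and then expires, and an item-9 answer that raises a clinician alert, look like this when implemented. This is an added example for this article, not any vendor's code: the link store, the `alerts` list standing in for a notification queue, and the patient IDs are assumptions; the PHQ-9 severity bands are the standard published cut-offs.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

# PHQ-9 severity bands (upper bound of total score, label). Item 9 is the
# self-harm item that the PHQ-8 omits.
SEVERITY_BANDS = [(4, "minimal"), (9, "mild"), (14, "moderate"),
                  (19, "moderately severe"), (27, "severe")]

# Fixed clock for the example so results are reproducible.
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)


def after(minutes):
    return T0 + timedelta(minutes=minutes)


class AssessmentLinks:
    """Issue single-use, expiring assessment links and redeem each exactly once.

    Only a hash of the token is stored, so a leaked database does not yield
    usable links. (Hypothetical in-memory store; a real one would be persistent.)"""

    def __init__(self, ttl_minutes=60):
        self.ttl = timedelta(minutes=ttl_minutes)
        self._records = {}   # sha256(token) -> {"patient_id", "expires", "used"}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, patient_id, now):
        token = secrets.token_urlsafe(32)   # 256 bits of entropy; not guessable
        self._records[self._key(token)] = {
            "patient_id": patient_id, "expires": now + self.ttl, "used": False,
        }
        return token

    def redeem(self, token, now):
        """Return (patient_id, "ok") the first time; afterwards (None, reason)."""
        rec = self._records.get(self._key(token))
        if rec is None:
            return None, "unknown"
        if rec["used"]:
            return None, "already_used"
        if now > rec["expires"]:
            return None, "expired"
        rec["used"] = True
        return rec["patient_id"], "ok"


def score_phq9(answers):
    """Total a PHQ-9 and flag any non-zero answer on item 9 for clinician follow-up."""
    if len(answers) != 9 or any(a not in (0, 1, 2, 3) for a in answers):
        raise ValueError("PHQ-9 needs nine answers, each scored 0-3")
    total = sum(answers)
    severity = next(label for limit, label in SEVERITY_BANDS if total <= limit)
    return {"total": total, "severity": severity, "self_harm_flag": answers[8] > 0}


def submit_assessment(links, token, answers, now, alerts):
    """Patient-facing handler: redeem the link, score the answers, alert if needed.
    `alerts` is a hypothetical list standing in for the clinician notification queue."""
    patient_id, status = links.redeem(token, now)
    if status != "ok":
        return {"accepted": False, "reason": status}
    result = score_phq9(answers)
    if result["self_harm_flag"]:
        alerts.append({"patient_id": patient_id, "item9": answers[8], "at": now.isoformat()})
    return {"accepted": True, "patient_id": patient_id, **result}


if __name__ == "__main__":
    store, alerts = AssessmentLinks(ttl_minutes=30), []
    tok = store.issue("PT-0001", T0)
    print(submit_assessment(store, tok, [1, 1, 1, 1, 1, 1, 1, 1, 2], after(5), alerts))
    print(submit_assessment(store, tok, [0] * 9, after(6), alerts))   # second use refused
    print(alerts)
```

The design points a practitioner should look for in a vendor's product are the ones the code makes explicit: the link is redeemed before anything is stored, a second visit from the same browser history is refused rather than showing results, and the item-9 alert fires on any non-zero answer, not only on a high total score.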
Red flags that disqualify a tool
These issues should immediately eliminate a vendor from consideration:
No BAA available: Non-negotiable. Walk away.
Free tier with PHI: If a vendor offers free accounts that can handle PHI, their business model probably doesn't support proper security. Healthcare plans cost more because compliance costs more.
No encryption specifics: Vague statements like "your data is secure" without technical details suggest the vendor doesn't understand healthcare compliance.
Consumer-grade tools: Google Forms, Typeform, basic SurveyMonkey, Airtable. Excellent products, but not designed for healthcare. Some have enterprise tiers that come with a BAA (Google Forms under a Google Workspace BAA, SurveyMonkey's HIPAA-enabled plans); the free and consumer versions don't. Don't use those for patient data.
No independent verification: Vendors should point to third-party audits, certifications, or assessments. Self-attestation alone isn't enough.
Questions to ask vendors
Before committing, get clear answers and document them. They become part of your compliance record.
Security: Can you provide a signed BAA? What encryption standards do you use for data in transit and at rest? Where is data physically stored, and which cloud provider? Do you have SOC 2 Type II certification?
Access and audit: Can I create users with different permission levels? Does the system log all PHI access? Can I export audit logs, and how long are they retained?
Data management: What happens to patient data when I cancel my account? Can I export my data in standard formats? What's your backup and disaster recovery process?
Operations: What's your uptime SLA? Who at your company can access my patients' data?
Auditing your current tool
Already using a survey tool? Take immediate action if you have no signed BAA on file, encryption status is unknown, shared logins are in use, or audit logging isn't enabled. For less urgent gaps, like suboptimal access controls or missing vendor documentation, create a plan to address them.
For each survey tool handling PHI, maintain a compliance file: signed BAA, vendor security documentation, encryption specifications, evidence of your access control configuration, and audit log review records. This demonstrates due diligence if you're ever audited.
"HIPAA compliant" doesn't guarantee compliance
No software is inherently HIPAA compliant. Compliance depends on the vendor's security practices (their responsibility), your configuration and use (your responsibility), and the BAA connecting both (shared). A tool can have all the right features and still be non-compliant if configured poorly.
There's no official HIPAA certification. Vendors self-attest, and some overstate their compliance. Verify claims independently. HITRUST certification is a strong indicator of mature security practices, but it's a framework, not a regulation. Still verify they'll sign a BAA.
The cost of getting it wrong
HIPAA violations carry fines from $141 to over $2 million per violation, depending on negligence level. Average healthcare breach costs exceed $10 million including notification, investigation, and remediation. State licensing boards may take action against providers with significant compliance failures. Re-evaluate your tools at least annually, or whenever the vendor announces significant changes or you learn of security incidents.
If something feels wrong, if the vendor is evasive, if the pricing seems too good to be true, if the product wasn't built for healthcare, trust that instinct. Your patients handed you their most sensitive information. Choose tools that protect it.