Handling HIPAA-Related Security Questionnaires: What Healthcare Prospects Really Want to Know

KBPilot Team · April 14, 2026 · 6 min read

You've just closed a mid-market healthcare customer. Everyone's excited. Then the compliance team sends you a questionnaire that's different from anything you've seen before.

It's not the standard SIG framework. It's not a generic SOC 2 assessment. It's HIPAA-specific. And the language is different. The questions are about Protected Health Information (PHI), Business Associate Agreements (BAAs), breach notification timelines, and specific controls that only matter if you're handling health data.

If you're not prepared for HIPAA questionnaires, they're overwhelming. If you are prepared, you'll move through them confidently and accelerate your healthcare deals.

Why HIPAA Questionnaires Are Different

HIPAA (Health Insurance Portability and Accountability Act) is a federal regulation that governs how health information is protected and disclosed. If you're a healthcare provider, health plan, or clearinghouse, HIPAA compliance is legally mandatory—not optional.

When a covered entity (like a hospital or insurance company) brings in a third-party vendor like your SaaS product, you become a Business Associate. That means you're now legally bound by HIPAA requirements. The customer has regulatory liability if you mishandle Protected Health Information.

So healthcare procurement teams ask very different questions than typical B2B SaaS buyers. They care about HIPAA-specific controls, not just general security. Their questionnaires reflect that.

The Top Questions Healthcare Prospects Ask

1. Do you sign a Business Associate Agreement (BAA)?

This is the first question on every HIPAA questionnaire. If you don't sign a BAA, the conversation ends. The prospect can't use your product legally.

Answer: "Yes, we sign Business Associate Agreements with all healthcare customers. Our BAA is based on the HIPAA Omnibus Rule and includes all required regulatory language on safeguards, breach notification, subservice organization management, and data use limitations. We will execute a BAA with your organization before any Protected Health Information is processed."

Why this matters: The BAA is a legal contract, not just a checkbox. It creates binding obligations on both sides. Make sure your legal team has drafted and reviewed your standard BAA. Never improvise or say "we can figure it out." Covered entities need a pre-negotiated agreement.

2. How do you encrypt Protected Health Information (PHI)?

HIPAA requires encryption of PHI both at rest and in transit. The regulation is actually flexible on the specific encryption standard—but healthcare buyers often want to see specific choices (usually AES-256) and proof you're using them correctly.

Answer: "We encrypt all Protected Health Information at rest using AES-256 encryption with keys stored in AWS Key Management Service (KMS). All data in transit to and from our systems is encrypted using TLS 1.2 or higher. Encryption keys are rotated on a [monthly/quarterly] basis and are managed with role-based access control. We do not have the ability to decrypt customer PHI—only customers retain the ability to decrypt their own data through key management."

Why this matters: Be specific about the encryption standard and key management. If you use your customer's encryption keys (customer-managed encryption), say so—that's actually even stronger from a compliance perspective because you can never decrypt their data. If you manage keys for them, explain your key rotation and access controls.

3. Where is PHI stored geographically? Can you guarantee US-only storage?

Some healthcare organizations (especially those with government contracts) have strict data residency requirements. They want to know that PHI never leaves the United States. Others are more flexible.

Answer: "All customer PHI is stored in AWS data centers located in the continental United States (us-east-1 and us-west-2 regions). PHI does not replicate outside the United States. We maintain automated failover to a secondary US region for disaster recovery purposes. All subservice organizations that process PHI are located in and operate from the United States. We can discuss custom data residency requirements as part of the BAA if needed."

Why this matters: Be exact about regions. If you use any international backups, data replication, or third-party services with international presence, disclose it. Healthcare buyers will ask follow-up questions if they suspect data goes outside the US. Transparency here builds trust.

4. What is your breach notification timeline? How quickly will you notify us of a PHI breach?

HIPAA requires notification "without unreasonable delay," but the threshold for HIPAA breach notification is high—it requires unauthorized access or acquisition of PHI that compromises confidentiality or integrity. Even so, healthcare buyers want to know your process.

Answer: "We maintain a Security Incident Response Plan that includes breach notification procedures. Upon discovery of a confirmed or suspected HIPAA breach involving Protected Health Information, we will notify you within [24 hours]. Our notification will include: (1) a description of what happened, (2) what PHI was involved, (3) actions we've taken to investigate and remediate, (4) what you should do to protect affected individuals, and (5) contact information for questions. We will work with you to support regulatory notification requirements and HHS reporting."

Why this matters: 24-hour notification is the standard. Some customers will push for faster. Make sure your incident response team can actually do this—it's a legal commitment. If you commit to 24-hour notification, you need processes and on-call coverage to back it up.

5. How do you manage subservice organizations (business associates) that access PHI?

This is critical. If you use AWS, Datadog, or any other vendor that has access to PHI, those vendors are "subservice organizations" under HIPAA. You need to have BAAs with them, and you need to account for them in your customer's compliance posture.

Answer: "We maintain a list of all subservice organizations that may access or process Protected Health Information. For our platform, this includes: [AWS for infrastructure/storage], [Datadog for monitoring/logging], [other vendors]. Each subservice organization has executed a Business Associate Agreement with us that includes all HIPAA safeguard requirements. We are contractually liable for their compliance. We maintain a current list of all subservice organizations and provide updates to customers when subservice organizations change. Customers have the right to request removal of subservice organizations, which we will accommodate if operationally feasible."

Why this matters: Subservice organization management is one of the most common reasons HIPAA assessments fail. You need to know exactly which vendors touch PHI, have BAAs with all of them, and be able to explain it clearly. If you can't remove a subservice organization, be honest about it—but explain why.

Critical note: If you add a new subservice organization after you start processing PHI for a customer, you may need to notify the customer. This is a contractual obligation under the BAA. Build a process to track and communicate subservice organization changes.

6. Do you keep access logs and audit trails for PHI access? Can you provide those logs to us?

HIPAA requires logging of access to PHI. Healthcare buyers often want to see these logs themselves to verify compliance.

Answer: "We maintain comprehensive audit logs of all access to Protected Health Information, including: user identity, action performed (view, edit, download, etc.), timestamp, IP address, and success/failure of the action. Audit logs are retained for [90 days minimum, typically longer], encrypted, and tamper-protected. Customers can request and download their audit logs through the [portal/dashboard]. We also perform quarterly access reviews to verify that only authorized users have access to PHI, and we notify customers of any access anomalies or policy violations."

Why this matters: The ability to produce audit logs on demand is a table-stakes requirement. Make sure your system actually logs this level of detail. Vague answers like "we log access" aren't sufficient—customers will ask for specific evidence.
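One way to make the "tamper-protected" part of that answer concrete, as an added illustration that is not KBPilot's code or any product's: each record carries the fields listed above and is hash-chained to its predecessor, so editing or removing a record makes verification fail. The field names, sample users and IP addresses are constructed for the example.

```python
import copy
import hashlib
import json

# Fields the questionnaire answer above commits to recording for every PHI access.
FIELDS = ("user", "action", "resource", "timestamp", "ip", "outcome")
GENESIS = "0" * 64

def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so every verifier hashes the same bytes.
    body = json.dumps({k: record[k] for k in FIELDS}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append(log: list, **record) -> dict:
    """Append one PHI access event; refuse records missing any required field."""
    missing = [k for k in FIELDS if k not in record]
    if missing:
        raise ValueError(f"audit record missing fields: {missing}")
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {k: record[k] for k in FIELDS}
    entry["prev_hash"] = prev_hash
    entry["hash"] = _digest(prev_hash, entry)
    log.append(entry)
    return entry

def verify(log: list) -> bool:
    """True only if every record's hash and back-link to its predecessor are intact."""
    prev_hash = GENESIS
    for entry in log:
        if entry["prev_hash"] != prev_hash or _digest(prev_hash, entry) != entry["hash"]:
            return False
        prev_hash = entry["hash"]
    return True

def build_sample_log() -> list:
    """Constructed sample events (not real PHI, users or addresses)."""
    log: list = []
    append(log, user="dr.lee", action="view", resource="patient/1001",
           timestamp="2026-04-14T09:00:00Z", ip="203.0.113.10", outcome="success")
    append(log, user="intern.x", action="download", resource="patient/1001",
           timestamp="2026-04-14T09:05:00Z", ip="203.0.113.22", outcome="denied")
    append(log, user="dr.lee", action="edit", resource="patient/1001",
           timestamp="2026-04-14T09:07:00Z", ip="203.0.113.10", outcome="success")
    return log

def tampered_copy(log: list) -> list:
    """Simulate someone rewriting the denied download as a success after the fact."""
    bad = copy.deepcopy(log)
    bad[1]["outcome"] = "success"
    return bad
```

Truncating the tail of the chain is not caught by verify(); to detect that, anchor the latest hash outside the log store (for example, publish it periodically to the customer portal or a write-once bucket).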

7. What authentication and access controls do you use to prevent unauthorized PHI access?

HIPAA requires access controls "to ensure that all members of [your] workforce have appropriate access to electronic protected health information, as needed to perform their functions." In practice, this means least-privilege access, strong authentication, and documented access reviews.

Answer: "We implement least-privilege access controls: employees only have access to PHI required for their specific job function. All access is authenticated via single sign-on (SSO) with multi-factor authentication (MFA) enforced for all users. Administrative access (including database access) requires additional approval and is limited to [title/role]. All access changes are logged and reviewed. We conduct quarterly access reviews to ensure access remains appropriate. Terminated employees' access is revoked within [timeframe—ideally same day]."

Why this matters: MFA is becoming expected even for non-regulated industries, but it's absolutely required for HIPAA. Explain how you implement it. If different roles have different access levels, document that clearly.

8. What disaster recovery and business continuity plans do you have for PHI?

HIPAA requires business continuity and disaster recovery plans. Healthcare customers want to know that if something happens to you, their PHI is still protected and they can recover their data.

Answer: "We maintain a Business Continuity and Disaster Recovery Plan with a Recovery Time Objective (RTO) of [4 hours] and Recovery Point Objective (RPO) of [1 hour]. Our infrastructure is deployed across multiple AWS availability zones with automatic failover. PHI is backed up continuously to a geographically separate US region. We test disaster recovery procedures quarterly and maintain detailed recovery runbooks. In the event of a disaster affecting our ability to serve customers, we have procedures to securely transfer all PHI to the customer or a trusted third party."

Why this matters: Customers want confidence that your disaster recovery actually works and has been tested. Annual testing of disaster recovery is the standard—quarterly or more frequent is stronger.

How to Prepare for HIPAA Questionnaires

If you're selling into healthcare, don't wait for the first questionnaire to figure out your answers. Start now:

The Competitive Advantage

Most SaaS vendors aren't prepared for healthcare. They say "We can be HIPAA-compliant" but haven't actually implemented the controls or signed BAAs. When a healthcare prospect issues a questionnaire, these vendors scramble.

If you're ready with documented controls, a signed BAA, and confident answers to HIPAA questions, you move through security review faster. That's a competitive advantage that directly translates to won deals and faster revenue.

Streamline your healthcare questionnaire response

KBPilot helps health tech companies document and deploy HIPAA-specific security answers.
