HIPAA BAAs and security questionnaires: what a business associate actually commits to
A healthcare customer wants to buy your product, and two documents have arrived together: a Business Associate Agreement to sign and a security questionnaire to complete. They look like separate chores. They aren't — the questionnaire is the buyer checking whether you can keep the promises the BAA is about to make legally binding. This guide covers how the two documents relate, how HIPAA's structure shapes the questions, and the order to work in so you don't sign commitments your team can't execute.
A BAA is a contract, not a questionnaire — but they travel together
HIPAA requires a covered entity (the hospital, insurer, or provider) to execute a Business Associate Agreement with any vendor that creates, receives, maintains, or transmits protected health information on its behalf. The BAA is not an assessment; it is a contract that makes you directly liable under HIPAA for safeguarding PHI, reporting breaches on a defined clock, and flowing the same obligations down to your own subcontractors.
The questionnaire that arrives in the same email is the covered entity's due diligence on whether those promises are realistic. This changes how you should read it: your questionnaire answers describe the posture the BAA then binds you to. An optimistic answer about encryption or incident response isn't just a credibility risk here — it's a description of a contractual obligation you may not be meeting on day one.
The Security Rule triad is the table of contents
HIPAA's Security Rule organizes its requirements into three safeguard categories, and nearly every HIPAA questionnaire mirrors them as its section structure:
- Administrative safeguards — the process layer: a documented risk analysis, workforce training, a security officer designation, access authorization procedures, and incident response procedures. This is usually the longest section and the one engineering teams underestimate, because the controls are documents and processes rather than configurations.
- Physical safeguards — facility access controls, workstation security, device and media disposal. For a cloud-native vendor, most of this is inherited from your hosting provider — say so explicitly and cite their attestation rather than describing data centers you've never entered.
- Technical safeguards — unique user identification, automatic logoff, audit logging, integrity controls, and encryption in transit and at rest. This is where your actual stack gets examined, and where "addressable" specifications like encryption are, in practice, expected by every covered entity.
Answering in this structure — even when the buyer's spreadsheet scrambles it — keeps your answers consistent, because each control gets stated once per safeguard rather than re-improvised per question.
The breach-notification clock you're signing up to
The regulation gives a business associate up to 60 days from discovery to notify the covered entity of a breach of unsecured PHI. Almost no negotiated BAA leaves it there. Real agreements specify 10 business days, 5 days, 72 hours — sometimes 24 — and "discovery" is defined to include the moment any employee of yours should reasonably have known.
Before answering any questionnaire row about incident response, read the BAA's notification clause and ask the only question that matters: can our on-call rotation, as it exists today, detect an incident, assess whether PHI was involved, and produce a customer notification inside that window? If the honest answer is no, the time to say so is now — as a redline on the BAA or a stated limitation in the questionnaire — not during your first real incident.
Subcontractor flow-down: your vendors become part of your answer
HIPAA's obligations cascade. Every subcontractor that touches PHI on your behalf needs a BAA with you, with terms at least as protective as the ones you signed upstream. Questionnaires probe this directly: which subprocessors handle PHI, do you hold BAAs with each, how do you assess them.
The list is usually longer than teams first think: hosting (AWS, GCP, and Azure all offer BAAs, but only for designated services and only once you've executed one), log aggregation, error tracking, analytics, customer support tooling, transactional email. A crash reporter that captures request bodies is a PHI subprocessor whether you intended it or not. Auditing this honestly is most of the real work of the questionnaire.
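The crash-reporter case above is the one most teams find during the PHI inventory, and it is also the easiest to close in code. The following is an added example, not code from this guide or from any error-tracking vendor: a scrubbing hook in the shape that most crash reporters let you register before an event is transmitted (Sentry's `before_send` is one real instance of the pattern; the event layout, the `PHI_KEYS` list and the sample event here are constructed for illustration, not a vendor's schema). It drops request bodies outright, masks secret headers, redacts PHI-named keys anywhere in the event, and catches identifier-shaped values under unexpected keys. The returned `stats` double as inventory evidence: run `leaks_phi` over a sample of historical events to learn whether that vendor has in fact been a PHI subprocessor.

```python
"""Redact PHI from an error-tracker event before it leaves your boundary.

Added example (not from the page or any vendor). The event shape, key names
and sample data are constructed assumptions modelled on a typical crash
reporter; adapt PHI_KEYS and the request layout to your own stack.
"""
import copy
import re

# Keys that, by name, carry PHI or identifiers in this hypothetical app.
PHI_KEYS = {"patient_name", "dob", "date_of_birth", "ssn", "mrn",
            "diagnosis", "member_id", "address", "phone", "email"}
# Headers that would let a third party replay an authenticated request.
SECRET_HEADERS = {"authorization", "cookie", "x-api-key"}
# Value patterns that look like identifiers even under an unexpected key.
VALUE_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),         # SSN-shaped
    re.compile(r"\b(?:MRN|mrn)[-: ]?\d{6,}\b"),   # MRN-shaped
]
REDACTED = "[REDACTED]"


def _walk(node, stats):
    """Recursively rebuild `node`, redacting PHI keys and identifier-shaped values."""
    if isinstance(node, dict):
        result = {}
        for key, value in node.items():
            if isinstance(key, str) and key.lower() in PHI_KEYS:
                result[key] = REDACTED
                stats["keys"] += 1
            else:
                result[key] = _walk(value, stats)
        return result
    if isinstance(node, list):
        return [_walk(value, stats) for value in node]
    if isinstance(node, str):
        scrubbed = node
        for pattern in VALUE_PATTERNS:
            scrubbed, hits = pattern.subn(REDACTED, scrubbed)
            stats["values"] += hits
        return scrubbed
    return node


def scrub_event(event):
    """Return (scrubbed_event, stats). The input event is never mutated."""
    stats = {"keys": 0, "values": 0, "bodies": 0, "headers": 0}
    out = copy.deepcopy(event)
    request = out.get("request")
    if isinstance(request, dict):
        # Request bodies are dropped wholesale: a body that reaches a crash
        # reporter makes that vendor a PHI subprocessor whatever it contained.
        if "data" in request:
            request["data"] = REDACTED
            stats["bodies"] += 1
        headers = request.get("headers")
        if isinstance(headers, dict):
            for name in list(headers):
                if name.lower() in SECRET_HEADERS:
                    headers[name] = REDACTED
                    stats["headers"] += 1
    return _walk(out, stats), stats


def leaks_phi(event):
    """Inventory helper: would this event carry PHI or secrets out unscrubbed?"""
    _, stats = scrub_event(event)
    return any(stats.values())


# Constructed sample event; no real data.
SAMPLE_EVENT = {
    "message": "KeyError: 'insurance' for mrn-12345678",
    "request": {
        "url": "https://app.example/api/claims",
        "headers": {"Authorization": "Bearer abc", "User-Agent": "x"},
        "data": {"patient_name": "Jane Doe", "dob": "1980-01-01"},
    },
    "extra": {"ssn": "123-45-6789", "note": "callback 123-45-6789 later"},
}

if __name__ == "__main__":
    scrubbed, stats = scrub_event(SAMPLE_EVENT)
    print(stats)      # {'keys': 1, 'values': 2, 'bodies': 1, 'headers': 1}
    print(scrubbed)
```

The allow-nothing treatment of request bodies is deliberate: a field-by-field allowlist of body keys is the only safe alternative, and it has to be maintained as the API changes, so dropping the body is the default that fails closed.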
How to answer the HIPAA security questionnaire, step by step
- Inventory your PHI touchpoints before answering anything. Trace where PHI enters your system, every store and service it lands in, every place it leaves — including logs, backups, error trackers, and support tools. Every subsequent answer depends on this map being honest, and most HIPAA answer failures are really inventory failures.
- Set up an answer library organized by safeguard. Start from our free answer-library template and section it administrative / physical / technical. Healthcare buyers send near-identical questionnaires, because they're all paraphrasing the same Security Rule — the reuse rate on this library is the highest of any format.
- Answer the administrative safeguards from your actual documents. Risk analysis, training records, security officer, IR procedures — cite each by name and date. If a document doesn't exist yet, the answer is "in development, target date X," not a description of the document you intend to write.
- Answer physical and technical safeguards, separating inherited from owned. Physical controls: cite your cloud provider's BAA and attestations. Technical controls: name the mechanism — the encryption standard, the logging pipeline, the access-control model — for your own stack.
- Reconcile every incident-response answer against the BAA's notification clause. Put the BAA and the questionnaire side by side. The detection, escalation, and notification capabilities you claim must add up to hitting the contractual clock. Never describe an IR capability in the questionnaire that the team on call couldn't execute this weekend.
- Document subcontractor flow-down before submitting. List every PHI-touching subprocessor, confirm an executed BAA with each, and attach the list. A gap found here by you is a remediation item; found by the buyer, it's a deal problem.
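The reconciliation in the fifth step, and the "can our on-call rotation hit that window" question from the breach-notification section, can be answered with data rather than optimism by replaying past incidents against the clause you are about to sign. The following is an added example, not code from this guide: it takes a notification clause in hours, calendar days or business days, treats the first alert (not the ticket) as "discovery", since BAAs routinely define discovery as the moment any employee should reasonably have known, and reports whether each historical incident would have been notified in time. The `Clause` and `Incident` types and the two sample incidents are constructed for illustration.

```python
"""Reconcile incident history against a BAA notification clause.

Added example, not from the page. Replays constructed past incidents against
the clock a BAA would impose, using the first alert as 'discovery'.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Clause:
    amount: int
    unit: str  # "hours", "days" (calendar) or "business_days"


@dataclass(frozen=True)
class Incident:
    name: str
    first_alert: datetime       # when evidence first existed (BAA 'discovery')
    ticket_opened: datetime     # when a human actually picked it up
    phi_assessed: datetime      # when PHI involvement was determined
    customer_notified: datetime


def deadline(discovered, clause):
    """Latest permissible notification time for a discovery at `discovered`."""
    if clause.unit == "hours":
        return discovered + timedelta(hours=clause.amount)
    if clause.unit == "days":
        return discovered + timedelta(days=clause.amount)
    if clause.unit == "business_days":
        # Count Monday to Friday only (no holiday calendar in this example).
        # A Friday-night discovery still starts the clock immediately.
        due, remaining = discovered, clause.amount
        while remaining > 0:
            due += timedelta(days=1)
            if due.weekday() < 5:
                remaining -= 1
        return due
    raise ValueError(f"unknown clause unit: {clause.unit}")


def reconcile(incidents, clause):
    """Per-incident verdicts: did notification beat the clock, and how much of
    the window was already gone before PHI involvement was even assessed."""
    report = []
    for inc in incidents:
        due = deadline(inc.first_alert, clause)
        window = due - inc.first_alert
        report.append({
            "incident": inc.name,
            "due": due,
            "on_time": inc.customer_notified <= due,
            "lag_to_ticket": inc.ticket_opened - inc.first_alert,
            "share_spent_before_assessment": (inc.phi_assessed - inc.first_alert) / window,
        })
    return report


def can_commit(incidents, clause):
    """True only if every historical incident would have met this clause."""
    return all(row["on_time"] for row in reconcile(incidents, clause))


# Constructed incident history (2024-03-01 is a Friday).
INCIDENTS = [
    Incident("weekend-alert", datetime(2024, 3, 1, 22, 0),
             datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 4, 15, 0),
             datetime(2024, 3, 5, 10, 0)),
    Incident("weekday-alert", datetime(2024, 3, 12, 10, 0),
             datetime(2024, 3, 12, 10, 30), datetime(2024, 3, 12, 14, 0),
             datetime(2024, 3, 13, 9, 0)),
]

if __name__ == "__main__":
    for clause in (Clause(72, "hours"), Clause(5, "days"), Clause(10, "business_days")):
        print(clause, "commitable:", can_commit(INCIDENTS, clause))
        for row in reconcile(INCIDENTS, clause):
            print("  ", row["incident"], "on_time:", row["on_time"],
                  "lag_to_ticket:", row["lag_to_ticket"])
```

The Friday-night incident is the one to watch: it clears a 10-business-day or 5-calendar-day clause comfortably but misses 72 hours, almost entirely because nobody looked at the alert until Monday. That lag is what the questionnaire's "24x7 monitoring" row is really asking about, and it is what to redline or fix before signing.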
When the answer is no: closing HIPAA-specific gaps
Security Rule gaps map cleanly onto deployable controls — and because the components are open source, the covered entity's auditors can inspect exactly what protects their PHI:
- Audit controls — §164.312(b): Managed Wazuh — the record-and-examine-activity capability the technical safeguards require.
- Access control — §164.312(a): Managed Teleport — unique accountability and recorded sessions on systems touching PHI.
- Person/entity authentication — §164.312(d): Managed Keycloak — MFA and centralised identity in front of PHI-adjacent applications.
The general questionnaire discipline — triage, honesty, building the library once — is in our security questionnaire guide; this page covers what HIPAA adds on top, which is mostly contractual stakes. If the BAA is sitting unsigned because nobody can confidently complete the questionnaire, ThinSky's Questionnaire Rescue maps your PHI surface and drafts defensible answers in about 3 days.
Common questions
Is a BAA the same as a security questionnaire?
No. A BAA (Business Associate Agreement) is a contract required by HIPAA whenever a vendor handles protected health information for a covered entity — it creates legal obligations. The questionnaire that usually arrives alongside it is the covered entity's check that you can actually meet those obligations. You answer the questionnaire; you sign the BAA. Both bind you, in different ways.
What are the three HIPAA Security Rule safeguard categories?
Administrative safeguards (risk analysis, workforce training, access management process, incident response procedures), physical safeguards (facility access, workstation and device controls), and technical safeguards (access controls, audit logging, integrity controls, transmission encryption). Most HIPAA questionnaires are organized as these three sections, in this order.
What breach notification timeline does a BAA usually require?
HIPAA's ceiling is 60 days from discovery for a business associate to notify the covered entity, but BAAs routinely negotiate that down — 10 business days, 5 days, and even 72 or 24 hours appear in real agreements. The number in the BAA you sign is the clock you must actually be able to hit, so read it against your incident response capability before signing.
Do our subcontractors need BAAs too?
Yes, if they create, receive, maintain, or transmit PHI on your behalf. HIPAA's flow-down requirement makes you responsible for putting a BAA in place with each such subcontractor — including your cloud provider. AWS, Google Cloud, and Azure all offer BAAs, but they are not automatic; you must execute one and stay within the covered services.