Business associate rfp template questions should establish whether a vendor will create, receive, maintain, or transmit electronic protected health information (ePHI); whether it can provide the required written assurances; and whether its technical, operational, and subcontractor controls support those assurances. The questionnaire should request evidence—not only policy statements—covering security safeguards, incident reporting, access controls, encryption, subcontractors, and willingness to sign a HIPAA-compliant business associate agreement (BAA). For HIPAA 164.308(b)(1), the RFP is the due-diligence record that helps an SMB customer determine whether the vendor can provide satisfactory assurances before ePHI is shared.
When should an MSSP issue an RFP for a business associate relationship?
Issue an RFP or structured vendor questionnaire before onboarding a service provider that may handle ePHI on behalf of a covered entity or another business associate. This includes cloud hosting providers, managed backup vendors, help desk platforms, security information and event management providers, managed detection and response vendors, document-sharing platforms, billing services, and outsourced IT providers with administrative access to systems containing ePHI.
For an MSSP supporting SMB healthcare customers, the trigger is not whether a vendor markets itself as “HIPAA compliant.” The trigger is the proposed data flow and access model. If the provider can view patient information, store backups containing ePHI, collect logs with ePHI fields, or hold privileged credentials to systems where ePHI resides, treat the engagement as potentially requiring a BAA and documented due diligence.
- New procurement: Send the questionnaire before technical selection, pilot deployment, or production data migration.
- Contract renewal: Reassess vendors when the BAA, statement of work, or security addendum is renewed or materially amended.
- Scope expansion: Reissue relevant questions when a vendor gains administrative access, begins hosting backups, adds a new analytics feature, or begins using ePHI for support or troubleshooting.
- Security event or audit finding: Reevaluate assurances when an incident, breach, control failure, or unresolved customer audit issue affects the vendor.
- Subcontractor change: Review the relationship when the vendor introduces a new hosting, support, monitoring, or data-processing subcontractor.
HIPAA 164.308(b)(4) requires the covered entity to document the satisfactory assurances required by 164.308(b)(1) through a written contract or other arrangement meeting 164.314(a). An RFP response does not replace the BAA. It supports the decision to proceed, identifies contract terms that must be negotiated, and provides a defensible record of why the customer concluded the vendor’s assurances were satisfactory.
Which business associate rfp template questions should be included?
Use the following question bank as a reusable baseline. Ask vendors to identify the applicable service, attach supporting evidence where requested, and state whether a control is standard, optional, or unavailable. Tailor the questions to the actual service rather than asking every supplier the same set of irrelevant questions.
What should the RFP ask about ePHI scope and data handling?
- Describe every category of ePHI the service may create, receive, maintain, or transmit, including data contained in backups, tickets, logs, screenshots, and support attachments.
- Identify where ePHI is stored, processed, replicated, and accessed, including primary regions, disaster-recovery regions, and support locations.
- Provide a data-flow diagram showing customer systems, vendor services, administrative access paths, APIs, and third-party integrations.
- State the retention period for production data, backups, audit logs, deleted records, and support artifacts containing customer data.
- Explain the process and timeline for returning ePHI to the customer and securely destroying remaining copies at contract termination.
What safeguards should a business associate questionnaire assess?
- Describe the administrative, physical, and technical safeguards used to protect ePHI under the HIPAA Security Rule.
- Is multi-factor authentication required for workforce members with administrative or remote access to systems processing ePHI? Identify the authentication methods supported, such as Microsoft Entra ID MFA, FIDO2 security keys, or Duo MFA.
- Describe privileged-access management controls, including separate administrator accounts, approval workflows, session logging, and periodic access reviews.
- State encryption standards used for ePHI in transit and at rest. Confirm whether TLS 1.2 or higher is required and identify encryption approaches such as AES-256 storage encryption and customer-managed keys.
- Explain vulnerability management practices, including authenticated scanning, patching service-level targets, penetration-test frequency, and remediation tracking for critical findings.
- Describe logging and monitoring controls. Specify log retention, security alert coverage, time synchronization, and whether customer administrators can obtain relevant audit records.
- Provide the most recent independent assurance report or certification available, such as a SOC 2 Type II report, ISO/IEC 27001 certificate, penetration-test executive summary, or HIPAA security assessment.
How should the RFP address incidents and breach reporting?
- Define the vendor’s process for identifying, investigating, containing, documenting, and remediating suspected security incidents involving customer ePHI.
- State the contractual notification timeline for a suspected incident, confirmed incident, and breach. A response such as “we notify customers as required by law” is insufficient; require a measurable timeline.
- Identify the information the vendor will provide during notification, including affected systems, dates, data elements, known individuals affected, containment actions, and indicators of compromise.
- Confirm that the vendor will cooperate with the covered entity’s breach assessment, notification obligations, evidence preservation, and regulatory inquiry response.
- Provide the vendor’s 24/7 incident contact method and escalation path for customer security teams and the MSSP.
What subcontractor and workforce questions are necessary?
- List all subcontractors that may create, receive, maintain, or transmit ePHI or receive privileged access to systems containing ePHI.
- Explain how the vendor obtains satisfactory assurances from subcontractors and how it flows HIPAA-required restrictions and conditions down to them.
- Describe workforce screening, confidentiality agreements, security awareness training, HIPAA training where applicable, and sanctions for policy violations.
- State whether offshore personnel can access ePHI, support environments, backups, or privileged administration tools, and identify the applicable access restrictions.
- Describe the notification process for material changes to subcontractors, hosting regions, security architecture, or services that affect ePHI.
What contract-readiness questions should be asked?
- Will the vendor execute the customer’s BAA or provide a BAA that meets the applicable requirements of 45 CFR 164.314(a)?
- Does the proposed BAA require the vendor to safeguard ePHI, report security incidents and breaches, ensure subcontractor assurances, support access and amendment obligations where applicable, and return or destroy ePHI at termination?
- Identify any requested BAA exceptions, liability limitations, incident-notification limits, or service exclusions that could prevent the covered entity from obtaining satisfactory assurances.
- Will the vendor permit reasonable documentation review, such as review of a SOC 2 report under NDA, security questionnaire responses, and remediation status for material findings?
How should an MSSP score vendor responses?
Score control evidence separately from contractual acceptance. A vendor with strong technical controls but a refusal to sign an acceptable BAA should not be selected for a service involving ePHI. Likewise, a signed BAA should not erase material concerns such as no MFA for administrators or undefined incident-notification timing.
| Score | Meaning | Evidence standard | Disposition |
|---|---|---|---|
| 5 | Meets or exceeds requirement | Specific answer, current evidence, named control owner, and contractual commitment | Accept |
| 4 | Meets requirement with minor clarification | Documented control and evidence; limited follow-up needed | Accept with follow-up |
| 3 | Partially meets requirement | Control exists but lacks evidence, consistency, or full scope | Conditional remediation |
| 2 | Material control gap | Informal practice, future roadmap item, or unsupported assertion | Escalate for risk acceptance |
| 1 | Does not meet requirement | Refusal, unavailable control, or unacceptable contract term | Reject for ePHI scope |
Weight contract and ePHI-handling categories heavily. For an SMB client, a practical threshold is a weighted score of at least 4.0 out of 5, no score below 3 in incident response, access control, or subcontractor management, and no unresolved BAA exception. Preserve the completed questionnaire, evidence reviewed, reviewer notes, risk decisions, and final BAA with the vendor record.
Which vendor answers are red flags?
- “We are HIPAA compliant, so no BAA is necessary.” HIPAA does not allow a vendor’s marketing statement to substitute for the written satisfactory assurances required for a business associate relationship.
- “We notify customers after our investigation is complete.” This creates an open-ended notification commitment and can prevent timely breach assessment by the covered entity.
- “MFA is available upon request.” Optional MFA for privileged accounts is weaker than enforced MFA; request configuration evidence and implementation responsibility.
- “Our cloud provider handles security.” Shared-responsibility models do not answer who controls identities, encryption keys, logs, patches, backups, and application vulnerabilities.
- “Subcontractors are confidential.” The vendor need not disclose every proprietary detail, but it must provide enough information to establish how subcontractor assurances and ePHI protections are maintained.
- “We cannot provide audit evidence.” A vendor may protect confidential reports through an NDA, but complete refusal to provide meaningful assurance evidence should lower its score.
- “Data is deleted when the account closes.” Ask for deletion timelines, backup expiration periods, certificate-of-destruction availability, and treatment of retained legal or security logs.
What does a sample business associate vendor evaluation matrix look like?
The following illustrative matrix shows how an MSSP analyst can translate RFP answers into a procurement recommendation. Scores reflect the documented response and evidence reviewed, not brand reputation.
| Evaluation area | Weight | AWS workload hosting | Microsoft Azure workload hosting | Google Cloud workload hosting |
|---|---|---|---|---|
| BAA and contract terms | 30% | 5 — BAA accepted; eligible services confirmed | 5 — BAA accepted; service scope confirmed | 5 — BAA accepted; service scope confirmed |
| Identity and privileged access | 20% | 4 — IAM MFA and CloudTrail required by customer baseline | 5 — Entra Conditional Access MFA and Privileged Identity Management documented | 4 — 2-Step Verification and Cloud Audit Logs documented |
| Encryption and key management | 15% | 5 — AES-256 encryption with AWS KMS customer-managed keys | 5 — Azure Key Vault customer-managed keys available | 4 — Cloud KMS documented; customer key process needs clarification |
| Incident and subcontractor assurance | 20% | 4 — escalation terms require legal review | 4 — incident timeline accepted; subcontractor list reviewed | 3 — notification language requires amendment |
| Evidence and audit support | 15% | 5 — SOC 2 Type II and configuration evidence reviewed | 5 — SOC 2 Type II and control documentation reviewed | 4 — assurance report reviewed; retention evidence pending |
| Weighted result | 100% | 4.55 — approved with contract review | 4.70 — approved | 4.05 — conditional approval |
Before sending the next vendor package, map the customer’s actual ePHI flows and use this question set to obtain written, reviewable assurances before access or data transfer begins.