With its whimsical name and easy-to-use survey and data-gathering tools, SurveyMonkey is one of the best-known and most widely used tools of its kind. But is it an appropriate tool in situations where patients’ protected health information is involved?

What Makes a Software Tool HIPAA Compliant?

When it comes to software, HIPAA compliance boils down to two questions. Does the software have safeguards to keep patient data private and secure? Does the software provider sign business associate agreements?

When the answer to both of these questions is “yes,” the tool is likely HIPAA compliant. If the answer to either is “no,” the software tool is not HIPAA compliant.

What Are HIPAA Safeguards?

HIPAA safeguards are measures that a healthcare organization puts into place to protect the confidentiality, integrity, and availability of protected health information (PHI). HIPAA categorizes safeguards into three groups – administrative, physical, and technical. 

Administrative safeguards are written policies and procedures that dictate PHI’s proper uses and disclosures.

Physical safeguards, such as locks and alarm systems, protect an organization’s physical location.

Technical safeguards are measures that protect electronic PHI (ePHI).

While administrative and physical safeguards are essential, technical safeguards are generally the determining factor of a software provider’s HIPAA compliance. Technical safeguards should include encryption, user authentication, access controls, and audit controls.


Why is a Business Associate Agreement Important?

Business associate agreements are a crucial determinant of HIPAA compliance. Even the most secure software platform is NOT HIPAA compliant if its provider will not sign a business associate agreement (BAA).

A BAA is a legal agreement that requires each signing party to be HIPAA compliant and to be responsible for maintaining compliance. As such, a BAA limits the liability for both signing parties in case of a breach or OCR audit, as only the negligent party would be held culpable.

Is SurveyMonkey HIPAA Compliant?

So, is SurveyMonkey HIPAA compliant? Users of SurveyMonkey’s Enterprise edition will find a robust set of security controls that appear to meet the standards HIPAA requires for protecting data. There are also features designed to enhance security for end-users, including warnings when transferring PHI, automatic logout of users, and access logging that records the time stamp, the user’s identity, and the event type.

SurveyMonkey also offers a Business Associate Agreement for Enterprise customers, which is available to review on its website. All of these features are only available for Enterprise users. Based on this information, it appears that the Enterprise version of SurveyMonkey is HIPAA compliant.
