Is SurveyMonkey HIPAA Compliant? What You Need to Know
SurveyMonkey Enterprise HIPAA Features
SurveyMonkey can support HIPAA compliance when you use SurveyMonkey Enterprise with HIPAA features enabled and an executed Business Associate Agreement. In this configuration, you can collect and manage Protected Health Information (PHI) within a governed environment designed for regulated data.
What the Enterprise HIPAA setup typically provides
- Administrative controls to centrally manage users, permissions, and content access using least‑privilege principles.
- Security capabilities aligned to PHI Security Controls, including encryption in transit and at rest, account security policies, and activity logging.
- Governance options to standardize templates, enforce settings, and reduce configuration drift across teams handling PHI.
- Support for identity integrations (such as SSO/SCIM) to streamline provisioning and deprovisioning of workforce members.
Your responsibilities don’t disappear
HIPAA compliance is shared. You still decide what PHI to collect, control who can access it, and configure security settings. You also remain responsible for workforce training, device and network security, and honoring patient privacy rights.
Business Associate Agreement Requirements
A Business Associate Agreement (BAA) is mandatory before you collect PHI in SurveyMonkey. The BAA defines how PHI is protected, how it may be used or disclosed, and what happens in the event of a security incident.
Key elements to confirm in the BAA
- Scope and covered services: which accounts, features, and data flows are in scope for PHI.
- Security safeguards: administrative, physical, and technical protections the parties must maintain.
- Breach notification: timelines, responsibilities, and cooperation requirements for incident response.
- Subprocessors: oversight and contractual obligations for any subcontractors handling PHI.
- Minimum necessary: commitments to collect and access only what is necessary for your stated purpose.
- Return or destruction of PHI upon HIPAA Account Termination, including timelines and verification mechanisms.
How to obtain and activate HIPAA coverage
- Engage Sales for SurveyMonkey Enterprise and request HIPAA capabilities.
- Complete due diligence and legal review of the BAA; execute the agreement.
- Have HIPAA features enabled on your Enterprise team; verify enforcement settings before collecting PHI.
- Document your internal controls and assign an owner for ongoing compliance operations.
Security Measures for PHI Protection
Security for PHI is multilayered. Combine platform safeguards with your organizational controls to meet HIPAA’s Security Rule.
Data protection controls
- Data Encryption: ensure encryption in transit and at rest is enabled for survey content, responses, and file uploads.
- Access control: use role‑based permissions, SSO, and multifactor authentication to restrict PHI access.
- Auditability: retain activity logs that show who accessed, exported, modified, or deleted PHI.
- Data minimization: collect only the minimum necessary PHI and limit fields that capture direct identifiers.
Collector and survey configuration
- Prefer the Web Link Collector configured for anonymous responses when feasible; avoid capturing email addresses or IP data unless necessary.
- Use survey logic to conditionally request PHI and keep identifiers separate from clinical responses when possible.
- Display clear notices and consent language that describe your purpose and how PHI will be used.
- Protect downloads and exports by storing them in approved, encrypted locations with access controls.
Operational safeguards
- Backup and retention policies that align to your legal, clinical, and business needs.
- Incident response runbooks covering containment, assessment, notification, and post‑incident review.
- Vendor oversight for any downstream tools or subprocessors connected to your surveys.
HIPAA Account Limitations and Restrictions
HIPAA features apply to designated Enterprise teams covered by your BAA. Personal, free, or non‑HIPAA plans aren’t authorized for PHI. Expect targeted restrictions that prioritize privacy and security.
Common restrictions to anticipate
- Admin‑enforced settings that limit who can create, view, export, or share surveys containing PHI.
- Guardrails around third‑party integrations unless appropriate agreements and controls are in place.
- Controls that reduce collection of unnecessary identifiers and disable risky configurations by default.
Downgrades and offboarding
- Ending HIPAA coverage triggers HIPAA Account Termination obligations, including PHI return or destruction.
- Before any downgrade, export required records, document retention decisions, and verify deletion of residual PHI.
- Coordinate timelines with stakeholders so clinical operations and compliance records remain intact.
SurveyMonkey HIPAA Compliance Best Practices
Strong configuration and disciplined operations make the difference between theoretical and practical compliance. Use these practices to harden your environment.
Plan and design
- Define your PHI data model and label questions that collect identifiers versus clinical content.
- Apply the minimum necessary standard; where possible, use de‑identification or pseudonymization.
- Use the Web Link Collector with anonymous settings for general data capture; reserve identified workflows for cases that genuinely require them.
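Keeping identifiers separate from clinical responses and using a keyed pseudonym to link the two is the design the list above recommends. The following is an added example, not SurveyMonkey code and not part of this page's original content; it applies the split to a whole constructed export rather than a single response. The field names, the sample responses, and the HMAC key are constructed placeholders (in practice the key comes from a secrets manager and the identifier fields come from your own PHI data model).

```python
"""Split exported survey responses into an identity store and a clinical store.

Added example, not SurveyMonkey code. Assumes each exported response is a dict
with the constructed field names below. The pseudonym is an HMAC-SHA256 tag so
that the same respondent always maps to the same token, but the token cannot be
reversed or rebuilt without the key (a plain SHA-256 of an email could be).
"""
import hashlib
import hmac
import uuid
from typing import Dict, List, Optional, Tuple

# Constructed list of direct-identifier fields; derive it from your own data model.
IDENTIFIER_FIELDS = {"email", "full_name", "phone", "ip_address"}

# Constructed placeholder key for illustration only; load from a secrets manager.
PSEUDONYM_KEY = b"placeholder-key-replace-with-secret-from-your-secrets-manager"

# Constructed sample export: two responses from one person (email case differs),
# plus one anonymous response with no direct identifiers.
SAMPLE_RESPONSES: List[Dict[str, str]] = [
    {"email": "Pat@Example.org", "full_name": "Pat Doe", "ip_address": "203.0.113.5",
     "symptom_score": "7", "diagnosis_code": "J06.9"},
    {"email": "pat@example.org", "full_name": "Pat Doe", "symptom_score": "5"},
    {"symptom_score": "3"},
]


def pseudonym(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic keyed pseudonym for a linking identifier (normalized first)."""
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def split_response(response: Dict[str, str],
                   key: bytes = PSEUDONYM_KEY) -> Tuple[Optional[Dict], Dict]:
    """Return (identity_record, clinical_record).

    The identity record holds the direct identifiers plus the pseudonym and
    belongs in a restricted store; the clinical record carries only the
    pseudonym and non-identifying answers. Anonymous responses get a random
    token and no identity record, so nothing links them back to a person.
    """
    email = response.get("email")
    if email:
        token = pseudonym(email, key)
    else:
        token = uuid.uuid4().hex  # no linking identifier: unlinkable random token
    identity: Optional[Dict] = {"pseudonym": token} if email else None
    clinical: Dict = {"pseudonym": token}
    for field, value in response.items():
        if field in IDENTIFIER_FIELDS:
            if identity is not None:
                identity[field] = value
            # identifiers present without an email are dropped, not leaked into
            # the clinical store; tighten this to a ValueError if that suits you
        else:
            clinical[field] = value
    return identity, clinical


def split_export(responses: List[Dict[str, str]],
                 key: bytes = PSEUDONYM_KEY) -> Tuple[List[Dict], List[Dict]]:
    """Split a whole export; identity records exist only for identified responses."""
    identities, clinicals = [], []
    for response in responses:
        identity, clinical = split_response(response, key)
        if identity is not None:
            identities.append(identity)
        clinicals.append(clinical)
    return identities, clinicals


def contains_identifiers(record: Dict) -> bool:
    """Check used before releasing a record to the clinical (wider-access) store."""
    return any(field in record for field in IDENTIFIER_FIELDS)


if __name__ == "__main__":
    ids, clin = split_export(SAMPLE_RESPONSES)
    print(f"{len(ids)} identity records, {len(clin)} clinical records")
    for record in clin:
        assert not contains_identifiers(record)
        print(record)
```

Re-identification then requires both the restricted identity store and the key, which is the point of the separation: the clinical store can be shared more widely, and minimum-necessary access applies to the identity store alone. Rotating the key breaks linkage between old and new pseudonyms, so retention rules should account for that.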
Secure and govern
- Enforce SSO, MFA, and least‑privilege roles; routinely review access for appropriateness.
- Enable PHI Security Controls such as encryption defaults, export restrictions, and logging.
- Establish retention rules and automate deletion schedules for surveys and responses containing PHI.
Operate and educate
- Provide recurring Compliance Training so staff understand HIPAA duties, safe handling, and incident reporting.
- Control exports; require approved storage locations and prohibit emailing PHI attachments.
- Run periodic audits of surveys, collectors, and admin settings; remediate gaps quickly.
Contacting SurveyMonkey for HIPAA Plans
To enable HIPAA features, contact Sales and request an Enterprise proposal that includes a Business Associate Agreement. Be ready to share your PHI use cases, number of seats, identity requirements, and any integration needs.
What to ask during your outreach
- BAA scope, subprocessors, breach notification timelines, and data return/destruction processes.
- Security capabilities: Data Encryption details, logging, SSO/SCIM, and export controls.
- Administrative options for enforcing policies at team level and restricting risky features.
- Implementation timeline, onboarding support, and training resources for admins and creators.
Bottom line: SurveyMonkey can fit into a HIPAA‑compliant workflow when you use Enterprise with HIPAA features, execute a BAA, configure strong security, and operate with disciplined governance. Your controls—especially around PHI minimization, access, retention, and training—are essential to achieving compliance.
FAQs
What is required to make SurveyMonkey HIPAA compliant?
You need SurveyMonkey Enterprise with HIPAA features enabled, a signed Business Associate Agreement, and properly configured security and governance. Enable SSO/MFA, apply least‑privilege access, use collectors configured to minimize identifiers, enforce Data Encryption, set retention rules, and train your workforce on PHI handling. Compliance comes from this combination of platform controls and your operational safeguards.
Can SurveyMonkey accounts be converted back from HIPAA compliance?
It depends on your contract and risk posture. If you plan to end HIPAA coverage, treat it as HIPAA Account Termination: export any required records, verify PHI deletion or return per the BAA, and confirm that users no longer create or store PHI in the environment. Coordinate the change with legal, security, and operations to avoid gaps.
What security measures does SurveyMonkey implement for PHI?
HIPAA‑enabled Enterprise environments support encryption in transit and at rest, role‑based access, identity integrations (such as SSO), activity logging, and administrative controls to enforce PHI Security Controls. You should also configure collectors and exports to minimize identifiers and keep PHI in approved, encrypted storage locations.
Who is eligible for SurveyMonkey HIPAA-compliant accounts?
Organizations that qualify as HIPAA covered entities or business associates—and that require handling of Protected Health Information—are candidates for Enterprise with HIPAA features. Eligibility typically includes signing a Business Associate Agreement, defining approved use cases, and assigning admins to manage configuration, retention, and Compliance Training.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.