HIPAA & BAA · Surveys / forms
Is SurveyMonkey HIPAA compliant?
Conditionally. SurveyMonkey signs a BAA and offers HIPAA features, but only on Enterprise plans, not on self-service plans.
Key facts
- BAA available: Conditionally, on specific plans
- What it takes: Enterprise plan only (HIPAA features enabled by SurveyMonkey)
- Official source: SurveyMonkey Help: HIPAA Compliance and SurveyMonkey, https://help.surveymonkey.com/en/surveymonkey/policy/hipaa/ (verified 2026-06)
How to use SurveyMonkey in a HIPAA-compliant way
- Obtain a SurveyMonkey Enterprise plan.
- Contact SurveyMonkey to request HIPAA features be enabled on your account/team.
- Request and sign SurveyMonkey's standard BAA (custom BAA available for a fee).
- Confirm HIPAA features are active (security reminders, 30-min auto-logoff, access logging).
- Train users, noting the HIPAA-enabled state cannot be reverted.
Important caveats
- HIPAA/BAA is not available on any self-service (non-Enterprise) plan.
- Once HIPAA features are enabled, the account cannot revert to non-HIPAA.
- A custom BAA may incur an additional fee.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA, you remain responsible for configuring SurveyMonkey correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with SurveyMonkey.
Frequently asked questions
Does SurveyMonkey sign a BAA?
On specific plans. Enterprise plan only (HIPAA features enabled by SurveyMonkey). A signed BAA is required before any PHI is involved.
Is SurveyMonkey HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when SurveyMonkey offers a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using SurveyMonkey with PHI?
HIPAA/BAA is not available on any self-service (non-Enterprise) plan.