Cloud Service Questionnaire
Completed by: ____________________
Phone: ____________________
Email: ____________________
You are providing this service to us as a ☐ direct provider or as a ☐ reseller of the cloud service
provider.
GENERAL SECURITY
☐ The service we are requesting involves electronic protected health information (ePHI) as well as
other personally identifiable information protected by various regulations.
☐ We will require that you sign our Business Associate Agreement (BAA) as required by HIPAA.
☐ We will require verification of your established security program policies and procedures and we will
require that the policies and procedures meet the specific requirements of the HIPAA regulations. We
will also need a copy of your Disaster Recovery Plan to ensure alignment with ours.
☐ You must have full-time staff on-site at the host facility. All administrators and users must be
individually identified. All staff must be fully vetted by background screening and fully trained in HIPAA
prior to involvement with our account. We must be notified when any staff member working on our
account is terminated.
☐ We require that our data reside on a private cloud segmented from any other customer that you may
have, and we require that our service environment use separate hosts, separate infrastructure or
other appropriate security controls to maintain segmentation. Please submit a full network diagram of
the Service Environment that clearly illustrates the relationship between our environment and any other
relevant networks. Please include a full data flowchart that details where our data resides.
☐ Please submit a diagram of the backup processes if you are conducting these on our behalf. Please
include details of the servers, location, encryption and media used. Log files of the backups will need to
be available to us upon request. Testing of the backups will be required on occasion.
☐ All vendor managed accounts will include strong password/passphrase and account controls,
including password/passphrase complexity requirements, change intervals and account
enabling/disabling processes in line with our password policy which we will make available to you.
☐ All data in transit and at rest must be encrypted using 256-bit AES or better. The keys will be provided
to us in a secure manner upon inception of the service.
☐ At the end of our contract, all data will be returned to us in a manner we agree upon. All media
containing our data must be destroyed prior to disposal. We will require a written destruction
certification if this service is provided by you.
March 2017
☐ You must have security incident response and breach notification policies and processes in place. In
the event of a security breach, we will require notification within 24 hours. This may change according
to specific state breach notification requirements.
PHYSICAL SECURITY
What type of certification has the data center obtained?
☐ SSAE16 ☐ SOC2 ☐ Other: _______________ ☐ None Date attained: _______________
Location of the primary site: ____________________ Secondary site: __________________________
☐ You must have policies and procedures in place to limit and log physical access to the data center.
We may require a copy for our records.
NETWORK SECURITY
☐ You must have current firewall technology in place to control access. We will require access to the
logs on occasion for auditing purposes.
☐ You must have IPS or IDS (Intrusion Prevention or Detection Systems) in place. We will
require access to the logs on occasion for auditing purposes.
☐ The hosts and devices our data resides on must be hardened against attack and must be reviewed
for potential security enhancements on a regularly scheduled basis. We will require access to the logs
on occasion for auditing purposes.
☐ You must have a published security vulnerability and patch management program in place. We will
require access to the logs on occasion for auditing purposes.
☐ We reserve the right to perform external vulnerability scans without prior notice to ensure
compliance with these standards. The results of your most current security audits will also be requested.
☐ You must have current anti-malware software in use. We will require access to the logs on occasion
for auditing purposes.
☐ All vendor access must be authenticated using a published process that we agree to. Every access
must be individually identifiable. Log files of all access will be available to us upon request.
☐ Internal and external vulnerability assessments will be performed for the explicit purposes of finding
and remediating security vulnerabilities. We will require access to the logs on occasion for auditing
purposes.