CONFIDENTIAL — HIPAA PROTECTED  |  Principle Health Systems TPRM Program  |  For Authorized Vendor Use Only
Principle Health Systems
Vendor Security Questionnaire
Version 1.0 · 2026 · HIPAA · NIST CSF 2.0 · 22 Sections · 89 Questions

Completion Instructions

Complete all fields in the Vendor Information section below.

For each question, select Yes, No, or N/A.

Use the Evidence / Comments field to support your response — especially where explanation or documentation is requested.

Attach supporting documentation where referenced (BAA, SOC 2, pen test report, BCP attestation, etc.).

Questions marked PHI relate specifically to Protected Health Information under HIPAA. All vendors handling PHS PHI must have an executed Business Associate Agreement (BAA) on file prior to engagement.

An authorized representative must complete and submit the Attestation at the end. Return to your designated PHS Information Security contact securely.

Vendor Information


1. Data Governance & Privacy (PHI)

Q1–5
#  |  Question  |  Response  |  Evidence / Comments

2. Data Location & Storage (PHI)

Q6–9
#  |  Question  |  Response  |  Evidence / Comments

3. People & Access Controls

Q10–14
#  |  Question  |  Response  |  Evidence / Comments

4. Devices & Endpoint Security

Q15–19
#  |  Question  |  Response  |  Evidence / Comments

5. Network Security

Q20–25
#  |  Question  |  Response  |  Evidence / Comments

6. DNS & DDoS Protections

Q26–27
#  |  Question  |  Response  |  Evidence / Comments

7. Vulnerability Management

Q28–32
#  |  Question  |  Response  |  Evidence / Comments

8. Application Security

Q33–36
#  |  Question  |  Response  |  Evidence / Comments

9. Monitoring & SOC

Q37–40
#  |  Question  |  Response  |  Evidence / Comments

10. Your Vendor Risk (TPRM)

Q41–44
#  |  Question  |  Response  |  Evidence / Comments

11. Incident Response (PHI)

Q45–49
#  |  Question  |  Response  |  Evidence / Comments

12. Business Continuity & DR

Q50–54
#  |  Question  |  Response  |  Evidence / Comments

13. Assessments & Audits

Q55–58
#  |  Question  |  Response  |  Evidence / Comments

14. Compliance & Certifications (PHI)

Q59–61
#  |  Question  |  Response  |  Evidence / Comments

15. Governance & Program Maturity

Q62–65
#  |  Question  |  Response  |  Evidence / Comments

16. Authentication & Privileged Access

Q66–68
#  |  Question  |  Response  |  Evidence / Comments

17. Access Control

Q69–71
#  |  Question  |  Response  |  Evidence / Comments

18. Security Awareness & Training (PHI)

Q72–74
#  |  Question  |  Response  |  Evidence / Comments

19. Prior Security Incidents (PHI)

Q75–77
#  |  Question  |  Response  |  Evidence / Comments

20. Insurance

Q78–79
#  |  Question  |  Response  |  Evidence / Comments

21. Artificial Intelligence (AI) Governance (PHI)

Q80–86
#  |  Question  |  Response  |  Evidence / Comments

22. Material Change Notification (PHI)

Q87–89
#  |  Question  |  Response  |  Evidence / Comments

Vendor Attestation & Signature

By signing below, the authorized representative of the vendor organization attests that the information provided in this questionnaire is accurate and complete to the best of their knowledge, that the vendor organization will promptly notify Principle Health Systems of any material changes to the information provided, and that the vendor understands its obligations under any executed Business Associate Agreement (BAA) with Principle Health Systems.
  • The information provided in this questionnaire is true, accurate, and complete to the best of my knowledge.
  • I am authorized to provide this information on behalf of my organization.
  • My organization will notify Principle Health Systems within 24 hours of any confirmed or suspected incident affecting PHS patient data, PHI, or PHS systems.
  • My organization acknowledges its obligations under any executed HIPAA Business Associate Agreement (BAA) with Principle Health Systems.
  • My organization will notify Principle Health Systems of material changes to this questionnaire's responses within 30 days of such change.
Principle Health Systems — Third-Party Risk Management Program
Return completed form securely to your designated PHS Information Security contact. Version 1.0 · 2026. Questions: infosecurity@principlehealth.com

Copyright © 2026 Reactforce, LLC - All Rights Reserved