Various industries, including healthcare, use SurveyMonkey, a popular tool for data collection. However, using online surveys and forms tools like SurveyMonkey exposes highly sensitive health information to data privacy risks. Thus, it’s crucial to determine its compliance status before utilizing it for healthcare data collection.
Is SurveyMonkey HIPAA-compliant? It’s time to determine whether this online survey software can protect patient confidentiality.
Why Data Collection Tools Need to Be HIPAA-Compliant
Data collection in healthcare serves different purposes, including patient registration, satisfaction surveys, research studies, and clinical assessments. The data collected from patients helps advance healthcare practices. It also allows healthcare professionals to make data-driven medical decisions.
However, the increasing reliance on digital tools like SurveyMonkey for data collection has led to an equally pressing need for strict compliance with regulations like HIPAA.
The Health Insurance Portability and Accountability Act of 1996, or HIPAA, is a US law regulating protected health information (PHI). Covered entities and their business associates should adhere to HIPAA guidelines, risking legal consequences if they don’t. These legal repercussions include massive fines, criminal penalties, lawsuits, and corrective action plans.
Is SurveyMonkey HIPAA-Compliant?
Yes, SurveyMonkey provides features that enable HIPAA compliance. SurveyMonkey asserts its role as a business associate to covered entities, with its Enterprise plan aligning with HIPAA regulations. Moreover, it offers a Business Associate Agreement (BAA), further signifying its commitment to keeping PHI secure and private.
However, achieving HIPAA compliance also depends on how you use SurveyMonkey. Above all, you must add the HIPAA Enterprise add-on to your Enterprise account; only this type of SurveyMonkey account can be made HIPAA-enabled. Those with existing Enterprise accounts may contact the survey tool’s Customer Success Manager (CSM) for the add-on. Non-Enterprise users must contact SurveyMonkey’s sales team first.
Remember, the forms and survey tool emphasizes that its compliance features apply only if you are a covered entity under HIPAA, primarily when you use the platform to collect or store PHI. Under HIPAA, covered entities include doctors, nurses, health plans, and healthcare clearinghouses. Therefore, if your organization falls into one of these categories and uses SurveyMonkey for healthcare data collection, you should learn how to use the platform in a way that does not violate HIPAA. The same rule applies to businesses that handle or process PHI on behalf of a covered entity, including accounting firms and medical billing companies.
Important Reminders for SurveyMonkey Enterprise Users
If you want to subscribe to the HIPAA-compliant Enterprise plan, make sure that you understand the following conditions about SurveyMonkey and HIPAA compliance:
- Account limitations: Once a SurveyMonkey account is HIPAA-enabled, it cannot be reverted to a non-HIPAA-enabled status. Consider this aspect of permanence if you need flexibility in your account status.
- Downgrading plans: Downgrading a HIPAA-enabled account to a lower plan type is not possible. If users wish to remove HIPAA-compliant features or switch to a lower plan, they must open a new account.
- Account suspensions and terminations: Failure to renew a HIPAA-enabled account will result in suspension, retaining data for a limited time. After this period, the account will be closed. Terminating the BAA also leads to account closure.
Ensuring HIPAA Compliance Using SurveyMonkey
Here are some vital steps to guarantee HIPAA compliance when using tools like SurveyMonkey:
Enable HIPAA features
Activate HIPAA-compliant features on your SurveyMonkey account using the Enterprise add-on. Collect PHI only through a HIPAA-enabled account, and refrain from using the online survey platform to handle PHI if you don’t have the Enterprise add-on.
Sign a BAA
If you’re using a HIPAA-compliant account, you must sign a BAA with SurveyMonkey. This legal document holds you and the online survey forms provider accountable in case of a HIPAA breach.
Conduct regular user training
Train users in handling PHI within the SurveyMonkey platform. Emphasize its specific features that maintain HIPAA compliance. Regular training about proper PHI handling enables employees and other organization personnel to become more aware of their role in safeguarding PHI and the consequences they could face for failing to do so.
Handle data carefully
Follow the HIPAA security tips provided by SurveyMonkey. The provider gives valuable information on the secure handling of exported survey results, careful sharing of surveys, responsible transfer of surveys between accounts, and cautious collection and sharing of PHI.
Continuously monitor user activities
Ensure that all user actions align with HIPAA guidelines. Your IT administrator can monitor user activities by regularly checking SurveyMonkey’s Team Activity log.
Drive Your Business Forward With HIPAA-Compliant Data Collection Solutions
SurveyMonkey can be a convenient and secure way to collect data, provided that users follow the provider’s guidelines for HIPAA compliance. Still, you should also carefully consider its reminders for Enterprise plan users. Remember that enabling SurveyMonkey HIPAA compliance, terminating a BAA, and downgrading your plan have permanent consequences.
While SurveyMonkey Enterprise has limitations, choosing it for secure healthcare data collection also has significant benefits. Besides streamlining the process of collecting data, it can aid in gaining patient trust, using its compliance with HIPAA as a way to provide reassurance.