A year ago, could you have imagined living in a world where people would have to have their temperature taken to work at a retail store? Or where marketing event planners would need to be trained on HIPAA compliance? But that’s part of our new reality. Over the past year, companies from many industries have found themselves having to ask questions they’d never considered before.
Now, employers have to think about reopening their workspaces safely, and businesses need to reevaluate their customers’ needs. To do that, they need data—possibly including information about people’s private health (e.g. “Have you been diagnosed with the coronavirus?” or “Have you been vaccinated?”). Companies contending with the new health concerns and social operations may find themselves straying into the realm of individually identifiable health information (protected health information or PHI), which may trigger HIPAA obligations for them.
Collecting the information you need in order to ensure a safe workplace or service is the ethical, responsible thing to do. You just need to be thoughtful about what you ask, who you ask, and why. If you need to adapt quickly to new situations, you also need policies that will let you do so compliantly. This article will address a few key considerations for building a privacy and security-minded survey program for the days ahead.
Federal laws exist to ensure the protection and confidential handling of individually identifiable health information (protected health information or PHI)—which can include things like whether someone has been tested for the coronavirus or is experiencing symptoms.
Organizations can violate the security of PHI in a number of ways, including by sharing it in non-compliant ways, failing to keep it safe, or failing to notify the people whose data they hold that they hold it. Covered entities are also required to report breaches of unsecured PHI to the regulator.
PHI can include a wide range of information related to someone’s health—their symptoms, medical history, even the fact that they usually pay for their doctors’ visits with a credit card. To get a more comprehensive idea of what’s covered, you can check out case examples here.
In the wake of the pandemic, the U.S. Equal Employment Commission relaxed its rules about what employers are allowed to ask about so that asking about coronavirus symptoms and vaccination is legally okay—but businesses are still responsible for protecting that sensitive data.
What you can do to protect your respondents’ privacy and put their minds at ease
- Keep responses anonymous. Keeping responses anonymous where possible is a key part of HIPAA compliance. Here’s how you can do it through SurveyMonkey. Of course, anonymity isn’t always an option, but when it is, it makes a big difference. If you’re looking for general information like the percentage of employees who have been vaccinated rather than tracking individuals, this could be a good solution. Don’t forget that email addresses count as personally identifiable information, whether you ask for them or simply have access to the address associated with the response.
- Strip out all personally identifiable information when presenting or sharing results, and show numbers in aggregate. One way to preserve privacy is to remove the individuality of your respondents. By aggregating data and looking at it as a whole, you can still demonstrate critical information related to your workplace without tying that information to any one person.
For example, if you want to make the point that too many of your employees are sick to risk reopening the office, you should export a pie chart with total percentages (e.g. 6% feel sick) rather than sharing an Excel sheet or something else with individual readouts. Any analysis that can be performed in aggregate instead of by reading through each response will be more privacy-oriented.
- Be transparent. Use the introduction to your survey to explain what you’re planning to do with this data and why it’s important. It will help address respondents’ concerns and likely boost your response rates.
How different organizations are managing coronavirus-related research during the crisis
Organizations of all backgrounds are using surveys to make strategic decisions amid the pandemic. Here are a few examples of ones that relate to sensitive information.
A major North American retailer makes plans to reopen
A major department store chain based in the Midwest is using SurveyMonkey Enterprise as they plan to reopen retail stores closed due to the pandemic. The company is sending out surveys asking employees to track symptoms, and is implementing health and safety checks at each store in order to better protect both employees and shoppers.
UN organization and partners in South Africa offer self-assessment survey
The ability to collect data, especially in countries where access to testing is limited, is critical for understanding the impact of the virus. In South Africa, there aren’t enough testing facilities to support the entire population. At the same time, local governments and organizations need to know where hotspots of the virus are springing up and where resources are needed.
In an effort to help governments, health care systems, and citizens get a clear picture of their respective situations and make informed decisions, Slalom, the GSF, UNITAR, and the University of Cape Town (with the support of the Rali & Makentse Mampeule Foundation) developed a symptom assessment survey on SurveyMonkey Enterprise. The assessment is launching in South Africa as a pilot project, with the expectation that it may be expanded to other countries that have a need.
This data is sensitive—but also incredibly important. The collaborative research could help save numerous lives.
The Rhode Island Department of Health examines how the virus spreads
The Rhode Island Department of Health is also interested in identifying hotspots—and more. The state is doing research that will inform its own plans and policies, and possibly even contribute to virus research overall.
They’ve created a program where respondents who have tested positive for coronavirus can opt in to receive daily surveys in order for the Rhode Island Department of Health to learn more about how those symptoms are progressing. The goal is to track trends and also direct people to the resources they need based on their responses. It’s an entirely optional program, and the data is examined in aggregate.
The research from the department of health will help offer more holistic support for people who are currently coping with the virus and may provide the state with critical insights to use toward developing treatments.
How SurveyMonkey Enterprise features can help you stay compliant
SurveyMonkey Enterprise has security features that can help you stay compliant while quickly measuring and addressing time-sensitive safety concerns. Here are a few of them.
- Account activity logs show the history of anyone who has accessed the account—including anyone who would have access to PHI.
- PHI Share alerts let you know instantly when someone shares PHI, so you can take the necessary action.
- Data encryption in transit (SSL/TLS) reduces the risk that information falls into the wrong hands while it is traveling between devices, including when people take the survey on their mobile devices.
- Automatic user logout ensures that you don’t accidentally put information at risk by leaving a window open.
- Anonymous responses help you stay compliant, as we talked about above.
- In-product messages automatically remind users about their HIPAA obligations whenever they perform certain sensitive operations on PHI.
- Our support team is fully trained on HIPAA compliance.
Asking the questions that you need to ask to keep your community safe, offer better support, or provide for your employees is a wonderful effort. When you establish strong, vetted processes for dealing with PHI, you can use survey data to make incredible positive changes in the world—changes we really need.
This article does not constitute, nor should it be construed as, legal advice intended to be relied upon by any SurveyMonkey customers or representative of our interpretation of HIPAA, but instead is intended to provide examples of privacy and security considerations in survey program design to our customers in practical terms. We recommend that you obtain independent legal advice with respect to your organization's specific legal and regulatory obligations.