HIPAA Compliance at SurveyMonkey

SurveyMonkey as a Business Associate

Our standard business associate agreement (BAA) contains all of the provisions required by HIPAA (including the HITECH Act and related rules made by the DHHS), making it easy for covered entities to bring SurveyMonkey on board as a business associate and to HIPAA-enable their SurveyMonkey account. For a fee, you can also negotiate a custom BAA with us that fits your internal compliance requirements.

View our standard BAA →

Customers with PLATINUM accounts can preview and sign a BAA in My Account. Customers on ENTERPRISE plans, your Group Admin can preview and sign a BAA from their My Group page. For more detailed instructions, click here.

HIPAA Security

With the assistance of security consultants and health information privacy experts, we are ensuring that our security measures are up to speed with HIPAA’s specialized and stringent requirements. As a result SurveyMonkey will maintain appropriate administrative, physical, and technical safeguards to provide for the continuing security of your PHI.

Specific Use Cases and Product Features

Different types of covered entities use surveys for different purposes. Examples include:

– Collecting patient feedback data
– Collecting patient registration information
– Conducting CAHPS surveys
– Performing medical research with questions from SurveyMonkey Question Bank
– Gathering data on mobile devices, such as smartphones and tablets
– Accreditation and compliance
– Measuring patient and hospital safety culture

In addition to ensuring we fulfill our duties as a business associate, we designed additional safeguards for our HIPAA-enabled accounts to help covered entities comply with their own HIPAA obligations. For example, end users will receive alert messages if they attempt to share PHI with third parties. We log account activity. And HIPAA-enabled accounts automatically sign out when they’re idle.

September 23, 2013 HIPAA Changes

Note that the Omnibus Rule issued by the Department of Health and Human Services (DHHS) are effective as of September 23, 2013. These new requirements include heightened financial penalties for organizations which are out of compliance. Our HIPAA compliance initiative was designed to help covered entities comply with these recent legal changes.

SurveyMonkey Enterprise & HIPAA

SurveyMonkey Enterprise gives anyone in your organization the ability to create surveys, while allowing your organization to own its data, manage users, and simplify billing for multiple accounts. HIPAA-compliant features are available to Enterprise customers to give them an additional way to safeguard the security of protected health information they collect through online surveys.

Questions?

Visit our HIPAA FAQ, or feel free to contact us with any questions you have about our product features or how we can help you comply with HIPAA’s requirements.

To learn more about HIPAA and the 2013 changes, visit the Department of Health and Human Services’ website: http://www.hhs.gov/ocr/hipaa/.