HIPAA Compliance at SurveyMonkey
If you want to conduct online surveys but also need to comply with HIPAA, we’re here to help. Now, anyone with a PLATINUM or ENTERPRISE plan can HIPAA-enable their account at no additional cost.
It’s easy to get set up:
- Upgrade to a PLATINUM or ENTERPRISE plan.
- Enter into our Business Associate Agreement. It’s available in My Account.
- We’ll turn on additional privacy safeguards and act as your business associate.
In addition to offering powerful survey tools, we help covered entities meet their HIPAA obligations with:
- The ability to easily enter into a Business Associate Agreement with SurveyMonkey
- Administrative, physical and technical safeguards consistent with HIPAA requirements
- Alert messages to remind end users of their HIPAA obligations and warn them when they perform sensitive operations on protected health information (PHI)
- Logs of account activity
- 30-minute session timeouts for added security
SurveyMonkey as a Business Associate
Our standard business associate agreement (BAA) contains all of the provisions required by HIPAA (including the HITECH Act and related rules made by the DHHS), making it easy for covered entities to bring SurveyMonkey on board as a business associate and to HIPAA-enable their SurveyMonkey account. For a fee, you can also negotiate a custom BAA with us that fits your internal compliance requirements.
Customers on PLATINUM plans can preview and sign a BAA in My Account. For ENTERPRISE plans, the Group Admin can preview and sign a BAA from the My Group page.
With the assistance of security consultants and health information privacy experts, we keep our security measures aligned with HIPAA's specialized and stringent requirements. As a result, SurveyMonkey maintains appropriate administrative, physical, and technical safeguards to provide for the continuing security of your PHI.
Specific Use Cases and Product Features
Different types of covered entities use surveys for different purposes. Examples include:
- Collecting patient feedback data
- Collecting patient registration information
- Conducting CAHPS surveys
- Performing medical research with questions from SurveyMonkey Question Bank
- Gathering data on mobile devices, such as smartphones and tablets
- Accreditation and compliance
- Measuring patient and hospital safety culture
In addition to fulfilling our duties as a business associate, we designed additional safeguards for HIPAA-enabled accounts to help covered entities comply with their own HIPAA obligations. For example, end users receive an alert message if they attempt to share PHI with third parties, account activity is logged, and HIPAA-enabled accounts automatically sign out after 30 minutes of inactivity.
September 23, 2013 HIPAA Changes
Note that the HIPAA Omnibus Rule issued by the Department of Health and Human Services (DHHS) has a compliance date of September 23, 2013. The new requirements include heightened financial penalties for organizations that are out of compliance. Our HIPAA compliance initiative was designed to help covered entities comply with these legal changes.
SurveyMonkey Enterprise & HIPAA
SurveyMonkey Enterprise gives anyone in your organization the ability to create surveys, while allowing your organization to own its data, manage users, and simplify billing for multiple accounts. HIPAA-compliant features are available to Enterprise customers to give them an additional way to safeguard the security of protected health information they collect through online surveys.
To learn more about HIPAA and the 2013 changes, visit the Department of Health and Human Services’ website: http://www.hhs.gov/ocr/hipaa/.