HIPAA Survey Compliance: Healthcare Survey Privacy Guide

Learn how HIPAA applies to healthcare surveys, what de-identification standards to follow, and how to design compliant survey research involving protected health information in the US.

What Is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law enacted in 1996 that establishes national standards for the protection of protected health information (PHI). The HIPAA Privacy Rule governs the use and disclosure of PHI by covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates. For survey research, HIPAA matters when your study involves health data collected from or on behalf of a covered entity, or when your research platform processes PHI as a business associate.

Who Needs to Comply?

  • Covered entities: healthcare providers who transmit health information electronically, health plans, and healthcare clearinghouses
  • Business associates: organizations that perform functions involving PHI on behalf of covered entities, including survey platforms, data analytics firms, and research agencies under contract
  • Research teams receiving PHI from covered entities for approved research purposes
  • Survey platforms that store, process, or transmit PHI, even if headquartered outside the US, if they serve US covered entities
  • Canadian research firms contracted by US healthcare organizations to conduct patient experience surveys or clinical research

Gray areas: HIPAA does not apply to all health-related surveys. A market research firm surveying consumers about their health habits, without any connection to a covered entity, is not subject to HIPAA. The regulation follows the data's relationship to a covered entity, not the topic of the research. However, once a covered entity is involved (providing patient lists, commissioning the study, or receiving identifiable results), HIPAA's requirements apply to the entire data chain.

Key Requirements for Research Teams

Protected Health Information Defined

PHI under HIPAA includes any individually identifiable health information held or transmitted by a covered entity or business associate. This encompasses demographic data, medical histories, test results, insurance information, and any other information that relates to an individual's past, present, or future health condition, healthcare provision, or healthcare payment, when combined with identifiers that link to a specific individual. Survey responses become PHI when they connect health information to identifiable participants through a covered entity relationship.

The Research Exception

HIPAA's Privacy Rule allows covered entities to use or disclose PHI for research without individual authorization under specific conditions. An IRB or Privacy Board must approve a waiver of authorization, finding that: the use involves no more than minimal risk to privacy, the research could not practicably be conducted without the waiver, and the research could not practicably be conducted without access to the PHI. Alternatively, covered entities can disclose a limited dataset (PHI stripped of direct identifiers but retaining dates and geographic information) for research under a data use agreement.

De-identification Standards

HIPAA defines two methods for de-identifying PHI. The Safe Harbor method requires removal of 18 specific identifiers: names, geographic data smaller than a state, dates (except year) related to an individual, phone numbers, fax numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers, device identifiers, web URLs, IP addresses, biometric identifiers, full-face photographs, and any other unique identifying number. The Expert Determination method allows a qualified statistical expert to certify that the risk of re-identification is very small. De-identified data is not PHI and falls outside HIPAA's scope entirely.
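As an added illustration (not Quali-Fi's code nor part of this guide), the Python routine below applies the Safe Harbor rules described above to one survey record: identifier columns are dropped, dates are reduced to the year, and identifier patterns are scrubbed from free-text answers; it also folds ages over 89 into a single "90+" category, which Safe Harbor requires but the list above does not spell out. The column names and the sample record are constructed assumptions, not a real export format.

```python
import re

# Column names are assumptions for a hypothetical survey export; each maps to one
# of the 18 Safe Harbor categories. Geography smaller than a state is dropped.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "zip", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "photo_ref",
}
DATE_FIELDS = {"dob", "admission_date", "survey_date"}  # ISO dates; keep year only

# Identifiers that commonly leak into open-ended answers even after the
# structured identifier columns are removed.
FREE_TEXT_PATTERNS = [
    (re.compile(r"https?://\S+"), "[URL]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"(?<!\w)(?:\+?1[ .-])?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"), "[PHONE]"),
]

def scrub_text(text: str) -> str:
    """Replace identifier patterns found in free text with placeholder tokens."""
    for pattern, token in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text

def safe_harbor(record: dict) -> dict:
    """Return a copy of one survey record with the Safe Harbor identifiers removed."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                      # identifier column: drop entirely
        if key in DATE_FIELDS and isinstance(value, str):
            out[key] = value[:4]          # "1962-07-14" -> "1962"
        elif key == "age" and isinstance(value, int) and value > 89:
            out[key] = "90+"              # ages over 89 are aggregated
        elif isinstance(value, str):
            out[key] = scrub_text(value)  # free-text answers
        else:
            out[key] = value
    return out

# Constructed sample record (not real patient data).
SAMPLE_RESPONSE = {
    "name": "Jane Doe", "email": "jane@example.com", "mrn": "MRN-00042",
    "zip": "43215", "state": "OH", "dob": "1962-07-14", "age": 91,
    "survey_date": "2024-03-02", "diagnosis": "type 2 diabetes",
    "comment": "Call me at (614) 555-0142 or jane@example.com about my results.",
}
```

Calling `safe_harbor(SAMPLE_RESPONSE)` leaves only state, year-level dates, the aggregated age, the diagnosis, and a scrubbed comment; the three-digit ZIP prefix exception and expert-determination releases are outside what this routine models.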

Business Associate Agreements

Any organization that processes PHI on behalf of a covered entity must sign a Business Associate Agreement (BAA). For survey platforms, this means that if a hospital uses your platform to survey patients and the survey data includes PHI, a BAA is required. The BAA specifies permissible uses of PHI, required safeguards, breach notification obligations, and the business associate's responsibilities for data protection. Without a BAA, the covered entity cannot share PHI with the platform, and the platform cannot legally process it.

Security Rule Requirements

HIPAA's Security Rule requires administrative, physical, and technical safeguards for electronic PHI. Administrative safeguards include risk assessments, workforce training, and security policies. Physical safeguards include facility access controls and workstation security. Technical safeguards include access controls, audit controls, integrity controls, and transmission security. For survey platforms, this translates to encryption, access logging, role-based permissions, and documented security procedures.

Compliance Checklist

  • Determined whether your survey involves PHI connected to a HIPAA covered entity
  • Executed a Business Associate Agreement if your platform or agency processes PHI
  • Obtained individual authorization or an IRB/Privacy Board waiver of authorization for research use
  • Applied Safe Harbor de-identification (18 identifiers removed) or obtained Expert Determination for data intended for use without authorization
  • Electronic PHI is encrypted in transit and at rest
  • Access to PHI is restricted through role-based access controls with unique user IDs
  • Audit logs track all access to PHI including who accessed it, when, and what was viewed
  • Workforce members with PHI access have completed HIPAA training
  • A risk assessment has been conducted and documented within the past 12 months
  • A breach notification procedure is documented (60-day notification to individuals, HHS, and media if 500+ affected)
  • Data retention and destruction policies are specified for each research project
  • Minimum necessary standard is applied: only the PHI needed for the research purpose is accessed

How This Compares to PHIPA

Requirement                            | HIPAA (US)                                                  | PHIPA (Ontario)
---------------------------------------|-------------------------------------------------------------|------------------------------------------
Scope                                  | Covered entities + business associates                      | Health information custodians + agents
De-identification                      | Safe Harbor (18 identifiers) or Expert Determination        | Removal of identifiers + risk assessment
Research authorization waiver          | IRB or Privacy Board approval                               | REB approval + custodian satisfaction
Business associate / agent agreement   | BAA required                                                | Agent agreement with custodian
Breach notification                    | 60 days to individuals; HHS annually or immediately (500+)  | To custodian; custodian notifies IPC
Penalties                              | Up to $1.5M per violation category per year                 | Up to $200K individual / $1M organization
Minimum necessary                      | Yes, explicit requirement                                   | Yes, collect only what is needed
Right to accounting of disclosures     | Yes, 6-year accounting                                      | Limited

How Quali-Fi Helps You Comply

Quali-Fi supports HIPAA-ready research workflows for teams conducting healthcare surveys involving US covered entities. The platform's encryption standards, AES-256 at rest and TLS 1.3 in transit, meet HIPAA's technical safeguard requirements for electronic PHI. Role-based access controls ensure that only authorized team members can access survey data containing PHI, and comprehensive audit logs document every data access event for the accounting of disclosures that HIPAA requires.

For de-identification workflows, Quali-Fi's anonymization tools support Safe Harbor de-identification by enabling systematic removal of the 18 specified identifier types from survey datasets. Export configurations can be set to automatically exclude identifier fields, preventing accidental disclosure of PHI in data extracts. The platform's consent management features support both individual authorization workflows (where participants consent directly) and IRB-approved waiver workflows (where consent screens reflect the approved waiver conditions).

Quali-Fi's SOC 2 Type II certification independently validates the administrative, physical, and technical safeguards that HIPAA requires. For Canadian research firms serving US healthcare clients, the platform provides a single environment that meets both HIPAA and PHIPA requirements, eliminating the need to maintain separate platforms for US and Canadian healthcare research. Data residency options allow you to direct US healthcare data to appropriate hosting environments while keeping Canadian health data in Canada.

FAQs

Does HIPAA apply to all health surveys?

No. HIPAA applies only when PHI is involved in a relationship with a covered entity. A market research survey asking consumers about health topics, without involvement from a healthcare provider, health plan, or clearinghouse, is not subject to HIPAA. The key question is whether the data connects to a covered entity, not whether the survey topic is health-related.

Can a Canadian firm be a HIPAA business associate?

Yes. HIPAA's business associate requirements apply based on the function performed, not the organization's location. If a Canadian research firm or survey platform processes PHI on behalf of a US covered entity, it must sign a BAA and comply with HIPAA's requirements. This is increasingly common as US healthcare systems engage Canadian research firms for patient experience and outcomes research.

HIPAA uses "authorization" rather than "consent" for research use of PHI. An authorization is a detailed document that specifies the PHI to be used, who will use it, the purpose, an expiration date, and the individual's right to revoke. It is more prescriptive than general research consent. An IRB waiver of authorization allows research without individual authorization but does not waive the requirement for general informed consent to participate in the research.
