What Is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law enacted in 1996 that establishes national standards for the protection of protected health information (PHI). The HIPAA Privacy Rule governs the use and disclosure of PHI by covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates. For survey research, HIPAA matters when your study involves health data collected from or on behalf of a covered entity, or when your research platform processes PHI as a business associate.
Who Needs to Comply?
- Covered entities: healthcare providers who transmit health information electronically, health plans, and healthcare clearinghouses
- Business associates: organizations that perform functions involving PHI on behalf of covered entities, including survey platforms, data analytics firms, and research agencies under contract
- Research teams receiving PHI from covered entities for approved research purposes
- Survey platforms that store, process, or transmit PHI, even if headquartered outside the US, if they serve US covered entities
- Canadian research firms contracted by US healthcare organizations to conduct patient experience surveys or clinical research
Gray areas: HIPAA does not apply to all health-related surveys. A market research firm surveying consumers about their health habits, without any connection to a covered entity, is not subject to HIPAA. The regulation follows the data's relationship to a covered entity, not the topic of the research. However, once a covered entity is involved (providing patient lists, commissioning the study, or receiving identifiable results), HIPAA's requirements apply to the entire data chain.
Key Requirements for Research Teams
Protected Health Information Defined
PHI under HIPAA includes any individually identifiable health information held or transmitted by a covered entity or business associate. This encompasses demographic data, medical histories, test results, insurance information, and any other information that relates to an individual's past, present, or future health condition, healthcare provision, or healthcare payment, when combined with identifiers that link to a specific individual. Survey responses become PHI when they connect health information to identifiable participants through a covered entity relationship.
The Research Exception
HIPAA's Privacy Rule allows covered entities to use or disclose PHI for research without individual authorization under specific conditions. An IRB or Privacy Board must approve a waiver of authorization, finding that: the use involves no more than minimal risk to privacy, the research could not practicably be conducted without the waiver, and the research could not practicably be conducted without access to the PHI. Alternatively, covered entities can disclose a limited dataset (PHI stripped of direct identifiers but retaining dates and geographic information) for research under a data use agreement.
De-identification Standards
HIPAA defines two methods for de-identifying PHI. The Safe Harbor method requires removal of 18 specific identifiers: names, geographic data smaller than a state, dates (except year) related to an individual, phone numbers, fax numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers, device identifiers, web URLs, IP addresses, biometric identifiers, full-face photographs, and any other unique identifying number. The Expert Determination method allows a qualified statistical expert to certify that the risk of re-identification is very small. De-identified data is not PHI and falls outside HIPAA's scope entirely.
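As an added example (not Quali-Fi's code and not the text of the rule), here is a Safe Harbor de-identification pass over one constructed survey response: it drops the identifier fields listed above, keeps only the year of any date related to the individual, scrubs identifier-shaped strings that participants type into free-text answers, and gates export on the result. The field names, patterns and sample record are assumptions for illustration.

```python
import re
from datetime import date
# Survey fields holding Safe Harbor direct identifiers; dropped outright.
# Field names are assumed for this example, not Quali-Fi's schema.
IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "zip", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "biometric_id", "photo",
}
# Dates related to an individual are reduced to the year, which Safe Harbor permits.
DATE_FIELDS = {"date_of_birth", "admission_date", "survey_date"}
# Identifiers that leak into free-text answers. SSN runs before PHONE on purpose.
FREE_TEXT_PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"),
    "URL": re.compile(r"https?://\S+"),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}
def scrub_text(text: str) -> str:
    # Replace identifier-shaped substrings in a free-text answer with a marker.
    for label, pattern in FREE_TEXT_PATTERNS.items():
        text = pattern.sub(f"[{label} REMOVED]", text)
    return text

def safe_harbor(record: dict) -> dict:
    # Return a copy of one survey record with Safe Harbor identifiers removed.
    out = {}
    for field, value in record.items():
        if field in IDENTIFIER_FIELDS:
            continue                              # direct identifier: drop the field
        if field in DATE_FIELDS:
            out[field] = date.fromisoformat(value).year   # keep only the year
        elif isinstance(value, str):
            out[field] = scrub_text(value)        # free text may still carry identifiers
        else:
            out[field] = value
    return out

def export_is_clean(record: dict) -> bool:
    # Export gate: refuse a record that still has an identifier field or pattern.
    texts = [v for v in record.values() if isinstance(v, str)]
    return not IDENTIFIER_FIELDS.intersection(record) and all(scrub_text(t) == t for t in texts)
SAMPLE_RESPONSE = {  # constructed sample, not real patient data
    "name": "Jane Doe", "email": "jane@example.com", "zip": "90210", "state": "CA",
    "date_of_birth": "1985-06-14", "survey_date": "2024-03-02", "mrn": "MRN-0012345",
    "diagnosis_code": "E11.9", "satisfaction": 4,
    "comment": "Call me at 555-123-4567 or jane@example.com about my results.",
}
```

The regex scrubbing is a heuristic backstop for free text, not a substitute for Expert Determination when answers are rich in narrative detail.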
Business Associate Agreements
Any organization that processes PHI on behalf of a covered entity must sign a Business Associate Agreement (BAA). For survey platforms, this means that if a hospital uses your platform to survey patients and the survey data includes PHI, a BAA is required. The BAA specifies permissible uses of PHI, required safeguards, breach notification obligations, and the business associate's responsibilities for data protection. Without a BAA, the covered entity cannot share PHI with the platform, and the platform cannot legally process it.
Security Rule Requirements
HIPAA's Security Rule requires administrative, physical, and technical safeguards for electronic PHI. Administrative safeguards include risk assessments, workforce training, and security policies. Physical safeguards include facility access controls and workstation security. Technical safeguards include access controls, audit controls, integrity controls, and transmission security. For survey platforms, this translates to encryption, access logging, role-based permissions, and documented security procedures.
Compliance Checklist
- Determined whether your survey involves PHI connected to a HIPAA covered entity
- Executed a Business Associate Agreement if your platform or agency processes PHI
- Obtained individual authorization or an IRB/Privacy Board waiver of authorization for research use
- Applied Safe Harbor de-identification (18 identifiers removed) or obtained Expert Determination for data intended for use without authorization
- Electronic PHI is encrypted in transit and at rest
- Access to PHI is restricted through role-based access controls with unique user IDs
- Audit logs track all access to PHI including who accessed it, when, and what was viewed
- Workforce members with PHI access have completed HIPAA training
- A risk assessment has been conducted and documented within the past 12 months
- A breach notification procedure is documented (notification to affected individuals within 60 days, to HHS, and to the media where 500 or more individuals are affected)
- Data retention and destruction policies are specified for each research project
- Minimum necessary standard is applied: only the PHI needed for the research purpose is accessed
How This Compares to PHIPA
| Requirement | HIPAA (US) | PHIPA (Ontario) |
|---|---|---|
| Scope | Covered entities + business associates | Health information custodians + agents |
| De-identification | Safe Harbor (18 identifiers) or Expert Determination | Removal of identifiers + risk assessment |
| Research authorization waiver | IRB or Privacy Board approval | REB approval + custodian satisfaction |
| Business associate / agent agreement | BAA required | Agent agreement with custodian |
| Breach notification | 60 days to individuals; HHS annually or immediately (500+) | To custodian; custodian notifies IPC |
| Penalties | Up to $1.5M per violation category per year | Up to $200K individual / $1M organization |
| Minimum necessary | Yes, explicit requirement | Yes, collect only what is needed |
| Right to accounting of disclosures | Yes, 6-year accounting | Limited |
How Quali-Fi Helps You Comply
Quali-Fi supports HIPAA-ready research workflows for teams conducting healthcare surveys involving US covered entities. The platform's encryption standards, AES-256 at rest and TLS 1.3 in transit, meet HIPAA's technical safeguard requirements for electronic PHI. Role-based access controls ensure that only authorized team members can access survey data containing PHI, and comprehensive audit logs document every data access event for the accounting of disclosures that HIPAA requires.
For de-identification workflows, Quali-Fi's anonymization tools support Safe Harbor de-identification by enabling systematic removal of the 18 specified identifier types from survey datasets. Export configurations can be set to automatically exclude identifier fields, preventing accidental disclosure of PHI in data extracts. The platform's consent management features support both individual authorization workflows (where participants consent directly) and IRB-approved waiver workflows (where consent screens reflect the approved waiver conditions).
Quali-Fi's SOC 2 Type II certification independently validates the administrative, physical, and technical safeguards that HIPAA requires. For Canadian research firms serving US healthcare clients, the platform provides a single environment that meets both HIPAA and PHIPA requirements, eliminating the need to maintain separate platforms for US and Canadian healthcare research. Data residency options allow you to direct US healthcare data to appropriate hosting environments while keeping Canadian health data in Canada.
FAQs
Does HIPAA apply to all health surveys?
No. HIPAA applies only when PHI is involved in a relationship with a covered entity. A market research survey asking consumers about health topics, without involvement from a healthcare provider, health plan, or clearinghouse, is not subject to HIPAA. The key question is whether the data connects to a covered entity, not whether the survey topic is health-related.
Can a Canadian firm be a HIPAA business associate?
Yes. HIPAA's business associate requirements apply based on the function performed, not the organization's location. If a Canadian research firm or survey platform processes PHI on behalf of a US covered entity, it must sign a BAA and comply with HIPAA's requirements. This is increasingly common as US healthcare systems engage Canadian research firms for patient experience and outcomes research.
What is the difference between authorization and consent under HIPAA?
HIPAA uses "authorization" rather than "consent" for research use of PHI. An authorization is a detailed document that specifies the PHI to be used, who will use it, the purpose, an expiration date, and the individual's right to revoke. It is more prescriptive than general research consent. An IRB waiver of authorization allows research without individual authorization but does not waive the requirement for general informed consent to participate in the research.
Related Compliance Topics
- PHIPA and Survey Data: Ontario health privacy for research
- Data Anonymization for Research: de-identification techniques across frameworks
- Consent Management in Surveys: authorization and consent flow design
- Research Ethics Compliance: IRB requirements for healthcare research
- PIPEDA Compliance for Research: Canadian privacy baseline
- SOC 2 for Research Platforms: security certification for healthcare technology