The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Is SurveyMonkey HIPAA Compliant?

SurveyMonkey is HIPAA compliant and – when organizations subscribe to an Enterprise Plan and agree to SurveyMonkey’s Business Associate Agreement – SurveyMonkey can be used to collect, store, and analyze Protected Health Information (PHI). Organizations that do not wish to subscribe to an Enterprise Plan can still use the service, but not to collect, store, or analyze PHI.

SurveyMonkey is an online application that enables subscribers to create and send surveys via email, social media, and messaging services. The application is most often used in the healthcare industry to gain insights into patients’ health habits, track the effectiveness of patient safety programs, and solicit feedback from members of the workforce.

Although SurveyMonkey offers a free plan, it is extremely limited. Free subscribers can ask no more than 10 questions per survey and receive no more than 40 responses per survey. Additionally, if PHI is going to be disclosed in any questions or answers, it will be necessary to enter into a Business Associate Agreement – something SurveyMonkey is only prepared to do with subscribers to its Enterprise Plan.

Is SurveyMonkey HIPAA Compliant?

In its role as a Business Associate, SurveyMonkey is HIPAA compliant. The company provides a comprehensive security statement and a HIPAA compliance web page on which it attests to reasonably and appropriately protecting the confidentiality, integrity, and availability of electronic PHI received, maintained, or transmitted on behalf of covered entities (subject to accounts being HIPAA-enabled). The web page also lists some of the safeguards SurveyMonkey has put in place:

  • Assigned security team responsible for maintaining compliance with HIPAA.
  • Screening, authorization, and HIPAA training of SurveyMonkey staff.
  • Data backup and disaster recovery plans.
  • Systems regularly monitored, updated, and patched.
  • Incident response plan that includes reporting security incidents to Covered Entities.
  • All communications with SurveyMonkey servers are encrypted with SSL.
  • Regular risk assessments to ensure safeguards remain relevant and effective.

With regard to the Business Associate Agreement, SurveyMonkey offers its own Agreement, or will enter into a covered entity’s Agreement provided it is able to comply with the Agreement’s terms. Helpfully, the company has published a preview BAA on its website. However, visitors are alerted to the fact that the preview BAA was last updated in 2018 and that its terms may since have changed.

Complying with HIPAA when using SurveyMonkey

If a Business Associate Agreement is in place, SurveyMonkey provides tools to support HIPAA compliance. These include activity logs, an optional automatic log-off – which administrators should configure to match organizational HIPAA policies – and alert messages that warn users when they risk disclosing PHI themselves or risk prompting respondents to disclose PHI.

However, alert messages can be ignored and mistakes made. Therefore, it is important to train users on the compliant use of SurveyMonkey and how to respond if a response to a survey question discloses PHI they are not authorized to see. It may also be necessary to train users on how to identify and report inadvertent data breaches to compliance officers.

In conclusion, although SurveyMonkey is HIPAA compliant in its role as a business associate and has the tools to support HIPAA compliance, it is the responsibility of each covered entity to subscribe to an appropriate HIPAA-enabled business plan, configure the tools correctly, ensure users are trained how to comply with HIPAA when using SurveyMonkey, and monitor compliance.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or by email via stevealder(at)hipaajournal.com
