The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Is Qualtrics HIPAA Compliant?

Posted By on May 19, 2023

The issue with answering the question is Qualtrics HIPAA compliant is that, although the “experience management” platform appears to support HIPAA compliance, configuring and using the platform in a HIPAA compliant manner looks more complicated than some Covered Entities will be comfortable with.

For those who struggle with fancy terminology, Qualtrics is an online platform that enables businesses to create and send surveys, obtain customer/employee feedback, and address satisfaction issues using analytics and AI-powered automation. As an engagement and response tool, Qualtrics is a very advanced option. But is Qualtrics HIPAA compliant?

Certainly, Qualtrics appears to be HIPAA compliant in its role as a Business Associate to a Covered Entity. It has multiple security certifications – including self-certified compliance with the HiTRUST CSF Framework – and is willing to enter into a Business Associate Agreement with a Covered Entity if the platform is going to be used for collecting, storing, or transmitting PHI.

Qualtrics doesn’t provide previews of its Business Associate Agreements, but the draft Contractor Agreement for businesses Qualtrics might share PHI with is very comprehensive and covers everything required by the Administrative Simplification provisions. Assuming the Business Associate Agreement between Covered Entities and Qualtrics is equally as comprehensive, there should be no problem with clarifying Covered Entities’ and Qualtrics’ compliance obligations.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Can Qualtrics be Used in Compliance with HIPAA?

This is where the issue with HIPAA compliance exists. As mentioned previously, Qualtrics is a very advanced experience management platform. However, rather than explaining the platform’s capabilities – and how to use them – in a language people might understand, the limited information on the web site is garnished with fancy terminology. This can make it difficult to configure and use Qualtrics in compliance with HIPAA.

There is a rich resource library that contains product demonstrations, and you can also find demos on YouTube that don’t require you to register first. Both sources demonstrate that, if you don’t know what you are doing when using the platform, the range of options is complicated to navigate – potentially resulting in configuration challenges, user problems, project delays, and incomplete data analyses.

To help overcome the issue, Qualtrics has an online resource library with plenty of “how to” pages; but, again, we get the feeling you already have to be familiar with the software – and understand the terminology – to benefit from the advice offered. Phone, email, and chat customer service is also available depending on which level of plan you subscribe to, but the company’s live support services get very poor reviews on user-verified review sites.

Limited Use Cases Suggest Other Solutions May be More Viable

Like most online survey software, Qualtrics can be used to gain insights into patients’ health habits, track the effectiveness of patient safety programs, and solicit feedback from members of the workforce. Provided the platform is configured and used in compliance with HIPAA when PHI is being collected, stored, or transmitted, the platform can be an asset for these use cases.

However, in order to appear more valuable to healthcare providers than competing online survey software, Qualtrics also suggests additional use cases that are unrealistic – for example, solving the nationwide nursing shortage and diagnosing patients’ illnesses remotely with no reference to each patient’s medical history. Other examples tend to have an overreliance on the authenticity of customer reviews to prove a point.

In conclusion, Qualtrics is a HIPAA compliant platform that might be a nice toy to have, but it is an expensive toy that could create compliance issues due to the complexity of navigating the platform. Additionally, concerns exist about the steep learning curve, reportedly poor customer support, and limited use cases which suggest other solutions may be more viable. Certainly, simpler survey platforms which are easier to understand are less likely to be responsible for inadvertent HIPAA violations.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist