Is Qualtrics HIPAA Compliant?

UIC’s agreement with Qualtrics includes a Business Associate Agreement. This means individuals may use this service to maintain Protected Health Information (PHI) regulated by HIPAA. While Qualtrics meets the “physical safeguard” component of HIPAA, compliance with federal laws and university policy is decided on a case-by-case basis by the UIC Institutional Review Board.

The Qualtrics survey tool is available for use by UIC faculty, staff, and students in support of the university's educational mission and organizational goals.

Complying with HIPAA’s requirements is a shared responsibility. Users sharing and storing PHI in Qualtrics are responsible for complying with HIPAA safeguards, including:
  • Using and disclosing only the minimum necessary PHI for the intended purpose.
  • Obtaining all required authorizations for using and disclosing PHI.
  • Ensuring that PHI is seen only by those who are authorized to see it.
  • Obtaining all necessary data-sharing agreements and Business Associate Agreements for using and disclosing PHI.
  • Following any additional steps required by your unit to comply with HIPAA.

Sensitive data, including PHI, may be collected and stored in Qualtrics for non-clinical purposes only (for example, research and hospital quality improvement initiatives). Qualtrics should not be used for any clinical applications that deliver, document, or otherwise contribute to the care of individual patients.

For more information about the Institutional Review Board HIPAA policy, review: http://research.uic.edu/
For details about HIPAA and other security-related aspects of Qualtrics, visit https://www.qualtrics.com/security-statement/



Keywords: compliance, surveys, research, protected data, sensitive data, PHI, clinical data
Doc ID: 91902
Owner: Elizabeth R.
Group: University of Illinois at Chicago ACCC
Created: 2019-05-22 08:35 CDT
Updated: 2019-07-25 11:03 CDT
Sites: University of Illinois at Chicago ACCC