Recommendations for HIPAA-Compliant Survey Tool

We’re looking to gather data on decision-making from the patients of one of our healthcare clients. Based on what we’ve seen with survey tools, HIPAA-compliance is a feature only included at the enterprise level.

Does anyone have any recommendations for ensuring HIPAA compliance in surveys without having to pay enterprise pricing? Any and all advice is welcome and appreciated!


Hey @richard.briddock

Great question. Let me have a quick look around in our resources.

I believe @jessica_best has some privacy experience. Any thoughts here?

Hey @richard.briddock,

Thank you @hesh_fekry for tagging Jessica. I’m sure she’ll have insights she can share.

As we wait for Jessica to share insights from her extended experience, I’ve done some research to help narrow your search by looking for answers to two main questions.

First question: Does Google Forms offer a HIPAA compliant solution?

Specifically Google Forms.

Many smaller than enterprise orgs rely on Google’s high quality solutions, and I personally remembered Google Forms being used by past and current healthcare providers. So I assumed there must be some level of HIPAA compliance.

I found background info from the HIPAA Journal:

Is Google Forms HIPAA Compliant?

No software solution can be truly HIPAA compliant, as HIPAA compliance depends on the actions of users. However, Google does support HIPAA compliance and Google Forms is covered by its business associate agreement. Therefore, Google Forms can be considered a HIPAA compliant solution that is suitable for use in healthcare.

hipaajournal.com also has practical advice along with current news on HIPAA compliance available for immediate reading.

I also found Google for Work’s HIPAA Compliance & Data Protection with Google Apps guide.
A PDF on Google Apps for Work HIPAA implementation. Breaks down using Google services with PHI, additional considerations you should make for HIPAA compliance and security audits. It can help you see how you can make specific Google Apps core services work for you.

You can get in contact with Google to confirm pricing. I cannot confirm their pricing, if any, and their team usually replies to pricing questions to help inform your decision.

Second question: Are there other solutions with non-enterprise pricing?

I reviewed and compiled a short list of best possible solutions without enterprise pricing to help narrow your search a bit.

  • Jotform - HIPAA compliance available in Silver ($39/month, annually) and Gold ($99/month, annually) tiers. No additional fee.
  • Zoho Survey - May provide HIPAA compliance in their Pro ($35/month, annually) tier, but cannot confirm.

Other solutions either have HIPAA compliance listed clearly (at enterprise level as you mentioned) like SurveyMonkey, while some do not list it at all. You may need to reach out and confirm with several providers.

This should help narrow down your search,
Tania

Wow, Tania has much more info on this than I do!

I never claim to be a legal expert, especially in things as specific as SOC/HIPAA compliance, so I’d always recommend spending the money for legal counsel here, to see if your legal team/a consultant can make clear recommendations that will keep you covered.

In general, though, it doesn’t surprise me that HIPAA or other data security may cost a fee. Most free tools explicitly state that users should not enter private or sensitive data, as they’re not secure storage or capture mechanisms (i.e. Google Forms with your free/personal account).

I love Tania’s recommendations for inexpensive data collection that has some security provisions, but again… Would run both by your legal counsel. It’s true that data collection is only one part of legally compliant data management!

Best of luck.


Hey @jessica_best,

Thank you for the insight. Your recommendation to spend money on legal counsel is very helpful. Someone who is qualified, to whom you can present your found solutions and concerns.

Your insight about free tools and their explicitly stated terms on private/sensitive data is also a great help. It sounds like a situation where you must do your due diligence and, before investing any $ into a solution, seek legal counsel first to be 100% sure. HIPAA compliance would demand it.

This should help you in your next steps. Keep us updated on how it goes from here, and if you have more questions feel free to ask. @richard.briddock

Thank you so much,
Tania
