SurveyMonkey's commitment to HIPAA compliance is evident in their approach to handling sensitive health information. SurveyMonkey has a Business Associate Agreement (BAA) in place, which requires them to comply with HIPAA regulations.
SurveyMonkey's BAA ensures that they handle Protected Health Information (PHI) in accordance with HIPAA standards. This includes implementing administrative, technical, and physical safeguards to protect PHI.
SurveyMonkey also provides a Data Use and Security Addendum, which outlines their responsibilities for handling PHI. This addendum is included in the BAA and serves as a critical component of SurveyMonkey's HIPAA compliance efforts.
Features
SurveyMonkey offers a range of features to help you comply with HIPAA regulations.
The company implements administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI.
These safeguards include measures that address the Security Rule's requirements, such as data encryption and single sign-on (SSO).
To enable HIPAA-compliant features, you need to upgrade to the Enterprise plan.
Once you've upgraded, you'll need to enter into a Business Associate Agreement (BAA) with SurveyMonkey.
This agreement meets the requirements of HIPAA and ensures that SurveyMonkey protects your PHI.
With the Enterprise plan, you'll get access to additional features, including AI-powered technology for creating branded surveys and forms.
You'll also get enterprise-grade security, including data encryption, SSO, and compliance with standards like HIPAA and GDPR.
Here are some of the notable features of SurveyMonkey Enterprise:
- AI-powered technology for creating branded surveys and forms.
- Enterprise-grade security with SSO, data encryption, and compliance with standards like HIPAA and GDPR.
- Customer experience tools that improve KPIs such as NPS and CSAT.
- Employee engagement and well-being insights.
- Centralized admin dashboard for user management and data security.
- Research capabilities for diverse requests and broad population reach.
- Connectivity with over 100 popular apps for data integration and insight enrichment.
Compliance for All
To ensure HIPAA compliance, you need a SurveyMonkey Enterprise account. You can contact SurveyMonkey's Customer Success Manager (CSM) to add the Enterprise add-on to your existing account.
If you're a covered entity under HIPAA, which includes doctors, nurses, health plans, and healthcare clearinghouses, you should use SurveyMonkey in a way that doesn't violate HIPAA's regulations. The same rule applies to business associates, that is, businesses handling or processing PHI on behalf of a covered entity, including accounting firms and medical billing companies.
To guarantee HIPAA compliance, you should enable Enhanced Sensitive Data Protection (ESDP) on your account or team. This will help you handle your data responsibly and securely.
Here are some vital steps to follow:
- Exporting survey results: download files to your own computer, encrypt them at rest, and transfer them only over an encrypted connection.
- Sharing surveys with others: only share surveys with people who are authorized to work on that survey.
- Transferring a survey to another account: enter the exact username of the receiving account, and ensure that the account is also ESDP-enabled if the survey contains sensitive data.
- Collecting responses: use a Web Link Collector, and do not use an Email Invitation Collector.
- Sharing survey results: only share survey results with authorized recipients.
By following these best practices, you can ensure that you're handling your data responsibly and securely, and that you're compliant with HIPAA regulations.
Business Associate Agreement
SurveyMonkey has a standard Business Associate Agreement (BAA) that meets the requirements of HIPAA, making it easy for covered entities to bring them on board.
To enable HIPAA-compliant features on your SurveyMonkey account, you can preview and sign a BAA in My Account; SurveyMonkey's help center provides step-by-step instructions.
Customers using a HIPAA-compliant account must sign a BAA with SurveyMonkey.
SurveyMonkey maintains appropriate administrative, physical, and technical safeguards to provide for the continuing security of your protected health information (PHI).
Different types of covered entities use surveys for various purposes, such as collecting feedback from patients or employees, but they all need to ensure the security of PHI.
Compliance and Reminders
To ensure HIPAA compliance with SurveyMonkey, it's essential to understand the key conditions and limitations of their Enterprise plan. For instance, once a SurveyMonkey account is HIPAA-enabled, it cannot be reverted to a non-HIPAA-enabled status.
If you're considering downgrading your account, be aware that downgrading a HIPAA-enabled account to a lower plan type is not possible. You'll need to open a new account if you want to remove HIPAA-compliant features or switch to a lower plan.
To guarantee HIPAA compliance, it's also crucial to understand the consequences of account suspensions and terminations. Failure to renew a HIPAA-enabled account will result in suspension, during which data is retained for a limited time, followed eventually by account closure. Similarly, terminating the Business Associate Agreement (BAA) will also lead to account closure.
Here are some key reminders to keep in mind:
- Account limitations: Once a SurveyMonkey account is HIPAA-enabled, it cannot be reverted to a non-HIPAA-enabled status.
- Downgrading plans: Downgrading a HIPAA-enabled account to a lower plan type is not possible.
- Account suspensions and terminations: Failure to renew a HIPAA-enabled account will result in suspension, during which data is retained for a limited time, followed eventually by account closure.
Enterprise User Reminders
As an Enterprise user of SurveyMonkey, it's essential to be aware of the following important reminders to ensure compliance with HIPAA regulations.
Once you enable HIPAA compliance on your SurveyMonkey account, it cannot be reverted to a non-HIPAA-enabled status. This is a permanent change that requires careful consideration.
Downgrading a HIPAA-enabled account to a lower plan type is not possible, so if you need to remove HIPAA-compliant features or switch to a lower plan, you'll need to open a new account.
If you fail to renew a HIPAA-enabled account, it will be suspended, and your data will be retained for a limited time. After this period, the account will be closed.
Terminating the Business Associate Agreement (BAA) also leads to account closure, so make sure to carefully review your account status before making any changes.
Here are the key consequences of not complying with HIPAA regulations on SurveyMonkey:
Monitor User Activities
To stay on top of user activities and ensure HIPAA compliance, it's essential to continuously monitor user actions. Your IT administrator can regularly check SurveyMonkey's Team Activity log to ensure that all user actions align with HIPAA guidelines.
This log provides valuable insights into who's accessing company health information and when. It's a simple yet effective way to detect and deter inappropriate access to sensitive information.
To take it a step further, automatic logout after a period of inactivity can prevent unauthorized access to sensitive information from an unattended session. This feature is designed to protect patient data and maintain HIPAA compliance.
Here are some key features to look for in a HIPAA-compliant data collection solution:
- Automatic logout after a period of inactivity to prevent unauthorized access
- Account activity logs to track who's accessing company health information
- PHI Share alerts so you can take action when protected health information is shared
Downgrades and Monitoring
If you're considering downgrading your SurveyMonkey account, be aware that it's not possible to revert a HIPAA-enabled account back to a regular account. You'll need to open a new account if you want to remove HIPAA-compliant features or switch to a lower plan.
If you're thinking of downgrading, you'll also want to know that you can transfer surveys from your HIPAA-enabled account to a regular account, but be careful not to transfer any surveys that contain PHI (protected health information).
Here are some key things to consider when downgrading or closing your HIPAA-enabled account:
- If you don't renew your account, it will be placed into a suspended state, and SurveyMonkey will preserve all data contained within the account.
- If you close your account, the BAA (Business Associate Agreement) will terminate, and your account will be closed.
- SurveyMonkey always provides an opportunity to save a copy of your survey data before your account gets closed.
It's also a good idea to regularly check SurveyMonkey's Team Activity log to ensure that all user actions align with HIPAA guidelines.