Atlantic.Net Blog

Do Healthcare Surveys Need to Be HIPAA Compliant Too?

One of the biggest challenges for doctors, hospitals, insurance carriers, and any other organizations handling patient data is HIPAA compliance. Compliance with HIPAA, short for the Health Insurance Portability and Accountability Act, can get particularly tricky for these organizations when it comes to communicating with patients and gathering feedback. For instance, email, messaging, and patient reviews must all be HIPAA-compliant, and they are often a source of violations.

These aren’t the only types of patient communications that fall within the scope of HIPAA; patient surveys need to be HIPAA-compliant as well. Achieving HIPAA compliance for a patient survey will depend on the nature of the survey. First, it is worth noting that healthcare practices are often most concerned about whether they can use email to send out these surveys. There is no issue with emailing if you use HIPAA-compliant server hosting and have a signed authorization from the patient stating that you can email them.

No matter what type of tool you use, you want to make sure that the firm will go beyond the BAA (Business Associate Agreement, a contract between a HIPAA-covered entity and a business associate that defines the scope of activities covered by HIPAA and how PHI will be protected) to actually maintain compliance in the manner described within the law.

Are patient surveys considered marketing?

No, according to the Health and Human Services Department. It is important to understand that the surveys are not marketing because HHS has specific guidelines related to marketing communications. The definition of marketing from HHS is “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.”

Any type of communication, such as an email, that does not provide treatment recommendations but is rather promoting services of a healthcare facility (such as a $49 baseline EKG special) is marketing. So is an email that lets the customers of a health insurance company know about other products they have available (such as casualty or homeowner’s insurance). Unless a patient survey includes a promotion for a product or service, you should treat it in the same manner as you do protected health information in any other core healthcare function setting.

Business associate agreement: key to using survey tools

A key thing to keep in mind when you think about the way that you survey your patients is that it is not technically possible for a technology, any technology, to be HIPAA-compliant in and of itself. Instead, it is the provider that must be compliant with HIPAA. Additionally, compliance cannot be achieved by merely completing documents. Instead, you must continually collect thorough paperwork of audits, assessments, and staff training.

For organizations to realize across-the-board HIPAA compliance, they must have safeguards in place at all times for all the protected health information (PHI) they handle. In order to be certain that their relationship with the providers of tools they use is acceptable per HHS guidelines, they must have any business partners, including providers of surveys, sign a BAA, thereby stating their adherence to the specifications of the healthcare law.

Important questions for hosts & survey providers

As indicated by certified healthcare privacy compliance officer Donna Grindle, many covered entities and business associates sign BAAs but do not do enough vetting, thinking the act of signing a BAA is sufficient on its own. “Most industry experts recommend going further than just a signed contract but actually doing some due diligence for assurances that they actually have a plan,” she noted.

In order to determine that the provider of a survey tool you want to use is compliant, you can use a set of questions. Sample questions for a patient survey provider are the following – and note that these questions are the same basic ones you should ask us or any other provider of digital tools that you use (cloud or otherwise):

1. Will your host and survey provider sign a flexible business associate agreement (BAA)?

If any company is in any way involved in the use or disclosure of protected health information (as occurs when patients send you PHI through a survey), you must have a BAA in place. It is your responsibility to have the BAA. Check that the BAA covers everything you need to stay compliant. You do not want a one-size-fits-all agreement, so be certain that you can adjust or negotiate its terms. Keep in mind that this firm is the guardian of data that your clients or patients have a right to have protected. You are held liable if the firm sets up inadequate protections and suffers a breach.

2. Will your host and survey provider give you their facilities’ technical and physical security policies?

Since you are a covered entity under HIPAA, you need information on how digital and physical access are controlled by the company. In order for a security policy to have the strength you need, you should see that they monitor their infrastructure and systems, check IDs, and issue badges to visitors. There are no grounds, legal or otherwise, for you to take an organization at its word regarding the security of your data.

3. When did the host and survey provider last perform a risk assessment?

You should be able to get copies of the most recent audit and risk analysis conducted by the company. Typically these analyses are conducted multiple times annually. You also want to know if the vendor is using a risk assessment that is based on principles from the NIST standards. That is important because it is the basis used by the government regulators: the Office for Civil Rights (OCR), the subagency of the HHS that is charged with developing and enforcing the HIPAA rules, uses NIST specifications when conducting breach investigations.

4. When a security incident occurs, what are your breach notification procedures?

Knowing how quickly you will be notified if your system is compromised is critical to you, so it should be critical to your business associates as well. There should be stated windows within the business associate agreement. You will see various timeframes that are required across the country. Some are extremely tight windows, as with Texas, in which the state’s HHS Department requires notification “[f]or federal information, including without limitation, Federal Tax Information, Social Security Administration Data, and Medicaid Client Information” to occur “within the first, consecutive clock hour of Discovery.” That’s right – just one hour for the initial notification to the government, in that case.

While the speed with which notification needs to occur is established within the law, some providers will state in their contracts that they have as much as 30 days to let you know that a breach has occurred. Audit the states in which you operate and all your agreements to make sure you know the procedures and timeframes for each one – keeping in mind that a strong provider will potentially exceed the specifications set by the state.

Beyond HIPAA-compliant hosting

Are you in need of an infrastructure for your patient surveys or any other aspects of your digital environment? At Atlantic.Net, we go beyond HIPAA and HITECH auditing with our SOC 1 and SOC 2 certifications and 100% uptime guarantee. See our HIPAA compliant web hosting services.
