Is SurveyMonkey HIPAA Compliant?
Is SurveyMonkey HIPAA compliant? At the present time, SurveyMonkey is HIPAA compliant. However, SurveyMonkey’s parent company – Momentive – is in the process of being acquired by a private equity consortium. If the acquisition proceeds, we cannot guarantee the information below will remain accurate.
SurveyMonkey is an online application that enables subscribers to create and send surveys via email, social media, and messaging services. The application is most often used in the healthcare industry to gain insights into patients’ health habits, track the effectiveness of patient safety programs, and solicit feedback from members of the workforce.
Although SurveyMonkey offers a free plan, it is extremely limited. Free subscribers can only ask up to 10 questions per survey, plus accept only 40 responses per survey. Additionally, if PHI is going to be disclosed in any answers or questions, it will be necessary to enter into a Business Associate Agreement – something SurveyMonkey is only prepared to do with subscribers to its business plans.
Is SurveyMonkey HIPAA Compliant?
In its role as a Business Associate, SurveyMonkey is HIPAA compliant. The company provides a comprehensive security statement and a HIPAA compliance web page on which it attests to reasonably and appropriately protecting the confidentiality, integrity, and availability of electronic PHI received, maintained, or transmitted on behalf of Covered Entities (subject to accounts being HIPAA-enabled). The web page also lists some of the safeguards SurveyMonkey has put in place:
Get the FREE
HIPAA Compliance Checklist
Delivered via email so please ensure you enter your email address correctly.
Your Privacy Respected
- Assigned security team responsible for maintaining compliance with HIPAA.
- Screening, authorization, and HIPAA training of SurveyMonkey staff.
- Data backup and disaster recovery plans.
- Systems regularly monitored, updated, and patched.
- Incident response plan that includes reporting security incidents to Covered Entities.
- All communications with SurveyMonkey servers are encrypted with SSL.
- Regular risk assessments to ensure safeguards remain relevant and effective.
With regards to the Business Associate Agreement, SurveyMonkey offers its own Agreement or will enter a Covered Enty’s Agreement subject to being able to comply with the terms of the Agreement. Helpfully, the company has published a preview BAA on its website. However, visitors are alerted to the fact that the preview BAA was last updated in 2015 and reminded that SurveyMonkey’s parent company may soon be acquired – so the terms of the preview BAA may not remain the same.
Complying with HIPAA when using SurveyMonkey
If a Business Associate Agreement is in place, SurveyMonkey has the tools to support HIPAA compliance. These tools include activity logs and optional automatic log-off – which administrators should configure to comply with organizational HIPAA policies – and alert messages that warn users when they risk disclosing PHI or risk respondents disclosing PHI.
However, alert messages can be ignored and mistakes made. Therefore, it is important to train users on the compliant use of SurveyMonkey and how to respond if a response to a survey question discloses PHI they are not authorized to see. It may also be necessary to train users on how to identify and report inadvertent data breaches to compliance officers.
In conclusion, although SurveyMonkey is HIPAA compliant in its role as a Business Associate and has the tools to support HIPAA compliance, it is the responsibility of each Covered Entity to subscribe to an appropriate HIPAA-enabled business plan, configure the tools correctly, ensure users are trained how to comply with HIPAA when using SurveyMonkey, and monitor compliance.