SurveyMonkey

ENTERPRISE ADD-ON: HIPAA compliant accounts are only available to customers on Enterprise. If you're interested, contact sales. If you already have an Enterprise account, contact your Customer Success Manager (CSM).

Does HIPAA apply to me? If you are a “covered entity” (as defined by HIPAA) and are using SurveyMonkey to collect or store protected health information (generally any information about the health status, provision of health care, or payment for health care that can be linked to a specific individual, such as an individual’s name and/or contact details combined with information about health care that the individual received), then HIPAA likely applies to your use of SurveyMonkey. If you don’t need HIPAA but do need a higher level of security when using SurveyMonkey to collect or store information, check out the Enhanced Sensitive Data Protection feature.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a United States law that regulates the collection and handling of “protected health information” (PHI). Certain organizations called “covered entities” and their business associates are required to comply with HIPAA.

For SurveyMonkey, being "HIPAA-compliant" means that we offer a service that enables covered entities to collect and manage PHI through surveys in a manner compliant with HIPAA. As part of offering this service, SurveyMonkey ensures that it operates in a way that is consistent and compatible with those laws and SurveyMonkey's role as a business associate to a covered entity user.

In accordance with our Terms of Use, SurveyMonkey only permits PHI to be collected by regulated entities if it is done through a “HIPAA-enabled account” with a business associate agreement (BAA) in place. However, SurveyMonkey does not require you to have a BAA if you are not regulated by HIPAA with respect to the PHI you collect in your surveys.

  • HIPAA Security Measures that SurveyMonkey Employs
  • Feature List

SurveyMonkey offers a standard form BAA which meets the requirements of HIPAA. If you're interested in enabling HIPAA features on your account, please contact us.

If you've already entered into a BAA with us, you can contact us to receive a copy of your BAA.

Once an account is HIPAA-enabled, it cannot be reverted to a non-HIPAA account. If the BAA is terminated, your account will also be closed. See the Downgrades section below for more information.

Review the common questions below to understand how downgrades work for HIPAA-enabled accounts.

  • Can I downgrade my HIPAA-enabled account or team to a lower plan type?
  • What happens if I don't renew my HIPAA-enabled account or team?
  • What happens if I close my HIPAA-enabled account or terminate my BAA?

Once you enable HIPAA-compliant features on your account or team, follow these best practices when performing certain actions to help ensure that you're handling your data responsibly and securely.

Action
HIPAA Security Tips
Exporting survey resultsIf you download survey results to your own computer, please ensure that those downloaded files are handled appropriately since they contain PHI. We suggest that you secure those files by encrypting them and only transferring them under an encrypted connection.
Sharing surveys with othersWhen you share a survey, the people you choose to share it with will have access to view and possibly edit the survey, or access any collected survey responses. Remember to only share surveys in a manner consistent with your HIPAA obligations. Only share a survey with people who are authorized to work on that survey.
Transferring a survey to another accountIf you must transfer a survey to a different SurveyMonkey account, ensure that you are absolutely certain that the receiving account is the one you intend to send it to. To transfer a survey, you must enter the exact username of that account. The transfer process cannot be undone without action by the receiving account holder.

If your survey contains PHI, it is your responsibility to ensure that such PHI is only disclosed to an appropriate recipient. This means that if you transfer PHI to another account, it is crucial that that account must also be HIPAA-enabled.
Collecting responsesIf you collect PHI in your survey, we recommend that you use a Web Link Collector.

We do not recommend the use of an Email Invitation Collector. Email Invitation Collectors email survey invitations to contacts with a unique survey link tied to a contact's email address. If respondents are able to edit their responses, a contact of an email invitation could complete all or part of a survey and forward their unique survey link to someone else. This would allow the second contact to view the first contact’s responses, which may contain PHI.
Sharing survey resultsYour survey results may contain PHI, so remember to only share survey results in a manner consistent with your HIPAA obligations. Only disclose results to authorized recipients.