The difficulty in answering the question “Is Qualtrics HIPAA compliant?” is that, although the “experience management” platform appears to support HIPAA compliance, configuring and using the platform in a HIPAA compliant manner looks more complicated than some Covered Entities will be comfortable with.
For those who struggle with fancy terminology, Qualtrics is an online platform that enables businesses to create and send surveys, obtain customer/employee feedback, and address satisfaction issues using analytics and AI-powered automation. As an engagement and response tool, Qualtrics is a very advanced option. But is Qualtrics HIPAA compliant?
Certainly, Qualtrics appears to be HIPAA compliant in its role as a Business Associate to a Covered Entity. It has multiple security certifications – including self-certified compliance with the HITRUST CSF – and is willing to enter into a Business Associate Agreement with a Covered Entity if the platform is going to be used for collecting, storing, or transmitting PHI.
Qualtrics doesn’t provide previews of its Business Associate Agreements, but the draft Contractor Agreement for businesses Qualtrics might share PHI with is very comprehensive and covers everything required by the Administrative Simplification provisions. Assuming the Business Associate Agreement between Covered Entities and Qualtrics is equally comprehensive, there should be no problem with clarifying Covered Entities’ and Qualtrics’ compliance obligations.
Can Qualtrics be Used in Compliance with HIPAA?
This is where the issue with HIPAA compliance exists. As mentioned previously, Qualtrics is a very advanced experience management platform. However, rather than explaining the platform’s capabilities – and how to use them – in language people might understand, the limited information on the website is garnished with fancy terminology. This can make it difficult to configure and use Qualtrics in compliance with HIPAA.
There is a rich resource library that contains product demonstrations, and you can also find demos on YouTube that don’t require you to register first. Both sources demonstrate that, if you don’t know what you are doing when using the platform, the range of options is complicated to navigate – potentially resulting in configuration challenges, user problems, project delays, and incomplete data analyses.
To help overcome the issue, Qualtrics has an online resource library with plenty of “how to” pages; but, again, we get the feeling you already have to be familiar with the software – and understand the terminology – to benefit from the advice offered. Phone, email, and chat customer support are also available depending on which level of plan you subscribe to, but the company’s live support services get very poor reviews on user-verified review sites.
Limited Use Cases Suggest Other Solutions May Be More Viable
Like most online survey software, Qualtrics can be used to gain insights into patients’ health habits, track the effectiveness of patient safety programs, and solicit feedback from members of the workforce. Provided the platform is configured and used in compliance with HIPAA when PHI is being collected, stored, or transmitted, the platform can be an asset for these use cases.
However, in order to appear more valuable to healthcare providers than competing online survey software, Qualtrics also suggests additional use cases that are unrealistic – for example, solving the nationwide nursing shortage and diagnosing patients’ illnesses remotely with no reference to each patient’s medical history. Other examples tend to have an overreliance on the authenticity of customer reviews to prove a point.
In conclusion, Qualtrics is a HIPAA compliant platform that might be a nice toy to have, but it is an expensive toy that could create compliance issues due to the complexity of navigating the platform. Additionally, concerns exist about the steep learning curve, reportedly poor customer support, and limited use cases, which suggest other solutions may be more viable. Certainly, simpler survey platforms that are easier to understand are less likely to be responsible for inadvertent HIPAA violations.