May 13, 2019

Ten Ways to Stay HIPAA Compliant In Web-Enabled Market Research

A helpful set of guidelines to help in navigating research projects requiring HIPAA compliance.

by Rebecca West

Research credit to Jennifer Morehead, Civicom Compliance Officer

“If you think compliance is expensive – try non-compliance.” – Paul McNulty, Former US Deputy Attorney General

In 2010, Mark Zuckerberg declared privacy dead. This last week, he reversed his position. After a myriad of consumer complaints, bad press, and a $5 billion dollar fine from the European regulators, he’s come to an understanding about the importance of privacy to most Americans. The new truth is this: Privacy is trending.

HIPAA’s been around for over twenty years, and those involved in medical research and dealing directly with patients are well aware of the requirements of compliance. However, as leading facilitators of web-enabled market research globally, we’ve seen a wide range of compliance understanding among market researchers, largely because of the complexity of modern market research using web-enabled tools and uncertainty about what specifically must be done to meet compliance.

Hence, we’ve created a set of guidelines for what to look for when handling projects that require HIPAA compliance. They have grown out of what we have done to help keep our clients HIPAA compliant while remaining compliant ourselves. While much of this also applies to other data requirements such as the GDPR, we’re focusing today on how to be HIPAA compliant in web-enabled market research. So here are ten things worth looking for.

Healthcare Experience

Market researchers may enter the healthcare market deliberately or may fall into it because a healthcare company purchases their services. This is significant because many businesses may never intend to enter a market subject to HIPAA, yet if they do, they become subject to HIPAA requirements. Ask your supplier partner if they have worked on healthcare projects and are ready to meet requirements for protected health information (PHI).

Business Associate Agreements (BAAs)

Business Associates are service providers that have access to protected health information as part of the services they provide to an entity. Vendor partners should be ready and willing to sign a BAA – it is a violation not to have one in place.

Consent Management

Market research standards incorporate GDPR and HIPAA requirements for consent. Look at your vendor’s website. Do you have evidence that they have enhanced privacy and security policies to comply with HIPAA? In line with HIPAA requirements, they should have designated Privacy and Security Officers. Do they have a policy or process to deal with individual requests for an accounting of disclosures? Have you thought about what you want to happen if a vendor receives such a request?

Minimization of Your Data

You can reduce risk by using the absolute minimum data necessary for your research. Your vendor partners should be able to tell you the minimum information required for them to provide their services. Can they anonymize respondent data? Can they provide you with audio and face masking? Voice recordings and full-face images are considered PHI.

Data Mapping

Vendors should have data mapping of their processes in place to demonstrate that they know where your data goes and who accesses it. Expect consumers to exercise their right to privacy – vendors should be prepared to respond to requests for an accounting of disclosures within the HIPAA-required period of 45 days.

Secure Data Transfer

Encryption of PHI is required at rest and in transit. Vendors should be able to accommodate the use of secured file-sharing platforms, whether through your proprietary web app or a third-party SFTP server. Never transfer PHI over email (unless sufficient encryption is enabled). Remote access to networks should be made only through VPNs, and there should be a regular review of firewall rules.

Physical Security

Policies must be in place to ensure physical security. This could start with biometric authentication for entry to production areas. Protect the integrity of PHI with automatic timeout/log-out for workstations (in a survey of 300+ healthcare professionals, primarily from organizations with fewer than 500 employees, 20% said they don’t have this). Require verifiable, unique access to client confidential information.

A Security Culture

It is a HIPAA violation not to provide training for staff who handle PHI. Many companies invest in technical security but a true security culture will invest in their people. They are the front line to stop unauthorized disclosures. Training should cover the required topics as set out in the privacy rule. It’s important to provide training to employees at every level with an explanation of the laws and regulations in a way that applies to what they do every day.

Risk Assessments

Companies must engage both in the regular risk assessments required by HIPAA and in risk assessments related to new or changing processes and projects. Willingness to submit to audit is essential.

Seamless Service Compliance

You may work with vendors that have multiple service offerings. Compliance should be seamless across all of their lines of business, with the appropriate controls along the way.

The Bottom Line

You don’t have to look far to find breaches in privacy that vendors caused. The bottom line is to understand how your vendors are handling your data and whether they can maintain HIPAA compliance. Demonstrate privacy and data protection awareness from the beginning of the relationship.

Sources:

1. https://www.backupify.com/blog/the-it-directors-guide-to-hipaa-compliance
2. https://www.securitymetrics.com/blog/2017-hipaa-survey-results

Disclaimer

The views, opinions, data, and methodologies expressed above are those of the contributor(s) and do not necessarily reflect or represent the official policies, positions, or beliefs of Greenbook.
