Qualtrics has acknowledged that its offerings are HIPAA compliant by entering into a Business Associate Agreement (BAA) with the University of Minnesota. This means that if your survey will involve Protected Health Information (PHI), Qualtrics will handle the PHI in a manner that is in compliance with the law. PHI generally consists of individually identifiable medical and health information.
Qualtrics offers Transport Layer Security (TLS) encryption (HTTPS) and survey security options like password protection and HTTP referer checking. Its servers are housed in a tier one data storage facility with physical security measures such as biometric entry and double card swipe.
Read more about Qualtrics data security here:
Access to Data
In the best interest of protecting data privacy, there will be a limited number of administrators who have access to Qualtrics. If you are a researcher and need to include the number of people who have access to the data in your documentation to IRB or granting agencies, be sure to list five brand administrators in Information Technology.
Third-Party Survey Software
The current survey software available system-wide is Qualtrics. Qualtrics is the preferred online survey tool of the University of Minnesota because it meets stringent information security requirements not found in most free online survey tools. The text below has been approved by the Office of General Counsel (OGC) and explains why University faculty, staff, and students should not purchase or use other third-party survey software (such as SurveyMonkey or Zoomerang).
A click-through agreement is a contract, and the University can be liable under the contract. The “click-through” license agreements that users must “accept” before using a software program are subject to the same principles as contracts that are formed in any other way, meaning these click-through agreements are legally binding contracts. When a University employee enters into such an agreement, they are doing so on behalf of the University. Therefore, the University as a whole (not just the employee) may be bound by this employee’s agreement, and may also be liable under it. These click-through agreements can also violate University policy and practices regarding contract review, uncapped liability, and which state’s laws govern the agreement. Under University policy, the OGC must review any contract not in the University’s standard Contracts Library.
Click-through agreements can also grant ownership of your (and therefore, the University’s) data to the software company. Most third-party hosted sites claim to own the content on their site. Not only would this mean loss of valuable intellectual property for individuals and the University, it could also violate the Minnesota Government Data Practices Act or the federal Family Educational Rights and Privacy Act.
Use of third-party survey software could violate privacy laws. State and federal laws prohibit disclosure of certain information about students, and require specific security measures to prevent unauthorized access to this information. Without official contracts verified by OGC to ensure the safety of this data, the third-party survey software vendor may have no legal responsibility to uphold these standards.