Collecting Contributor Insights Under HIPAA

At a Glance

When you run tests for an organization that falls under HIPAA regulations, UserTesting enables you to gather feedback and insights on the Platform while handling Protected Health Information (PHI) in a manner that is compliant with HIPAA.



What Is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act of 1996. It is a US federal law that requires the creation of national standards to protect sensitive patient health information from being exposed or disclosed without the awareness or consent of the patient. Entities covered under HIPAA are typically health care providers, healthcare clearinghouses (e.g., billing services and community health information systems), and health insurance companies. Although HIPAA is a US law, if your organization works with US patients, you will need to follow HIPAA guidelines for collecting insights. 

Due to HIPAA considerations, we do not allow customers to collect Protected Health Information (PHI), which may include information about physical or mental health status, without a Business Associate Agreement (BAA). Provided you have a Business Associate Agreement (BAA) with UserTesting, you may collect PHI or qualify contributors who are managing or living with a disability or medical condition, or providing care for someone who is disabled or has a medical condition, through self-identification via specific questions, as long as you include an appropriate consent screener (see the Consent paragraph below). A BAA is required any time PHI is solicited, collected, or transferred on the UserTesting Platform.

With a BAA in place, you may then ask or otherwise record information related to medical records, medical history, or other PHI as defined by The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Examples include:

  • Specific treatment/medical details
  • Hospital names
  • Doctor names
  • Medical records
  • Other Personal Health Information subject to HIPAA

Prohibited PHI is never allowed to be collected. Prohibited PHI includes:

  • Specific genetic information (e.g., genetic test results)
  • Biometric identifiers (e.g., fingerprints, voice prints, iris and retina scans)
  • Health plan beneficiary numbers
  • Health account numbers
  • Health Billing Information

Contact your account representative to find out if you already have a BAA in place. If your organization needs one for testing, see your account representative or contact our sales team.

Note: If you do not have a BAA in place, see this article to understand the Personally Identifiable Information (PII) you can and cannot collect during a session. 

Prior to collecting PHI, you should discuss the collection of such data with your internal legal and compliance functions. This article is for informational purposes only and should not be relied on as legal advice.

What Experiences Can I Test?

Here are examples of experiences you may test:

  • Improving the patient and potential patient experience in all channels
  • Telemedicine experience testing
  • Diary testing with chronic illness patients and pharmaceutical trials
  • Driving engagement in digital channels
  • Increasing new patient appointments
  • Decreasing patient leakage
  • Improving Patient Satisfaction (SAT)
  • Competitor Testing
  • Message Validation
  • Improving the cross-channel journey


How Does HIPAA Affect How I Run Tests?

Recruiting contributors

UserTesting does not collect sensitive information about health and mental status as a part of the UserTesting Contributor Network onboarding process.

If you need to collect this information, use screener questions to identify appropriate contributors. With a BAA in place, it is acceptable to ask contributors about their health status, conditions, and experiences. As a best practice, allow contributors to opt in or out of a test. Your first screener question should inform potential contributors that the test may require them to provide mental or physical status information. We recommend using phrasing like this:

We are collecting perspectives about experiences related to contributors’ mental and physical status. We will use this information to understand contributors’ needs and preferences. None of this information will be shared publicly; it will only be used by the teams who are working on projects related to the topics covered in this test. You might be required to share sensitive information, such as medical diagnoses or treatment details. Are you willing to participate in this study?

  • Yes, I am willing to participate in this study
  • No, I am not willing to participate in this study

You can also ask contributors about their health conditions in the screener. We suggest this framing:

Which, if any, of the following conditions have you formally been diagnosed with by a physician or health care professional? [multi-select]

  • I prefer not to answer [reject]
  • Arthritis
  • Heart/cardiovascular disease
  • Heart failure, a chronic condition in which the heart is weak and doesn’t pump blood as well as it should
  • Type 1 Diabetes
  • Type 2 Diabetes
  • Chronic Kidney Disease
  • Asthma
  • Hypertension/High blood pressure
  • None of the above [reject]

UserTesting Contributor Network and Custom Network: When testing with the UserTesting Contributor Network or Custom Network, contributors living with a disability or medical condition (or providing care to someone who is) may self-identify via specific screener questions. If you have access to Custom Network, you can create attribute filters related to your health study.

Invite Network: If testing is carried out with patients using the Invite Network, you will have full responsibility for qualifying contributors, and no additional qualification via UserTesting is required. If it is important to record a contributor’s opt-in as a part of your Invite Network test, include a question like this as the first task in your test:

We are collecting perspectives about experiences related to contributors’ mental and physical status. We will use this information to understand contributors’ needs and preferences. None of this information will be shared publicly; it will only be used by the teams who are working on projects related to the topics covered in this test. You might be required to share sensitive information, such as medical diagnoses or treatment details. If you are not willing to participate in this study, please end the session now.

Setting up tests

When building and running tests, be mindful of the PHI you may expose. Not all PHI may be collected or exposed as part of the testing process. 

Sensitive PHI (may be collected with the consent of the contributor and a signed BAA in place):

  • Specific treatment/medical details
  • Hospital names
  • Doctor names
  • Medical information or history

Prohibited PHI (may never be collected, regardless of BAA status):

  • Specific genetic information (e.g., genetic test results)
  • Biometric identifiers (e.g., fingerprints, voice prints, iris and retina scans)
  • Health plan beneficiary numbers
  • Health account numbers

It is highly recommended that you use the Blur Tool feature embedded within the task question when asking people to complete the following activities:

  • Any time someone logs into an account: When someone logs in during an unmoderated desktop or mobile test, separate that activity from any other follow-up activity to limit the exposure of sensitive information and maximize how much is captured of the post-login experience. 
  • When a large group sees personally identifiable information, and it’s not important for them to know it: In general, it is best to limit the potential exposure of personal information. If a video will be shown outside of a small team, it is recommended that the video be blurred.

In addition, you must include an opt-in screener question that alerts contributors to the fact they will be expected to share personal information.

Do not enable the Contributor View when setting up your test. Because the HIPAA Privacy Rule protects several identifiers of individually identifiable health information, we discourage the use of the camera task as it captures a full-face image that could identify a patient.

You can ask contributors questions about their health as long as prohibited PII is not exposed. Here are some examples of verbal tasks and questions you might include:

Examples you may ask:

  • What symptoms prompted you to seek medical advice?
  • What alternative approaches besides medications do you use to manage symptoms?
  • How old were you when you were diagnosed with xxx?
  • What are your most common symptoms of xxx condition?

Examples you may not ask:

  • Where did you undergo treatment for your lymphoma?
  • What dosage did you take of xxx drug?
  • Please log in using your social security number. (blurred or unblurred)


Collecting insights

Do not download videos or clips. To ensure that data is only stored on HIPAA compliant systems, we discourage downloading videos and highlight reels. Instead, videos should be played within the UserTesting Platform. You can include links to videos or clips within your reports, provided that the systems on which reports are stored are HIPAA compliant.

Even with a BAA in place, you should first look to your organization's internal guidelines around what can ultimately be shared in reports, and align your tests around what the output needs to be to support your storytelling.

What You Should Know About Adverse Events Reporting

You may get contributors who talk about potential side effects or product problems that could be associated with a drug or medical device they use. We recommend the following strategies for handling adverse event reports that surface during unmoderated tests:

1. Include a screener question that qualifies contributors based on whether or not they consent to be contacted for follow-up if their responses indicate that they have experienced an adverse event. For example:

This test may touch on experiences that you have had with [medication/device]. May we contact you to follow up in the case that you share information that might help us to understand adverse events such as a mild, moderate, or severe side effect or bad reaction?

  • Yes, I consent to be contacted
  • No, I do not want to be contacted [reject]

2. Add a single select, multiple choice yes/no question asking whether contributors have experienced an adverse reaction. Follow up with a written question that specifically asks them to describe the reaction. For instance:

Have you experienced any adverse reactions such as [relevant reactions] when taking/using [medication/medical device name]? [single select multiple choice question]

  • Yes, I have experienced an adverse reaction
  • No, I have not experienced any adverse reactions

If you answered “yes” to the last question, please describe your reaction. We may follow up with you after the test to gather more information, if necessary. [written question]

Monitor the data that is returned daily to ensure that any information collected is reported in a timely manner for pharmacovigilance follow-up.

3. Consider what questions or tasks you have included that would prompt contributors to share information about experiences they have had with the product or device. Ensure that you share the test with the appropriate individuals with appropriate pharmacovigilance training who can watch or listen to those specific tasks or questions. 

4. You should review feedback from questions that might surface sensitive information. Use the instant highlight reel to ensure you see everyone answer the question or complete the task and to make the review of this information efficient. Be sure to share the test with appropriate colleagues as a proof of concept, in case there are concerns around how contributors react to prompts. 

5. If you need to contact a contributor to follow up, schedule a Live Conversation with that individual as a specific contributor. You may also message them using the messaging feature in the Platform (note: you should never contact a UserTesting contributor outside of the Platform). Both options ensure that the individual identity of a contributor remains protected.


Frequently Asked Questions

Q: Is UserTesting “HIPAA compliant”?

Yes. The UserTesting and UserZoom platforms are both HIPAA compliant. However, UserZoom GO and EnjoyHQ are not HIPAA compliant.

Q: Does my company have a BAA signed with UserTesting?

Check with your UserTesting Administrator to determine if your company has a BAA signed with UserTesting. 

Q: What questions can I ask if I don’t have a BAA signed?

If your company does not have a BAA signed with UserTesting, follow best practices for writing screener questions and collecting personally identifiable information (PII). You should not ask any questions intending to collect health information. 

Q: Can I ask about contributors’ illnesses or disabilities?

Yes, you can ask contributors about personal health information as long as you have a BAA signed with UserTesting. We recommend having a screener for all PII (including PHI) and that you obtain additional consent from the contributor during the test.
