Protected Health Information (PHI) and HIPAA (UserTesting)

Learn how UserTesting enables you to gather feedback while handling Protected Health Information (PHI) in a manner that is compliant with HIPAA.


This article applies to: UserTesting



What is HIPAA?

  • HIPAA is the Health Insurance Portability and Accountability Act of 1996.
  • It is a US federal law that requires the creation of national standards to protect sensitive patient health information from being exposed or disclosed without the awareness or consent of the patient.
  • Entities covered under HIPAA are typically health care providers, healthcare clearinghouses (e.g., billing services and community health information systems), and health insurance companies.
  • Although HIPAA is a US law, if your organization works with US patients, you will need to follow HIPAA guidelines for collecting insights. 



What is PHI?

  • PHI stands for Protected Health Information. It includes information about an individual's physical or mental health status.
  • With a Business Associate Agreement in place with UserTesting, you may ask about or otherwise record information related to medical records, medical history, or other PHI as defined by HIPAA.
  • Examples include:
    • Specific treatment/medical details
    • Hospital names
    • Doctor names
    • Medical records
    • Other Protected Health Information subject to HIPAA
  • Prohibited PHI is never allowed to be collected. Prohibited PHI includes:
    • Specific genetic information (e.g., genetic test results)
    • Biometric identifiers (e.g., fingerprints, voice prints, iris and retina scans)
    • Health plan beneficiary numbers
    • Health account numbers
    • Health Billing Information



What do I need to do to collect patient health information?

  • UserTesting does not allow customers to collect PHI without a Business Associate Agreement (BAA).
  • A BAA is required any time PHI is solicited, collected, or transferred on the UserTesting platform.
  • Provided you have a BAA with UserTesting, you may collect PHI, or qualify participants who are managing or living with a disability or medical condition (or providing care for someone who is), through self-identification via specific screener questions, as long as you include an appropriate consent screener.
  • Contact your account representative or our sales team to set up a BAA.
  • If you do not have a BAA in place, learn what Personally Identifiable Information (PII) you can and cannot collect during a session. 

    Note: Before collecting PHI, you should discuss the collection of such data with your internal legal and compliance functions. This article is for informational purposes only and should not be relied on as legal advice.



What experiences can I test?

Here are examples of experiences you may test:

  • Improving the patient and potential patient experience in all channels
  • Telemedicine experience testing
  • Diary testing with chronic illness patients and pharmaceutical trials
  • Driving engagement in digital channels
  • Increasing new patient appointments
  • Decreasing patient leakage
  • Improving Patient Satisfaction (SAT)
  • Competitor Testing
  • Message Validation
  • Improving the cross-channel journey



Recruiting participants

  • UserTesting does not collect sensitive information about health and mental status as a part of the UserTesting Network onboarding process.
  • If you need to collect this information, use screener questions to identify appropriate people.
  • With a BAA in place, it is acceptable to ask participants about their health status, conditions, and experiences.

Testing with the UserTesting Network

  • Participants living with a disability or medical condition (or providing care to someone who is) may self-identify via specific screener questions.
  • If you have access to Custom Network, you can create attribute filters related to your health study.

Testing with Invite Network

  • You have full responsibility for qualifying participants, and no additional qualification via UserTesting is required.
  • If it is important to record a participant's opt-in as a part of your Invite Network test, include a question like this as the first task in your test:
    We are collecting perspectives about experiences related to contributors’ mental and physical status. We will use this information to understand contributors’ needs and preferences. None of this information will be shared publicly; it will only be used by the teams who are working on projects related to the topics covered in this test. You might be required to share sensitive information, such as medical diagnoses or treatment details. If you are not willing to participate in this study, please end the session now.

Best practices

  • Allow participants to opt in or out of a test. 
    • Your first screener question should inform potential participants that the test may require them to provide mental or physical status information. We recommend using phrasing like this:

      We are collecting perspectives about experiences related to contributors’ mental and physical status. We will use this information to understand contributors’ needs and preferences. None of this information will be shared publicly; it will only be used by the teams who are working on projects related to the topics covered in this test. You might be required to share sensitive information, such as medical diagnoses or treatment details. Are you willing to participate in this study?

        • Yes, I am willing to participate in this study
        • No, I am not willing to participate in this study
  • You can also ask participants about their health conditions in the screener. We suggest this framing:

    Which, if any, of the following conditions have you formally been diagnosed with by a physician or health care professional? [multi-select]

      • I prefer not to answer [reject]
      • Arthritis
      • Heart/cardiovascular disease
      • Heart failure, a chronic condition in which the heart is weak and doesn’t pump blood as well as it should
      • Type 1 Diabetes
      • Type 2 Diabetes
      • Chronic Kidney Disease
      • Asthma
      • Hypertension/High blood pressure
      • None of the above [reject]


Setting up tests

  • When building and running tests, be mindful of the PHI you may expose.
  • You must include an opt-in screener question that alerts participants to the fact they will be expected to share personal information.
  • Not all PHI may be collected or exposed as part of the testing process. For example:

    Sensitive PHI (may be collected with the consent of the participant and a signed BAA in place):
    • Specific treatment/medical details
    • Hospital names
    • Doctor names
    • Medical information or history

    Prohibited PHI (may never be collected, regardless of BAA status):
    • Specific genetic information (e.g., genetic test results)
    • Biometric identifiers (e.g., fingerprints, voice prints, iris and retina scans)
    • Health plan beneficiary numbers
    • Health account numbers


Best practices

  • We highly recommend that you use the Blur Tool feature embedded within the task question when asking people to complete the following activities:
    • Any time someone logs into an account: When someone logs in during an unmoderated desktop or mobile test, separate that activity from any other follow-up activity to limit the exposure of sensitive information and maximize how much is captured of the post-login experience. 
    • When a large group sees personally identifiable information, and it’s not important for them to know it: In general, it is best to limit the potential exposure of personal information. If a video will be shown outside of a small team, it is recommended that the video be blurred.
  • Do not enable the Contributor View when setting up your test.
    • Because the HIPAA Privacy Rule protects several identifiers of individually identifiable health information, we discourage the use of the camera task as it captures a full-face image that could identify a patient.
  • You can ask participants questions about their health as long as prohibited PII or PHI is not exposed. Here are some examples of verbal tasks and questions you might include:

    May ask:
    • What symptoms prompted you to seek medical advice?
    • What alternative approaches besides medications do you use to manage symptoms?
    • How old were you when you were diagnosed with xxx?
    • What are your most common symptoms of xxx condition?

    May not ask:
    • Where did you undergo treatment for your lymphoma?
    • What dosage did you take of xxx drug?
    • Please log in using your social security number. (blurred or unblurred)


Analyzing insights

  • Do not include downloaded videos or clips in your reports.
    • To ensure that data is only stored on HIPAA compliant systems, we discourage downloading videos and highlight reels.
    • Instead, play videos within the UserTesting platform.
  • You can include links to videos or clips within your reports, provided that the systems on which the reports are stored are HIPAA compliant.
  • Even with a BAA in place, you should first look to your organization's internal guidelines around what can ultimately be shared in reports, and align your tests around what the output needs to be to support your storytelling.



Adverse events reporting

  • Adverse events reporting entails participants talking about potential side effects or product problems that could be associated with a drug or medical device they use. 
  • We recommend the following strategies to manage adverse event reports that surface during unmoderated tests:
      1. Include a screener question that qualifies participants based on whether or not they consent to be contacted for follow-up if their responses indicate that they have experienced an adverse event. For example:

        This test may touch on experiences that you have had with [medication/device]. May we contact you to follow up in the case that you share information that might help us to understand adverse events such as a mild, moderate, or severe side effect or bad reaction?

        • Yes, I consent to be contacted
        • No, I do not want to be contacted [reject]
      2. Consider what questions or tasks you have included that would prompt participants to share information about experiences they have had with the product or device. Ensure that you share the test with the appropriate individuals with appropriate pharmacovigilance training who can watch or listen to those specific tasks or questions. 
      3. You should review feedback from questions that might surface sensitive information. Use the instant highlight reel to ensure you see everyone answer the question or complete the task and to make the review of this information efficient. Be sure to share the test with appropriate colleagues as a proof of concept, in case there are concerns around how contributors react to prompts. 
      4. If you need to contact a participant to follow up, schedule a Live Conversation with that individual as a specific contributor. You may also message them using the messaging feature in the platform (note: you should never contact a UserTesting contributor outside of the Platform). Both options ensure that the individual identity of a participant remains protected.
      5. Add a single select, multiple choice yes/no question asking whether participants have experienced an adverse reaction. Follow up with a written question that specifically asks them to describe the reaction. Monitor the data that is returned daily to ensure that any information collected is reported promptly for pharmacovigilance follow-up. For instance:

        Have you experienced any adverse reactions such as [relevant reactions] when taking/using [medication/medical device name]? [single select multiple choice question]

        • Yes, I have experienced an adverse reaction
        • No, I have not experienced any adverse reactions
        If you answered “yes” to the last question, please describe your reaction. We may follow up with you after the test to gather more information, if necessary. [written question]
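As an added example (not UserTesting's own code, export format, or API), the daily monitoring in step 5 can be scripted as a triage pass over the exported answers. The script assumes a hypothetical export in which each record carries a platform contributor ID, an ISO-8601 completion timestamp, and answers keyed by question ID; the question IDs, the 10-character "usable description" threshold, and the sample records are all constructed for illustration. It carries forward only the platform contributor ID, so the follow-up queue holds no direct identifiers and the follow-up itself happens in-platform, as step 4 requires.

```python
"""Daily triage of adverse-event answers from an unmoderated test.

Added example, not UserTesting's own code or export format. It assumes a
hypothetical export in which each record has a platform contributor ID,
an ISO-8601 completion timestamp, and answers keyed by question ID.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Hypothetical question IDs (assumption: a real export uses different keys).
Q_CONTACT_CONSENT = "screener_contact_consent"
Q_ADVERSE_YESNO = "task_adverse_reaction"
Q_ADVERSE_DESC = "task_adverse_description"

# Answer text taken from the screener and test questions above.
CONSENT_YES = "Yes, I consent to be contacted"
ADVERSE_YES = "Yes, I have experienced an adverse reaction"


@dataclass
class FollowUp:
    contributor_id: str        # platform ID only; follow-up stays in-platform
    description: str
    needs_clarification: bool  # answered "yes" but gave no usable description


@dataclass
class TriageResult:
    follow_ups: list = field(default_factory=list)
    consented_no_event: int = 0
    unexpected: list = field(default_factory=list)  # non-consenting records


def triage(responses, since):
    """Route adverse-event answers completed at or after `since` for
    pharmacovigilance follow-up. Earlier records were handled by a
    previous daily run and are skipped.
    """
    cutoff = datetime.fromisoformat(since)
    result = TriageResult()
    for r in responses:
        if datetime.fromisoformat(r["completed_at"]) < cutoff:
            continue
        answers = r["answers"]
        cid = r["contributor_id"]
        if answers.get(Q_CONTACT_CONSENT) != CONSENT_YES:
            # The screener should have rejected this contributor; surface it
            # so a mis-configured screener is noticed, not silently dropped.
            result.unexpected.append(cid)
            continue
        if answers.get(Q_ADVERSE_YESNO) != ADVERSE_YES:
            result.consented_no_event += 1
            continue
        desc = (answers.get(Q_ADVERSE_DESC) or "").strip()
        # Assumed heuristic: fewer than 10 characters is not a usable description.
        result.follow_ups.append(
            FollowUp(cid, desc, needs_clarification=len(desc) < 10)
        )
    return result


# Constructed sample export: five contributors, one completed before the
# daily window and one whose consent answer should not have passed the screener.
SAMPLE_RESPONSES = [
    {"contributor_id": "c-1001", "completed_at": "2024-05-02T09:00:00",
     "answers": {Q_CONTACT_CONSENT: CONSENT_YES, Q_ADVERSE_YESNO: ADVERSE_YES,
                 Q_ADVERSE_DESC: "Severe headache for two days after the second dose."}},
    {"contributor_id": "c-1002", "completed_at": "2024-05-02T10:30:00",
     "answers": {Q_CONTACT_CONSENT: CONSENT_YES,
                 Q_ADVERSE_YESNO: "No, I have not experienced any adverse reactions"}},
    {"contributor_id": "c-1003", "completed_at": "2024-05-02T11:15:00",
     "answers": {Q_CONTACT_CONSENT: CONSENT_YES, Q_ADVERSE_YESNO: ADVERSE_YES,
                 Q_ADVERSE_DESC: "n/a"}},
    {"contributor_id": "c-1004", "completed_at": "2024-05-02T12:00:00",
     "answers": {Q_CONTACT_CONSENT: "No, I do not want to be contacted",
                 Q_ADVERSE_YESNO: ADVERSE_YES, Q_ADVERSE_DESC: "Rash on both arms."}},
    {"contributor_id": "c-1005", "completed_at": "2024-04-30T08:00:00",
     "answers": {Q_CONTACT_CONSENT: CONSENT_YES, Q_ADVERSE_YESNO: ADVERSE_YES,
                 Q_ADVERSE_DESC: "Dizziness in the first week."}},
]


def run_sample():
    """Triage the constructed export for the daily window starting 2024-05-01."""
    return triage(SAMPLE_RESPONSES, since="2024-05-01T00:00:00")


if __name__ == "__main__":
    res = run_sample()
    for f in res.follow_ups:
        flag = " (needs clarification)" if f.needs_clarification else ""
        print(f"{f.contributor_id}{flag}: {f.description}")
    print(f"{res.consented_no_event} consented, no event; "
          f"unexpected non-consent: {res.unexpected}")
```

Run it once per day with `since` set to the previous run's cutoff; anything in `unexpected` means the consent screener is not rejecting "No" answers and the test configuration should be checked before the data is used.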



Is UserTesting “HIPAA compliant”?

Yes. The UserTesting and UserZoom platforms are both HIPAA compliant. However, UserZoom GO and EnjoyHQ are not HIPAA compliant.


Does my company have a BAA signed with UserTesting?

Check with your UserTesting Administrator to determine if your company has a BAA signed with UserTesting. 


What questions can I ask if I don’t have a BAA signed?

If your company does not have a BAA signed with UserTesting, follow best practices for writing screener questions and collecting personally identifiable information (PII). You should not ask any questions intending to collect health information. 


Can I ask about participants’ illnesses or disabilities?

Yes, you can ask participants about protected health information as long as you have a BAA signed with UserTesting. We recommend having a screener for all PII (including PHI) and obtaining additional consent from the contributor during the test.


