Qualtrics has acknowledged that its offerings are HIPAA compliant by entering into a Business Associate Agreement (BAA) with the University of Minnesota. This means that if your survey will involve Protected Health Information (PHI), Qualtrics will handle the PHI in a manner that is in compliance with the law. PHI generally consists of individually identifiable medical and health information.
Qualtrics offers Transport Layer Security (TLS) encryption (HTTPS) and survey security options like password protection and HTTP referrer checking. Its servers are housed in a tier one data storage facility that includes security measures such as biometric entry and double card swipe.
Read more about Qualtrics data security here:
University of Minnesota Security
Training, Policies and Procedures
Keep in mind that if your unit is handling PHI, you should have completed HIPAA training and be familiar with the policies and procedures the University has in place for dealing with PHI, including the Board of Regents Policy at http://regents.umn.edu/sites/default/files/policies/Health_Information.pdf. For more information about HIPAA and PHI, or if you have questions about your survey and HIPAA and PHI, contact firstname.lastname@example.org.
Access to Data
In the best interest of protecting data privacy, there will be a limited number of administrators who have access to Qualtrics. If you are a researcher and need to include the number of people who have access to the data in your documentation to IRB or granting agencies, be sure to list five brand administrators in Information Technology.