Patient satisfaction surveys: Health care operations or marketing?
Kirsten Peremore
April 17, 2025

Patient satisfaction surveys are classified as healthcare operations rather than marketing under HIPAA because they directly contribute to quality assessment and performance improvement activities that the Privacy Rule explicitly permits. A study titled ‘Relationship Between Hospital Performance on a Patient Satisfaction Survey and Surgical Quality’, assessing patient satisfaction in hospitals, notes that “patients treated at hospitals with higher patient satisfaction scores experienced lower rates of 30-day mortality, failure to rescue, and minor complications.”
These surveys collect feedback about patients' experiences to evaluate service quality, identify opportunities for improvement, and enhance care delivery, functions that align precisely with healthcare operations as defined in HIPAA.
The Privacy Rule specifically permits covered entities to use or disclose protected health information (PHI) for quality assessment and improvement activities, which includes patient satisfaction measurement. Unlike marketing communications that promote products or services for purchase, satisfaction surveys seek evaluative feedback about past experiences rather than encouraging future commercial transactions.
This distinction is needed because healthcare operations activities can use PHI without specific patient authorization, whereas marketing generally requires explicit consent.
Why market research firms become business associates
According to HIPAA regulations, a business associate is a third party that needs access to health information to perform functions or services for healthcare entities. The delivery of healthcare involves complex operations, and healthcare providers and health plans frequently rely on third-party vendors to help them operate as businesses and fulfill their responsibilities to patients and beneficiaries.
A Manatt paper provides that, “Not all outside vendors or service providers that have relationships with a Covered Entity qualify as Business Associates under HIPAA. An entity qualifies as a Business Associate if it ‘creates, receives, maintains, or transmits’ PHI ‘on behalf of’ either a Covered Entity or a Business Associate.”
Since market research firms analyze patient data, conduct satisfaction surveys, or evaluate healthcare services, they typically require access to PHI, thus qualifying as business associates. Market research firms must understand their obligations as business associates and ensure they have the necessary infrastructure and processes to comply with HIPAA requirements when handling PHI on behalf of their healthcare clients.
Framing health care operations under HIPAA
The HIPAA Privacy Rule specifically permits covered entities to use or disclose PHI for their own treatment, payment, and health care operations activities without patient authorization. An excerpt from Patient Confidentiality states, “a HIPAA rule permits disclosure of PHI without prior obtained consent for healthcare operations, treatment, and payment. This includes consultation between providers regarding a patient, referring a patient, and information required by law for public health safety and reporting.”
The Privacy Rule provides examples of healthcare operations, including:
- conducting quality assessment and improvement activities
- developing clinical guidelines, performing patient safety activities
- conducting population-based activities to improve health or reduce costs
- developing protocols, case management, care coordination
- reviewing competence or qualifications of healthcare professionals
- training healthcare providers
- conducting legal, auditing, and compliance functions
- managing business planning and development
The line between operations and marketing
HIPAA defines marketing as any communication that promotes the sale of a product or service, and such communications generally require explicit patient authorization before PHI can be used or disclosed. According to a law review of Sorrell v IMS Health Inc., “The Privacy Rule flatly prohibits any unauthorized use or disclosure of protected health information for marketing purposes.”
The Privacy Rule provides that certain communications are explicitly exempted from the definition of marketing. The key difference lies in the purpose and content of the communication.
A feedback survey asking "Tell us about last week's visit" serves quality improvement purposes and falls under healthcare operations because it aims to assess service quality and identify areas for improvement. As part of operations, such communications can utilize PHI without specific marketing authorization from patients. In contrast, a promotional email stating "Buy our new wellness package" clearly promotes a specific service or product for purchase, constituting marketing under HIPAA.
Why asking ‘How did we do?’ is considered operations, not promotions
Patient satisfaction surveys asking "How did we do?" are classified as healthcare operations rather than marketing under HIPAA because they primarily serve quality assessment and performance improvement functions. These surveys collect feedback about patients' experiences to evaluate and enhance service delivery, which falls squarely within the Privacy Rule's definition of healthcare operations.
According to an Oman Medical Journal study, ‘Patient Satisfaction Survey as a Tool Towards Quality Improvement’, the surveys serve the following operational purpose: “Patients’ evaluation of care is a realistic tool to provide opportunity for improvement, enhance strategic decision making, reduce cost, meet patients' expectations, frame strategies for effective management, monitor healthcare performance of health plans and provide benchmarking across the healthcare institutions.”
Quality assessment and improvement activities are explicitly included in HIPAA's permitted uses and disclosures for healthcare operations, allowing covered entities to use PHI for these purposes without specific patient authorization. The distinction lies in the purpose of the communication: patient satisfaction surveys aim to gather information to improve healthcare delivery, not to promote products or services for sale.
They focus on past experiences rather than future purchases, serving an evaluative rather than promotional function. These surveys help healthcare organizations fulfill their regulatory and accreditation requirements. From a practical perspective, if patient satisfaction surveys were classified as marketing, healthcare organizations would face barriers to quality improvement.
Typical survey tasks that involve PHI
- Demographic segmentation: Using health-related variables like diagnosis history or treatment dates to target respondents.
- Medical record reviews: Accessing electronic health records to identify eligible participants, which requires safeguards under HIPAA’s "activities preparatory to research" clause.
- Personalized invitations: Including identifiers like appointment dates or provider names in survey emails.
- Data analysis: Reporting results with granular details (e.g., rare conditions) that risk re-identification.
Where PHI can slip into a survey or email
An excerpt from Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research notes, “The Privacy Rule generally restricts the use or disclosure of protected health information, except as permitted by the individual or as authorized or required by the Privacy Rule.” Instances where PHI can be found in the operations of marketing research firms include:
- Even the most basic identifying information, such as email addresses, becomes PHI when associated with a healthcare provider, as it implies a patient-provider relationship. According to HIPAA guidelines, if a clinic sends an email to its database, "it could be inferred that the email addresses of the recipients qualified as PHI because the sender of the email is a healthcare service".
- Survey questions themselves may elicit responses containing health details, treatment experiences, or condition-specific feedback that constitutes PHI.
- Marketing research firms often use demographic segmentation, which can include health-related variables that qualify as protected information.
- Metadata and technical processes behind surveys may capture information like IP addresses, timestamps, and device information that, when combined with other data, could identify individuals.
- The personalization of survey invitations might include appointment references, provider names, or treatment locations that reveal protected information.
- When analyzing and reporting survey results, inadequate de-identification processes might allow individual patients to be identified, especially in smaller population samples.
- The transmission process itself poses risks if unsecured channels are used, as emails containing PHI that are intercepted en route to the recipient may result in unauthorized disclosure.
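As an added illustration that is not part of the original article, the Python below shows two checks a research firm could run against the tasks and risks listed above: screening a personalized invitation for the identifiers the lists name (appointment dates, provider names, condition terms) before it is sent, and suppressing small reporting cells when aggregating survey scores so that respondents with rare conditions cannot be singled out. The regex patterns, the threshold of five respondents, and the responses are constructed for this example.

```python
import re
from collections import defaultdict

# Hypothetical patterns for identifiers the article lists as PHI-bearing in
# personalized invitations; a real deployment would rely on the platform's DLP rules.
PHI_PATTERNS = {
    "appointment_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "provider": re.compile(r"\bDr\.\s+[A-Z][a-z]+"),
    "condition": re.compile(r"\b(diabetes|hypertension|hemophilia|oncology)\b", re.I),
}

def screen_invitation(text):
    """Return the PHI categories found in an invitation body; an empty list
    means the template carries none of the listed identifiers."""
    return sorted(name for name, pat in PHI_PATTERNS.items() if pat.search(text))

MIN_CELL = 5  # assumed suppression threshold: cells below this are never reported alone

def aggregate_scores(responses, group_key, min_cell=MIN_CELL):
    """Mean satisfaction score per group. Groups with fewer than min_cell
    respondents are pooled into 'Other'; if the pool is still too small it is
    withheld entirely. Returns (report, names_of_folded_groups)."""
    groups = defaultdict(list)
    for r in responses:
        groups[r[group_key]].append(r["score"])
    report, pooled, folded = {}, [], []
    for key, scores in groups.items():
        if len(scores) < min_cell:
            pooled.extend(scores)
            folded.append(key)
        else:
            report[key] = {"n": len(scores), "mean": round(sum(scores) / len(scores), 2)}
    if len(pooled) >= min_cell:
        report["Other"] = {"n": len(pooled), "mean": round(sum(pooled) / len(pooled), 2)}
    # The folded names belong in the internal audit log, not in the published report.
    return report, sorted(folded)

def _rows(condition, scores):
    return [{"condition": condition, "score": s} for s in scores]

# Constructed responses (no real patients): two common conditions and three rare ones.
RESPONSES = (_rows("hypertension", [4, 5, 3, 4, 5, 4]) + _rows("diabetes", [5, 4, 4, 3, 5])
             + _rows("asthma", [4, 4]) + _rows("hemophilia", [2, 3]) + _rows("migraine", [5]))

if __name__ == "__main__":
    print(screen_invitation("Thanks for seeing Dr. Alvarez on 03/12/2025 about your diabetes. How did we do?"))
    print(aggregate_scores(RESPONSES, "condition"))
```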
Why research firms should use HIPAA compliant platforms
HIPAA compliant email and HIPAA compliant marketing platforms make use of the technical safeguards required by the HIPAA Security Rule, including high standards of encryption that ensure the confidentiality and integrity of PHI in transit between the covered entity and the recipient. Without proper encryption, intercepted communications would expose PHI, constituting a reportable breach.
These platforms typically incorporate data loss prevention features that can "block inadvertent or deliberate disclosures in marketing emails," preventing accidental PHI exposures through automated screening. The consequences of non-compliance are severe. In 2022 alone, HHS' Office for Civil Rights received 64,592 HIPAA data breach notifications, with misdelivered emails accounting for approximately 8% of reported breaches.
FAQs
Can marketing research firms use subcontractors (e.g., survey platforms)?
Yes, but the firm must ensure that subcontractors sign BAAs and comply with HIPAA; subcontractors that handle PHI automatically qualify as business associates.
Are marketing research firms liable for HIPAA violations?
Yes. Business associates face direct penalties for non-compliance, including fines up to $1.5 million annually per violation category.
Do firms need BAAs for patient satisfaction surveys?
Yes, if surveys include identifiable PHI (e.g., names, email addresses linked to healthcare providers). However, fully anonymized surveys may not require a BAA.
How does HIPAA affect cross-border marketing research?
If PHI is stored or processed outside the United States, firms must ensure that subcontractors comply with HIPAA and include data residency clauses in Business Associate Agreements (BAAs).