Qualtrics is a cloud-based survey and experience management platform that provides a suite of tools for collecting, analyzing, and acting on customer and employee feedback. It offers a wide range of features for designing surveys, collecting responses, and gaining insights into customer and employee experiences.
Organizations often use Qualtrics to gather data on customer satisfaction, employee engagement, market research, and other areas to make informed decisions and improve their products or services.
Is Qualtrics HIPAA compliant? Yes, based on our research, Qualtrics can be HIPAA compliant.
Will Qualtrics sign a business associate agreement (BAA)?
Yes, Qualtrics will sign a business associate agreement, which can be reviewed here.
What does the Qualtrics BAA cover?
The Qualtrics BAA covers the use and disclosure of protected health information (PHI), stating, "Qualtrics recognizes the importance of protecting patient privacy and safeguarding PHI. Qualtrics offers features that enable customers to secure patient data and ensure regulatory adherence.
- Secure Data Storage: Qualtrics employs security measures to safeguard PHI, including data encryption at rest and in transit, robust access controls, and regular security audits.
- Role-Based Access Controls (RBAC): Qualtrics enables healthcare organizations to define user roles and permissions, enabling organizations to ensure only authorized personnel have access to PHI.
- Data Minimization: Qualtrics enables customers to determine what data to collect from their end-customers, therefore allowing customers to collect only necessary PHI, thereby minimizing exposure. Qualtrics supports data masking at ingestion. Brand administrators define organizational policies that enable the masking or deletion of sensitive information, such as name, email, and IP address, when it’s collected, before saving the records in the Qualtrics system.
- Audit Trails: Qualtrics enables customers to review access logs to track user activity, facilitating compliance audits with the ability for brand admins to search, filter, and export audit events through an easy-to-use interface and APIs.
- HITRUST CSF Certification: Qualtrics has achieved Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) certification, a comprehensive, certifiable framework that aligns with HIPAA requirements, demonstrating our commitment to data security and privacy."
Conclusion
Qualtrics will sign a BAA and, as our research above indicates, can be HIPAA compliant when used under that agreement with its PHI safeguards (access controls, data masking, and audit logging) in place.
FAQs
What is a business associate agreement?
A business associate agreement (BAA) is a legally binding contract establishing a relationship between a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and its business associates. The purpose of this agreement is to ensure the proper protection of protected health information (PHI) as required by HIPAA regulations.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting the privacy and security of certain health information, known as protected health information (PHI).
HIPAA is designed to protect the privacy and security of individuals’ health information and to ensure that healthcare providers and insurers can securely exchange electronic health information. Violations of HIPAA can result in significant fines and penalties for covered entities.
Who does HIPAA apply to?
HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.