The University of Oklahoma has executed a HIPAA Business Associate Agreement (BAA) with Qualtrics, which permits Health Science Center health care components (HCC) to utilize the Qualtrics online survey and analytics tool while handling electronic protected health information (ePHI). Health Care Components (HCC) refer to those units within the University of Oklahoma that engage in covered health care activities under HIPAA regulations. These components are required to comply with HIPAA’s privacy and security rules when handling protected health information (PHI).
The use of University PHI for research, analytics, and reporting continues to be governed by the University’s HIPAA policies. All faculty, staff, and researchers who intend to use PHI in Qualtrics must ensure full compliance with these policies, which can be accessed at: https://apps.ouhsc.edu/hipaa/secured/default.asp?page=policies.
If you have any questions, please reach out to the University’s HIPAA Compliance Team at oucompliance@ouhsc.edu
Qualtrics may also be used to collect and analyze FERPA-protected information. It is the responsibility of the data handler to request, store, and use student educational records in strict compliance with the University’s FERPA policies.
FERPA policies can be reviewed at: https://www.ou.edu/registrar/academic-records/ferpa/release-of-information. If you have questions about the University’s FERPA policies or issues handling FERPA-protected information, please reach out to the Office of the Registrar.
All University employees, researchers, and students utilizing Qualtrics for sensitive data collection must complete both HIPAA and FERPA training as applicable to their data use.