
LimeSurvey and HIPAA compliance

8 years 10 months ago #119922 by brainpsych
LimeSurvey and HIPAA compliance was created by brainpsych
Hi all,

I was a bit surprised to see that when I do a search for 'HIPAA' on the forums, no hits come up. I am reading in a number of places that LimeSurvey can be HIPAA compliant, but I need to know how to do this. I'd assume it is not HIPAA compliant right out of the box, and some settings need to be toggled and it may need to be installed in a certain way.

Can anyone enlighten me? Any places out there which describe a best practices approach to implementing this tool in a HIPAA compliant way?

Thanks,
Colin
The topic has been locked.
8 years 10 months ago #119929 by Ben_V
Replied by Ben_V on topic LimeSurvey and HIPAA compliance

I am reading in a number of places that LimeSurvey can be HIPAA compliant...


Hi, do you refer to the following resources?

rc.partners.org

idash.ucsd.edu => (how to make an electronic informed consent...)

Benoît

EM Variables => bit.ly/1TKQyNu | EM Roadmap => bit.ly/1UTrOB4
Last Releases => 2.6x.x goo.gl/ztWfIV | 2.06/2.6.x => bit.ly/1Qv44A1
Demo Surveys => goo.gl/HuR6Xe (already included in /docs/demosurveys)
8 years 10 months ago #119931 by brainpsych
Replied by brainpsych on topic LimeSurvey and HIPAA compliance
Yes, them as well as a couple of other sources.

Is this incorrect?
8 years 10 months ago #119932 by Ben_V
Replied by Ben_V on topic LimeSurvey and HIPAA compliance
My opinion is that LimeSurvey allows the configuration of "HIPAA compliant" questionnaires (out of the box).

This said, the most important points for full compliance are how your questionnaire is designed (including display of all necessary privacy notes) and how collected data are stored and used...

Benoît

8 years 10 months ago #119940 by brainpsych
Replied by brainpsych on topic LimeSurvey and HIPAA compliance
That is kind of what I was thinking.

If the Limesurvey end of things is secure, are there any tutorials on how to set up the rest?

In my situation, I'd be having patients take the survey once they were in my office, so it wouldn't seem too hard to host Limesurvey on a cheapie in-house server.

However, it would be nice if I could make it possible for someone outside of my office to do them ahead of time and maintain HIPAA compliance.

IF it is just going to be much simpler to keep it on a local server, does anyone have any recommendations on how to do this?

Thanks again.
8 years 10 months ago #119941 by brainpsych
Replied by brainpsych on topic LimeSurvey and HIPAA compliance
Also, if the surveys are only going to be done locally, is there any way to do this with the local PC version of the software? There would never be more than one person at a time taking a survey.

Thanks
8 years 10 months ago #119947 by holch
Replied by holch on topic LimeSurvey and HIPAA compliance
In the case that the survey would be done locally (I assume on a tablet or a station where the patient can respond), the XAMPP version of Limesurvey should be enough. The only thing you need to know is the local (!!) IP of the computer / server where it is installed.

For example, if you have a work station where people would respond, you could install Limesurvey (or the XAMPP/Limesurvey package) on this computer and use it also as server. Then you usually could access the survey also as "http://localhost/_folder-where-your-limesurvey-is-installed/"

I am not familiar with the requirements of that HIPAA thingy, so I can't tell you if the data needs to be stored locally. But I highly doubt it, because this would exclude basically any third-party software offered as SAS. Most survey packages are only available as SAS though.

I answer at the LimeSurvey forum in my spare time, I'm not a LimeSurvey GmbH employee.
No support via private message.

8 years 10 months ago #119950 by jelo
Replied by jelo on topic LimeSurvey and HIPAA compliance

holch wrote: In the case that the survey would be done locally (I assume on a tablet or a station where the patient can respond), the XAMPP version of Limesurvey should be enough. The only thing you need to know is the local (!!) IP of the computer / server where it is installed.

What holch means is that when running a local installation of Limesurvey via XAMPP you access the survey via the IP of the local computer. 127.0.0.1 works only from the local OC. If the PC is connected to a LAN, the IP of the NIC (network card) can be used too. Even others from the LAN might be able to access the Limesurvey installation.

holch wrote: Most survey packages are only available as SAS though.

SAAS (Software as a Service). When first reading SAS I was irritated, since SAS is a company offering analytical software.

When hosting Limesurvey for HIPAA compliance you can start by looking for "HIPAA Compliant Hosting", since most of the compliance is the same for any web application. A survey system can sometimes be easier to protect than e.g. a CRM or patient records database. Still waiting for an established HIPAA hosting requirements checklist. Keeping stored data to a minimum is a good way to start.

When you have your local installation of Limesurvey on a single desktop computer I would first try to ensure that the PC cannot be stolen easily. Or that the computer is fully encrypted and only will be booted into a kiosk mode when patients should fill out surveys.

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
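The exposure jelo describes above (a XAMPP install answering on the LAN address, not just 127.0.0.1) comes from Apache's `Listen` directive. The following is an added example, not code from the thread or from LimeSurvey/XAMPP: it parses the `Listen` lines of a constructed httpd.conf and reports which sockets are reachable from other machines, so a practitioner can confirm a single-laptop setup is bound to loopback only. The config snippets and the 192.168.1.10 address are constructed.

```python
"""Report Apache Listen sockets reachable from beyond the local machine."""
import ipaddress

# Constructed httpd.conf fragments (not LimeSurvey's or XAMPP's own files).
DEFAULT_CONF = """
# XAMPP-style default: bare ports bind every interface, so the LAN can reach it
Listen 80
Listen 443 https
"""
LAPTOP_CONF = """
# Single laptop handed to the patient: loopback only
Listen 127.0.0.1:80
Listen [::1]:80
"""
OFFICE_CONF = """
# Office 'server' with a static LAN address for the tablets
Listen 192.168.1.10:80
"""


def parse_listen(token):
    """Split a Listen argument into (address or None for all interfaces, port)."""
    if token.startswith("["):                      # IPv6 form: [addr]:port
        addr, _, port = token[1:].partition("]:")
        return addr, int(port)
    if ":" in token:                               # IPv4 form: addr:port
        addr, _, port = token.rpartition(":")
        return addr, int(port)
    return None, int(token)                        # bare port: all interfaces


def exposed_listeners(conf_text):
    """Return [(addr, port)] for sockets not restricted to a loopback address."""
    exposed = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        parts = line.split()
        # Apache directive names are case-insensitive; a protocol arg may follow
        if len(parts) < 2 or parts[0].lower() != "listen":
            continue
        addr, port = parse_listen(parts[1])
        if addr is None or not ipaddress.ip_address(addr).is_loopback:
            exposed.append((addr or "0.0.0.0", port))
    return exposed


if __name__ == "__main__":
    for name, conf in [("default", DEFAULT_CONF), ("laptop", LAPTOP_CONF),
                       ("office", OFFICE_CONF)]:
        print(name, "exposed:", exposed_listeners(conf) or "none")
```

A LAN-bound socket is the intended case for the office-server layout, but it should then be paired with Apache access rules that allow only the tablets' addresses.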
8 years 10 months ago - 8 years 10 months ago #119951 by holch
Replied by holch on topic LimeSurvey and HIPAA compliance
Jelo is of course right, it should be SaaS (Software as a Service), not SAS. SAS stands for either the analytical software mentioned by Jelo, or for "Software as Service". So both (SaaS and SAS) are used for more or less the same thing, but SaaS would be definitely the better choice here, as it avoids confusion with the software.

testingsaas.blogspot.com.br/2008/12/saas...-thats-question.html


Last edit: 8 years 10 months ago by holch.
8 years 10 months ago #119953 by brainpsych
Replied by brainpsych on topic LimeSurvey and HIPAA compliance
Holch,

Thanks for your thoughts...

I believe what you are describing is what I'm thinking. Let me elaborate.

HIPAA mandates a certain level of security that must be implemented for protected healthcare information while it is being stored and/or transmitted. I believe that if I did it on a local network that it is much easier to maintain HIPAA compliance. In this situation, the main issue is that the data are stored in a secure fashion. Storing locally seems relatively easy - storing and transmitting data in the cloud/over the internet is much more complex.

With regard to SAS, you are speaking well above my paygrade

*Damn it Jim, I'm a doctor, not a programmer*

Having said that, I believe you are referring to the less-important (to me) feature of being able to do these surveys from outside of my local network?

So, 2 questions:

1. If I were to have the XAMPP package running on a desktop within my local network, I would just generate a token for each new patient and then point the browser on the tablet to an (internal) address that the token-generating process would provide me?

2. If I had a laptop with the XAMPP version running on it, I could just hand the laptop to the patient and they could take it on the laptop? They would take the survey through the web browser?

Thanks again and I'm sorry if my lack of understanding of how the world of computers works is complicating you understanding what I'm asking for.
8 years 10 months ago - 8 years 10 months ago #119955 by holch
Replied by holch on topic LimeSurvey and HIPAA compliance
In theory, you could even install Limesurvey on the tablet (if you manage to install a webserver that can run PHP and MySQL), so the tablet or the laptop could work as both server and tool to apply the questionnaire, if there is only one person at a time doing the survey.

Now if more than one person at the same time might fill in the survey you should separate the server and the client (computer/browser where the questionnaire is filled in) physically. E.g. if your secretary has a computer that is always on, when the practice is open, then you could install it on this computer. Ideally this "server" is connected to the router via a cable and not Wifi, but it can also work with Wifi.

Then you need to find out what the internal IP of this "server" is. Your office most probably has two kinds of IPs. The public one, that is given to you by your ISP and that identifies your office (or better your router) on the internet. But internally, the router also needs addresses for each computer/device that is connected to the local area network. That would be what I call the internal IP. They are not accessible from the internet (there are exceptions, but I assume that is not your case). These IPs are usually either static or dynamically assigned by the router (DHCP). For your survey to run properly, the IP of your "server" (device where limesurvey is installed) should be static, because otherwise it can happen that the IP changes over time (e.g. when you switch off the server overnight, the next day it might have a different IP).

So you should talk with the person that set up your network in the office. If it is you, you should have a look at the administration of your router. It usually gives you the option to assign static IPs to certain devices.


Last edit: 8 years 10 months ago by holch.
8 years 10 months ago #119957 by brainpsych
Replied by brainpsych on topic LimeSurvey and HIPAA compliance
I am just noticing that I only read the last of 3 posts when I myself responded.

Jelo - what does "local OC" mean?

Holch - The distinction between SAS and SaaS is not something that I am understanding from the link. Sorry.

Also, I assume a tablet could be on the same wireless network as the host computer - it doesn't need to be connected via ethernet?

Also, I assume there would be something easily done to make an iPad only allow the individual to access one program - i.e., the browser pointed at the survey?