LimeSurvey and HIPAA compliance

8 years 10 months ago - 8 years 10 months ago #119955 by holch
Replied by holch on topic LimeSurvey and HIPAA compliance
In theory, you could even install LimeSurvey on the tablet (if you manage to install a webserver that can run PHP and MySQL), so the tablet or the laptop could work as both server and tool to apply the questionnaire, if there is only one person at a time doing the survey.

Now if more than one person at the same time might fill in the survey you should separate the server and the client (computer/browser where the questionnaire is filled in) physically. E.g. if your secretary has a computer that is always on, when the practice is open, then you could install it on this computer. Ideally this "server" is connected to the router via a cable and not Wifi, but it can also work with Wifi.

Then you need to find out what the internal IP of this "server" is. Your office most probably has two kinds of IPs. The public one, that is given to you by your ISP and that identifies your office (or better your router) on the internet. But internally, the router also needs addresses for each computer/device that is connected to the local area network. That would be what I call the internal IP. They are not accessible from the internet (there are exceptions, but I assume that is not your case). These IPs are usually either static or dynamically assigned by the router (DHCP). For your survey to run properly, the IP of your "server" (device where LimeSurvey is installed) should be static, because otherwise it can happen that the IP changes over time (e.g. when you switch off the server overnight, the next day it might have a different IP).

So you should talk with the person that set up your network in the office. If it is you, you should have a look at the administration of your router. It usually gives you the option to assign static IPs to certain devices.

I answer at the LimeSurvey forum in my spare time, I'm not a LimeSurvey GmbH employee.
No support via private message.

The topic has been locked.
8 years 10 months ago #119957 by brainpsych
Replied by brainpsych on topic LimeSurvey and HIPAA compliance
I am just noticing that I only read the last of 3 posts when I myself responded.

Jelo - what does "local OC" mean?

Holch - The distinction between SAS and SaaS is not something that I am understanding from the link. Sorry.

Also, I assume a tablet could be on the same wireless network as the host computer - it doesn't need to be connected via ethernet?

Also, I assume there would be something easily done to make an iPad only allow the individual to access one program - i.e., the browser pointed at the survey?
8 years 10 months ago #119958 by brainpsych
Replied by brainpsych on topic LimeSurvey and HIPAA compliance
Holch,

I think I'll skip running a server on the tablet itself. There is an Ubuntu Installer for Android, but I'd need to get the data off of there and back it up/look at it, and to do this I'd presumably need to use my network - probably with less robust encryption options than I'd have with a host computer and a tablet.

So, I think you answered all of my questions and connecting the "server" to the router directly is easy and I assume the tablet can access the server via wifi?


Thanks so much. I really appreciate everyone's time.
8 years 10 months ago #119959 by jelo
Replied by jelo on topic LimeSurvey and HIPAA compliance

brainpsych wrote: Jelo - what does "local OC" mean?

Sorry, I hit O instead of the P key.
I meant local PC.

brainpsych wrote: Holch - The distinction between SAS and SaaS is not something that I am understanding from the link. Sorry.

You can safely ignore the content of the link for your problem.

brainpsych wrote: Also, I assume a tablet could be on the same wireless network as the host computer - it doesn't need to be connected via ethernet?

Yes, correct.

brainpsych wrote: Also, I assume there would be something easily done to make an iPad only allow the individual to access one program - i.e., the browser pointed at the survey?

It depends on the App you will use as browser. Search and watch out for "kiosk mode" which describes a mode where everything is locked to a certain application so that the tablet or pc cannot be misused.

E.g. www.webascender.com/Blog/ID/447/How-to-S...iPad-to-Just-One-App
or support.apple.com/HT5509

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
8 years 10 months ago #119961 by holch
Replied by holch on topic LimeSurvey and HIPAA compliance
As Jelo said: Ignore the differences between SAS and SaaS. Let's go for SaaS - Software as a service. This means that the provider doesn't sell you a software that you install on your computer or your server. Actually today you might associate this with "cloud".

Installing Limesurvey on a tablet: I have done it with an Android tablet already. There are apps that install the webserver and then you just need to install Limesurvey on that webserver, just as you would for a hosted service.

But I think the best solution is to have it running on a "server" (can be an ordinary computer) at your office. The tablet can access the "server" easily via WIFI through the router.

For the possibility to only allow one application (the browser) on the tablet, as Jelo said, search for kiosk mode.

Never used it, but you should find a solution there.

8 years 10 months ago #120015 by jboogie21
Replied by jboogie21 on topic LimeSurvey and HIPAA compliance
I think brainpsych might have already found his/her solution, but I thought I'd add my two cents for the discussion re:Limesurvey & HIPAA.

Based on my understanding (by no means am I an expert!!), to be HIPAA compliant the data must be secured/encrypted. That is the "easy" part especially when dealing with local data/PHI (Protected Health Information). However, most people are connected to the internet, and SaaS providers are becoming increasingly popular. Using SaaS providers increases risks. This increased risk is related to the transmission of PHI across servers that a service provider like brainpsych (assuming he/she is a health care provider of some sort) has no control over. Reputable SaaS providers will offer a Business Associates Agreement (BAA) which makes them liable for any security breaches. Basically, a BAA typically states that the SaaS provider will make sure PHI is safe/secure AND will inform the end user of any breaches. So in sum, to be HIPAA compliant PHI needs to be secured, and when using the internet there needs to be an audit trail should anything go awry.

So to circle back to brainpsych's original question, something else to consider is the type of information he/she is soliciting. If it is unidentifiable data, a SaaS provider like limeservice.com might be an option.
The following user(s) said Thank You: Ben_V
8 years 10 months ago - 8 years 10 months ago #120020 by Ben_V
Replied by Ben_V on topic LimeSurvey and HIPAA compliance

jelo wrote: Search and watch out for "kiosk mode" which describes a mode where everything is locked to a certain application so that the tablet or pc cannot be misused


For Mac users I recommend iCab, a very great and stable browser allowing kiosk mode...

There is also a similar iOS app (I've never tested)


Benoît

EM Variables => bit.ly/1TKQyNu | EM Roadmap => bit.ly/1UTrOB4
Last Releases => 2.6x.x goo.gl/ztWfIV | 2.06/2.6.x => bit.ly/1Qv44A1
Demo Surveys => goo.gl/HuR6Xe (already included in /docs/demosurveys)
8 years 10 months ago #120025 by brainpsych
Replied by brainpsych on topic LimeSurvey and HIPAA compliance
Hey,

Thank you all very much for your thoughts. Often times software that has all support done via forums can be a frustration for new users, but I have been very pleasantly surprised by this community.

Yours,
Colin
8 years 9 months ago #121304 by Ben_V
Replied by Ben_V on topic LimeSurvey and HIPAA compliance

7 years 10 months ago #135897 by Mazi
Replied by Mazi on topic LimeSurvey and HIPAA compliance

Ben_V wrote:

jelo wrote: Search and watch out for "kiosk mode" which describes a mode where everything is locked to a certain application so that the tablet or pc cannot be misused


For Mac users I recommend iCab, a very great and stable browser allowing kiosk mode...


You can now use the new LimeSurvey Android app "OfflineSurveys" to run any LimeSurvey survey in kiosk mode on any Android device, see www.offlinesurveys.com

Best regards/Beste Grüße,
Dr. Marcel Minke
Need Help? We offer professional Limesurvey support: survey-consulting.com
Contact: marcel.minke(at)survey-consulting.com
7 years 7 months ago #140787 by r0bis
Replied by r0bis on topic LimeSurvey and HIPAA compliance
Hi there, this is a great thread for me.

I am also just a doctor looking into anonymous collection of patient responses in an outpatient psychiatry centre with two teams providing service.

Considering HIPAA/DPA requirements I would think it would be best to err on the side of caution and not have any patient identifiable information there. I would go for the following setup:

*** Hardware:
1) XAMPP server without a LAN connection (much less opportunity for remote hacking)
2) computer physically secured - as much as reasonable (no easy access + cable-locked)
3) HDD is encrypted (probably just home directory)

*** Software:
1) Patients have their unique PINs - at first they only see a screen with request to enter their PIN in kiosk mode browser
2) PIN lets computer know which service survey to present to the user
3) Patient does a quick survey with 3 mandatory slider type questions AND has an option to enter free text in the box below
4) The idea here is to let people respond in as easy and hassle-free way as possible

*** Data analysis - cyclical:
1) Once a week I connect to the computer with my laptop via ethernet crossover cable
2) I log into the admin interface and download data in R format from web admin interface
3) On my laptop I run a weekly report analysis script on the data in R
4) Analysis script is done in such a way as to provide printable graphs for the whole period and printable text responses for the last week. These are used to provide feedback to the teams and the patients.

### Question:
What I am most thinking about at this stage is - how to connect the PIN and the survey. I do not think that LimeSurvey would support such a PIN kind of authentication. I think that probably I need to set up a website (maybe a static one) which compares the PIN entered to the list it has and then displays the survey page. I am wondering also if the PIN might be passed to LimeSurvey and used as a token? How to best do it is a bit unclear to me at this stage. Effectively I want the same people (patients) to use the same survey to track their response change over time (typically over 2 years).

I thought that alternatively I might set up a two-page survey where the first page just asks for the PIN and the next page is the rest of the survey. However I am not sure how I would error-check the PIN entry; the only way I imagine would be perhaps if the first page PIN entry was a conditional question, but this sounds a bit awkward, especially if numbers got high. The max population expected over 2 year window would perhaps be about 300.

Your thoughts would be very much appreciated

Rob

r0berts
7 years 7 months ago #140789 by holch
Replied by holch on topic LimeSurvey and HIPAA compliance
What is the difference between a token and the PIN you are suggesting?

You could increase the number of "uses" by increasing "uses left" of the token. This means someone with this specific token could fill in the survey as many times as you give them "uses" for this token.

The following user(s) said Thank You: r0bis
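
Added example, not part of any post in this thread and not LimeSurvey code: a sketch of the "PIN as token" idea discussed above, which generates one random token per patient and compares how likely a blind guess at the entry screen is to match someone's valid code for a short numeric PIN versus a longer token. The population of 300 comes from the thread; the token length, the 24 uses and the CSV column names `token` and `usesleft` are assumptions to check against your LimeSurvey version's participant import.

```python
import csv
import io
import secrets

# Alphabet without look-alike characters (0/O, 1/I/L) so codes are easy to type on a tablet.
ALPHABET = "23456789ABCDEFGHJKMNPQRSTUVWXYZ"


def generate_tokens(count, length):
    """Return `count` unique tokens of `length` characters drawn from a CSPRNG."""
    if count > len(ALPHABET) ** length:
        raise ValueError("token space is smaller than the population")
    tokens = set()
    while len(tokens) < count:
        tokens.add("".join(secrets.choice(ALPHABET) for _ in range(length)))
    return sorted(tokens)


def guess_hit_probability(valid_count, alphabet_size, length):
    """Chance that one random guess matches any patient's valid code."""
    return valid_count / alphabet_size ** length


def participants_csv(tokens, uses_left):
    """One row per token; column names are assumed, not taken from the thread."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["token", "usesleft"])
    for token in tokens:
        writer.writerow([token, uses_left])
    return buf.getvalue()


if __name__ == "__main__":
    population = 300  # figure from the thread
    # A 4-digit numeric PIN leaves 3 in 100 random guesses landing on a real patient.
    print("4-digit PIN :", guess_hit_probability(population, 10, 4))
    # An 8-character token from the 31-symbol alphabet makes a blind hit negligible.
    print("8-char token:", guess_hit_probability(population, len(ALPHABET), 8))
    # 24 uses per token is a constructed value (e.g. monthly over two years).
    print(participants_csv(generate_tokens(population, 8), 24)[:60])
```

Because the token is the only thing linking repeat responses to a patient, the list mapping tokens to people should be kept off the survey machine if the responses are meant to stay unidentifiable there.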