Welcome to the LimeSurvey Community Forum
LimeSurvey and HIPAA compliance
- jboogie21
8 years 10 months ago #120015
by jboogie21
Replied by jboogie21 on topic LimeSurvey and HIPAA compliance
I think brainpsych might have already found his/her solution, but I thought I'd add my two cents for the discussion re:Limesurvey & HIPAA.
Based on my understanding (by no means am I an expert!!), to be HIPAA compliant the data must be secured/encrypted. That is the "easy" part especially when dealing with local data/PHI (Protected Health Information). However, most people are connected to the internet, and SaaS providers are becoming increasingly popular. Using SaaS providers increases risks. This increased risk is related to the transmission of PHI across servers that a service provider like brainpsych (assuming he/she is a health care provider of some sort) has no control over. Reputable SaaS providers will offer a Business Associates Agreement (BAA) which makes them liable for any security breaches. Basically, a BAA typically states that the SaaS provider will make sure PHI is safe/secure AND will inform the end user of any breaches. So in sum, to be HIPAA compliant PHI needs to be secured, and when using the internet there needs to be an audit trail should anything go awry.
So to circle back to brainpsych's original question, something else to consider is the type of information he/she is soliciting. If it is unidentifiable data, a SaaS provider like limeservice.com might be an option.
The following user(s) said Thank You: Ben_V
The topic has been locked.
- Ben_V
8 years 10 months ago - 8 years 10 months ago #120020
by Ben_V
Replied by Ben_V on topic LimeSurvey and HIPAA compliance
jelo wrote: Search and watch out for "kiosk mode" which describes a mode where everything is locked to a certain application so that the tablet or pc cannot be misused
For mac users I recommend Icab a very great and stable browser allowing kiosk mode...
There is also a similar IOS app (I've never tested)
Benoît
EM Variables => bit.ly/1TKQyNu | EM Roadmap => bit.ly/1UTrOB4
Last Releases => 2.6x.x goo.gl/ztWfIV | 2.06/2.6.x => bit.ly/1Qv44A1
Demo Surveys => goo.gl/HuR6Xe (already included in /docs/demosurveys)
Last edit: 8 years 10 months ago by Ben_V.
- brainpsych
- Topic Author
8 years 10 months ago #120025
by brainpsych
Replied by brainpsych on topic LimeSurvey and HIPAA compliance
Hey,
Thank you all very much for your thoughts. Often times software that has all support done via forums can be a frustration for new users, but I have been very pleasantly surprised by this community.
Yours,
Colin
- Ben_V
8 years 9 months ago #121304
by Ben_V
Replied by Ben_V on topic LimeSurvey and HIPAA compliance
Just discovered:
Plugin for limesurvey that enables asymmetric response encryption.
Benoît
EM Variables => bit.ly/1TKQyNu | EM Roadmap => bit.ly/1UTrOB4
Last Releases => 2.6x.x goo.gl/ztWfIV | 2.06/2.6.x => bit.ly/1Qv44A1
Demo Surveys => goo.gl/HuR6Xe (already included in /docs/demosurveys)
- Mazi
7 years 10 months ago #135897
by Mazi
Replied by Mazi on topic LimeSurvey and HIPAA compliance
Ben_V wrote:
jelo wrote: Search and watch out for "kiosk mode" which describes a mode where everything is locked to a certain application so that the tablet or pc cannot be misused
For mac users I recommend Icab a very great and stable browser allowing kiosk mode...
You can now use the new Limesurvey Android app "OfflineSurveys" to run any Limesurvey survey in kiosk mode at any Android device, see www.offlinesurveys.com
Best regards/Beste Grüße,
Dr. Marcel Minke
Need Help? We offer professional Limesurvey support: survey-consulting.com
Contact: marcel.minke(at)survey-consulting.com
- r0bis
7 years 7 months ago #140787
by r0bis
Replied by r0bis on topic LimeSurvey and HIPAA compliance
Hi there, this is a great thread for me.
I am also just a doctor looking into anonymous collection of patient responses in an outpatient psychiatry centre with two teams providing service.
Considering HIPAA/DPA requirements I would think it would be best to err on the side of caution and not have any patient identifiable information there. I would go for the following setup:
*** Hardware:
1) XAMPP server without a LAN connection (much less opportunity for remote hacking)
2) computer physically secured - as much as reasonable (no easy access + cable-locked)
3) HDD is encrypted (probably just home directory)
*** Software:
1) Patients have their unique PINs - at first they only see a screen with request to enter their PIN in kiosk mode browser
2) PIN lets computer know which service survey to present to the user
3) Patient does a quick survey with 3 mandatory slider type questions AND has an option to enter free text in the box below
4) The idea here is to let people respond in as easy and hassle-free way as possible
*** Data analysis - cyclical:
1) Once a week I connect to the computer with my laptop via ethernet crossover cable
2) I log into the admin interface and download data in R format from web admin interface
3) On my laptop I run a weekly report analysis script on the data in R
4) Analysis script is done in such a way as to provide printable graphs for the whole period and printable text responses for the last week. These are used to provide feedback to the teams and the patients.
### Question:
What I am most thinking about at this stage is - how to connect the PIN and the survey. I do not think that Limesurvey would support such a PIN kind of authentication. I think that probably I need to set up a website (maybe a static one) which compares the PIN entered to the list it has and then displays the survey page. I am wondering also if the PIN might be passed to Limesurvey and used as a token? How to best do it is a bit unclear to me at this stage. Effectively I want the same people (patients) use the same survey to track their response change over time (typically over 2 years).
I thought that alternatively I might set up a two-page survey where the first page just asks for the PIN and the next page is the rest of the survey. However I am not sure how I would error-check the PIN entry; the only way I imagine would be perhaps if the first page PIN entry was a conditional question, but this sounds a bit awkward, especially if numbers got high. The max population expected over 2 year window would perhaps be about 300.
Your thoughts would be very much appreciated
Rob
r0berts
- holch
7 years 7 months ago #140789
by holch
Replied by holch on topic LimeSurvey and HIPAA compliance
What is the difference between a token and the PIN you are suggesting?
You could increase the number of "uses" by increasing "uses left" of the token. This means someone with this specific token could fill in the survey as many times as you give them "uses" for this token.
I answer at the LimeSurvey forum in my spare time, I'm not a LimeSurvey GmbH employee.
No support via private message.
The following user(s) said Thank You: r0bis
- jboogie21
7 years 7 months ago #140791
by jboogie21
Replied by jboogie21 on topic LimeSurvey and HIPAA compliance
From my understanding I think r0bis is saying PIN which translated into Lime terminology is token.
I have several follow up questions:
When you say anonymous, do you mean anonymous or confidential? If you mean anonymous, Lime does a great job with that so much so that tracking responses over time is near impossible. The fact that you mention tracking, I'm going to assume you want to know who said what and thus want responses to be confidential.
What type of info do you want to track? From my experience tracking change over time is a little tricky and requires some planning. In an overly simple nutshell and assuming you are administering this in your doctor's office, I would:
- use the Lime token system
- upon check in give patient a token
- enter token to complete the survey (you can reduce the string to something more manageable than the default of 15)
- at some point move the data to a separate DB to track change and run analyses
PM me if you want more details on how we use Lime in a health care environment.
The following user(s) said Thank You: r0bis
- r0bis
7 years 6 months ago #140987
by r0bis
Replied by r0bis on topic LimeSurvey and HIPAA compliance
Thank you both for clarifying things for me. I think token is the way to go then, because I could have it to be at manageable length (say 4 or 5 symbols). I suppose it should be possible for me to implement a simple survey box so that:
- Screen always is at survey start page as I set up that page to be the HTTP server index page
- I set up the survey page to also be the exit page from survey (after pressing 'Submit'), so after one submit the system is ready for the next submission.
- I suppose I can customise the start page freely through templates so that it looks the way I want it to look.
- to facilitate one entry per week I could use a weekly cron job to reset 'uses left' in mysql database every weekend, that might be an alternative to setting 1000 uses left right from the start.
If not - would it be possible for me to modify survey mechanism so that date is recorded, but not the time. Or possibly I could use a hidden survey field filled with Expression Manager where I could record
Code:
date('d-m-Y')
via php function?
r0berts
- Mazi
7 years 6 months ago #141007
by Mazi
Replied by Mazi on topic LimeSurvey and HIPAA compliance
As for your date question: If you set your survey to be anonymous, then there will be no real date stamp stored at the survey details to keep anonymity. Instead a fake date (1980-01-01 00:00:00 if I remember correctly) is stored.
You can work around that by creating a question of type equation and adding the following as question text:
{date("Y-m-d")}.
You can also set the question to be hidden at advanced question settings -> always hide this question.
This will save the current date at a (hidden) question together with the results.
Best regards/Beste Grüße,
Dr. Marcel Minke
Need Help? We offer professional Limesurvey support: survey-consulting.com
Contact: marcel.minke(at)survey-consulting.com
- jboogie21
7 years 6 months ago #141028
by jboogie21
Replied by jboogie21 on topic LimeSurvey and HIPAA compliance
Mazi's example is a workaround. I would just put a word of caution out there that given the right scenario a hidden date stamp could turn the survey from anonymous to confidential. Just a thought.
- r0bis
7 years 5 months ago - 7 years 5 months ago #142033
by r0bis
Replied by r0bis on topic LimeSurvey and HIPAA compliance
Yes, I agree, this is important. On the one hand I want people to know that this is going to be anonymous - so that we can get as honest feedback as possible. On the other hand grouping by dates and following developments in such a way is important to us. Another consideration I suppose is in context of a place where a given number of people come in every week; there always could be some way how a dedicated person theoretically could correlate new records in the database with people visiting that day. In this way it is a bit different to a survey on internet scenario. Hence I would think that what is nearly equally important here is policy. We need to think exactly how we would treat the data and then explain it clearly and stick to it.
r0berts
Last edit: 7 years 5 months ago by r0bis. Reason: spelling correction
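Added example (not part of the thread or of LimeSurvey): a check for the re-identification concern raised in the last posts, where a stored date can be matched against who visited that day. It counts responses per value of the hidden date question and reports the most precise date granularity at which every group still holds at least k responses; the threshold k, the function names and the sample dates are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample: one value per response, in the format the hidden
# equation question {date("Y-m-d")} would store. Not data from the thread.
SAMPLE_DATES = [
    "2016-03-07", "2016-03-07", "2016-03-07",
    "2016-03-08",
    "2016-03-10", "2016-03-10",
    "2016-03-14",
    "2016-03-15", "2016-03-15",
    "2016-03-17",
]


def by_day(stamp):
    return stamp


def by_week(stamp):
    # ISO week label, e.g. "2016-W10"
    year, week, _ = date.fromisoformat(stamp).isocalendar()
    return f"{year}-W{week:02d}"


def by_month(stamp):
    return stamp[:7]


# Ordered from most to least precise.
GRANULARITIES = [("day", by_day), ("week", by_week), ("month", by_month)]


def small_groups(stamps, k, bucket=by_day):
    """Return {bucket: count} for every bucket with fewer than k responses.

    A bucket with very few responses is one where a record can be linked
    to the handful of people who attended in that period.
    """
    counts = Counter(bucket(s) for s in stamps)
    return {key: n for key, n in sorted(counts.items()) if n < k}


def finest_safe_granularity(stamps, k):
    """Most precise granularity at which no bucket falls below k, else None."""
    if not stamps:
        return None
    for name, bucket in GRANULARITIES:
        if not small_groups(stamps, k, bucket):
            return name
    return None


if __name__ == "__main__":
    K = 3  # hypothetical minimum group size; set by local policy
    print("days below k:", small_groups(SAMPLE_DATES, K))
    print("store dates per:", finest_safe_granularity(SAMPLE_DATES, K))
```

Running the check on exported data before each report shows whether the stored date needs to be coarsened (for example to a week label) for the survey to stay anonymous in practice.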