Qualtrics Research Suite is a generalized survey service permitting the creation and distribution of surveys, as well as data storage and analysis. Use of the service is free to all University of Michigan units.
Qualtrics is a secure U-M contracted-for cloud service that can be used to maintain or share the university's sensitive unregulated data, as well as some kinds of sensitive regulated data.
U-M's agreement with Qualtrics includes a Business Associate Agreement. This means individuals may use this service to maintain Protected Health Information (PHI) regulated by HIPAA. Complying with HIPAA's requirements is a shared responsibility. Users sharing and storing PHI in Qualtrics are responsible for complying with HIPAA safeguards, including:
- Using and disclosing only the minimum necessary PHI for the intended purpose.
- Obtaining all required authorizations for using and disclosing PHI.
- Ensuring that PHI is seen only by those who are authorized to see it.
- Obtaining all necessary data-sharing agreements and Business Associate Agreements for using and disclosing PHI.
- Following any additional steps required by your unit to comply with HIPAA.
Sensitive data, including PHI, may be collected and stored in Qualtrics for non-clinical purposes only (for example, research and hospital quality improvement initiatives). Qualtrics should not be used for any clinical application that delivers, documents, or otherwise contributes to the care of individual patients.
Social Security numbers should only be used where required by law or where they are essential for university business processes. If you must use SSNs, it is preferred that you use institutional resources designed to house this data, such as the Data Warehouse. Information Assurance (IA) can help you explore appropriate storage locations or work with you to appropriately encrypt the data if those alternatives will not work for you. (Contact IA via the ITS Service Center.)
Qualtrics should not be used to maintain or share Export Controlled Research, as Qualtrics cannot ensure that only U.S. persons have access to or maintain its systems.