HIPAA and human insight


As our access to physical and mental health solutions continues to broaden through technology, so do the experiences in which those solutions are offered. For organizations creating those experiences, testing may seem like a huge hurdle once patient and consumer data privacy is taken into consideration.

This makes getting real human perspectives on those experiences even more important, and the risk of not testing them could have life-changing implications for patients and consumers.

This guide provides key tips and starting points for gathering feedback on experiences for any organization that needs to be HIPAA compliant. After reading this guide, you'll understand what you can test, how to test it, and get some real-world examples of how UserTesting customers are currently leveraging the platform to improve patient and consumer experiences while remaining HIPAA compliant.

Why empathy is critical for health-related organizations

UserTesting HIPAA and human insight guide

It’s well established that empathy is important for any organization. For many organizations, there’s a gap between what businesses think they know or understand about their customers and how well customers feel they’re understood by those same organizations. At UserTesting, we call this the empathy gap, and it can happen anywhere: in nonprofit organizations, government agencies, small startups, Fortune 500 companies, and yes, even health-related organizations.

Working to reduce the empathy gap in any organization has massive benefits—improved customer loyalty and more confident go-to-market strategies, just to name a few. But with health organizations, the ramifications of improving—or ignoring—the experiences of patients and consumers can have life-changing implications.

An app that helps a patient with a chronic condition keep up with their medication schedule, for example, could have dire consequences if it doesn’t work as intended or if patients don’t understand how to use it effectively.

As the world continues to move to more digital and on-demand experiences, it’s no surprise that human health solutions and technologies are on the rise. Yet, unlike most consumer or B2B experiences, healthcare and wellness experiences have the added layers of security, privacy, and regulations to consider.

Many organizations must follow strict guidelines when handling patient and customer data, which can pose challenges when teams want to get feedback on the experiences they create that may include this information. In this guide, we'll dig into the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that applies to organizations working with US patient information, and how teams can gather valuable customer and patient insights that comply with HIPAA guidelines.


Understanding HIPAA and personally identifiable information (PII)


Before strategizing how to test human health experiences, it's important to understand the purpose of HIPAA, and what information customers or patients may provide that needs to be protected.

What is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act of 1996. It’s a US federal law that requires the creation of national standards to protect sensitive patient health information from being exposed or disclosed without the awareness or consent of the patient. Entities covered under HIPAA are typically healthcare providers, healthcare clearinghouses (e.g., billing services and community health information systems), and health insurance companies.

Although HIPAA is a US law, if your organization works with US patients, you’ll need to follow HIPAA guidelines for collecting insights.

Please consult with your internal legal counsel and/or security teams to ensure that you have a solid understanding of your organizational best practices.

What is PII?

Personally Identifiable Information (or “PII”) is data that could be used to identify or contact a specific living person.

Protecting the personal information of contributors is critical when gathering insights through testing. There are several different types of personal information that might be revealed during testing, which are described below:

Prohibited PII

Prohibited PII is information you should never ask for or reveal when gathering feedback. If any of this information is accidentally revealed by your test participants, you’ll need to take extra steps to omit or obscure that information before sharing your findings with anyone else. Avoid gathering any information that could be used to commit fraudulent acts, such as genetic information, biometric data (like fingerprints), Social Security numbers, or credit card numbers.

Examples of prohibited PII include (but aren’t limited to) the following:

  • Credit card numbers or credit card purchases
  • Personal financial account numbers
  • Passport numbers
  • Car loan numbers
  • Driver’s license numbers
  • Social Security numbers
  • Account passwords
  • Specific genetic information
  • Biometric identifiers (e.g., fingerprints, voice prints, iris, and retina scans)
  • Health plan account or beneficiary numbers

Sensitive PII

There are two types of PII you can test with. With prior consent from contributors, you can test experiences that may include the following information:

  • Sensitive PII
    • Race or ethnicity
    • Political or religious beliefs
    • Criminal convictions
  • Protected health information (PHI) (may require additional legal agreements)
    • Health diagnoses
    • Hospital names
    • Doctor names
    • Medical information or history

Next: Now that you have an understanding of HIPAA and the types of information you may encounter when testing human health experiences, let's dive into how to recruit the right participants for your testing.

How to recruit participants to test with PII

Understandably, testing experiences that may contain PII requires additional guardrails and strategies to protect participants' privacy. Fortunately, with consent and planning—and consultation with your organization's legal team—it's possible to test with sensitive PII.

Using screener questions to gain consent

Once you've established that your team is set up to test with sensitive PII, the next step is gaining consent from the people you'd like to test with. If you're using an insights platform, you should have the ability to pre-screen participants based on a set of requirements your team establishes for each test. At UserTesting, we call these screener questions, and they enable you to screen for participants based on demographic information, like age or income, as well as enabling participants to opt-in and consent to use potentially sensitive PII.

Here's an example of what a screener might look like for a test that will include sensitive PII:

Screener question 

This test includes questions that will ask about your experiences related to technology usage and your physical or mental status. Some people might find it uncomfortable to talk about this topic or answer questions about it. You will not be penalized for opting out of this test. Please confirm that you are interested in continuing this screener and potentially completing the test, if selected.

Participant answer choices

  • I prefer not to answer [participants who chose this would not be allowed to take the test]
  • Yes, I would like to continue and potentially qualify for this test [participants who chose this would be allowed to take the test]
  • No, I would like to stop here and not complete this screener and test [participants who chose this would not be allowed to take the test]

Once you've gained consent, you can narrow down your participant group by screening for specific health conditions, if applicable.

Best practice: Remember to always provide participants with the option to opt out with each screener by offering an option such as, "I prefer not to answer." This ensures participants can exit at any point they don't feel comfortable—before the test begins. It also provides participants with a preview of the type of information they'll be asked so it won't come as a surprise when they begin the test.

Using red herring answers in screener questions

Another way to ensure you're recruiting the right participants is to include false answers as options in screener questions, so you can confirm that participants are legitimately qualified to take the test. Examples include fictitious names of conditions, brands, or types of technology used.

Adding this additional level of screening will help further ensure your participants are the best qualified to provide their insights.

Next: Once you've recruited your participants, it's time to test! Keep reading to discover what kinds of health and wellness experiences you can test.

Health experiences you can test


Once you've obtained guidance from your legal team and recruited participants who have opted in to share PII, there's a lot you can test to understand human health experiences better.

If you need inspiration, here's a sampling of some of the experiences you can test:

  • Telemedicine experiences
  • Chronic condition management
  • New patient intake
  • Your competitors
  • Message validation
  • Multichannel journeys

Now that you know what you want to test, how do you do it? Fortunately, testing with PII, once you've obtained consent and legal approval, is very similar to how you'd approach testing any other experience. Depending on what you'd like to learn, you can use a variety of methodologies to gather insights, including:

  • Concept testing: Test concepts before investing time and resources in development
  • Live experiences: Understand how patients currently interact with live experiences, both digitally and in-person
  • Real-world testing: Observe patients in a natural setting to gain a holistic view of their needs and behaviors
  • Survey validation: Test surveys prior to launching to a wider group to ensure they capture the information you need

Next: If you need a little inspiration, check out the next section for use cases from some of UserTesting's health and wellness customers.

Insights in action: 3 use cases


As human health organizations transform to more digital-based experiences to meet current patient and consumer needs, the importance of creating great experiences has skyrocketed. With only 57% of the global population trusting pharmaceutical companies, for example, health-focused organizations have a unique opportunity to leverage human insight to create experiences that meet the health needs of patients and drive business success.

For more inspiration, check out these UserTesting customers that rely on patient and consumer feedback to meet the health and wellness needs of a modern population.

  • Cedar: Learn how Cedar humanizes healthcare through human insight and understanding the challenges patients face.
  • Eargo: Learn how Eargo makes its customers feel heard—and hear better—through regular customer feedback.
  • Total Brain: Discover how Total Brain uses customer empathy to make mental health and fitness accessible to everyone.