HIPAA and human insight

Before strategizing how to test human health experiences, it's important to understand the purpose of HIPAA, and what information customers or patients may provide that needs to be protected.

What is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act of 1996. It’s a US federal law that requires the creation of national standards to protect sensitive patient health information from being exposed or disclosed without the awareness or consent of the patient. Entities covered under HIPAA are typically health care providers, healthcare clearinghouses (e.g., billing services and community health information systems), and health insurance companies. 

Although HIPAA is a US law, if your organization works with US patients, you’ll need to follow HIPAA guidelines for collecting insights.

Please consult with your internal legal counsel and/or security teams to ensure that you have a solid understanding of your organizational best practices.

What is PII?

Personally Identifiable Information (or “PII”) is data that could be used to determine the actual identity, and contact, of a specific living person.

Protecting the personal information of contributors is critical when gathering insights through testing. There are several different types of personal information that might be revealed during testing, which are described below:

Prohibited PII

Prohibited PII is information you should never ask for, or reveal when gathering feedback. If any of this information is accidentally revealed by your test participants, you’ll need to take extra steps to omit/obscure that information before sharing your findings with anyone else. Avoid gathering any information that could be used to commit fraudulent acts, such as genetic information, biometric data (like fingerprints), social security numbers, or credit card numbers.

Examples of prohibited PII include (but aren’t limited to) the following:

• Credit card numbers or credit card purchases
• Personal financial account numbers
• Passport numbers
• Car loan numbers
• Drivers license numbers
• Social Security numbers
• Account passwords
• Specific genetic information
• Biometric identifiers (e.g., fingerprints, voice prints, iris, and retina scans)
• Health plan account or beneficiary numbers

Sensitive PII

There are two types of PII you can test with—with prior consent from contributors, you can test experiences that may include the following information:

• Sensitive PII
  • Race or ethnicity
  • Political or religious beliefs
  • Criminal convictions
• Protected health information (PHI) (may require additional legal agreements)
  • Health diagnoses
  • Hospital names
  • Doctor names
  • Medical information or history

Next: Now that you have an understanding of HIPAA and the types of information you may encounter when testing human health experiences, let's dive into how to recruit the right participants for your testing.

Understandably, testing experiences that may contain PII requires additional guardrails and strategies to protect participants' privacy. Fortunately, with consent and planning—and consultation with your organization's legal team—it's possible to test with sensitive PII.

Using screener questions to gain consent

Once you've established that your team is set up to test with sensitive PII, the next step is gaining consent from the people you'd like to test with. If you're using an insights platform, you should have the ability to pre-screen participants based on a set of requirements your team establishes for each test. At UserTesting, we call these screener questions, and they enable you to screen for participants based on demographic information, like age or income, as well as enabling participants to opt-in and consent to use potentially sensitive PII.

Here's an example of what a screener might look like for a test that will include sensitive PII:

Screener question 

This test includes questions that will ask about your experiences related to technology usage and your physical or mental status. Some people might find it uncomfortable to talk about this topic or answer questions about it. You will not be penalized for opting out of this test. Please confirm that you are interested in continuing this screener and potentially completing the test, if selected.

Participant answer choices

•  I prefer not to answer [participants who chose this would not be allowed to take the test]
• Yes, I would like to continue and potentially qualify for this test [participants who chose this would be allowed to take the test]
• No, I would like to stop here and not complete this screener and test [participants who chose this would not be allowed to take the test]

Once you've gained consent, you can narrow down your participant group by screening for specific health conditions, if applicable.

Best practice: Remember to always provide participants with the option to opt out with each screener by offering an option such as, "I prefer not to answer." This ensures participants can exit at any point they don't feel comfortable—before the test begins. It also provides participants with a preview of the type of information they'll be asked so it won't come as a surprise when they begin the test.

Using red herring answers in screener questions

Another way to ensure you're recruiting the right participants is to include false answers as options in screener questions to ensure participants are legitimately qualified to take the test. Examples of this could be including fictitious names of conditions, brands, or types of technology used. 

Adding this additional level of screening will help further ensure your participants are the best qualified to provide their insights.

Next: Once you've recruited your participants, it's time to test! Keep reading to discover what kinds of health and wellness experiences you can test.

Once you've obtained guidance from your legal team and recruited participants who have opted in to share PII, there's a lot you can test to understand human health experiences better.

If you need inspiration, here's a sampling of some of the experiences you can test:

• Telemedicine experiences
• Chronic condition management
• New patient intake
• Your competitors
• Message validation
• Multichannel journeys

Now that you know what you want to test, how do you do it? Fortunately, testing with PII, once you've obtained consent and legal approval, is very similar to how you'd approach testing any other experience. Depending on what you'd like to learn, you can use a variety of methodologies to gather insights, including:

As human health organizations transform to more digital-based experiences to meet current patient and consumer needs, the importance of creating great experiences has skyrocketed. With only 57% of the global population trusting pharmaceutical companies, for example, health-focused organizations have a unique opportunity to leverage human insight to create experiences that meet the health needs of patients and drive business success.

For more inspiration, check out these UserTesting customers that rely on patient and consumer feedback to meet the health and wellness needs of a modern population.