HIPAA-compliant user research methods: a complete guide for product and UX teams
How to conduct HIPAA-compliant user research for healthcare, mental health, and pharma products. Covers when HIPAA applies, compliance checklist, BAA requirements, de-identification rules, HIPAA-compliant tools, and method-by-method compliance guidance.
How do you conduct HIPAA-compliant user research?
You conduct HIPAA-compliant user research by following four requirements throughout the entire research lifecycle: (1) determine whether your research involves protected health information (PHI) and whether HIPAA applies, (2) sign Business Associate Agreements (BAAs) with every tool and vendor that touches participant data, (3) use de-identified or synthetic data in prototypes and test scenarios instead of real patient records, and (4) implement administrative, technical, and physical safeguards that protect participant health information from unauthorized access.
HIPAA does not prohibit user research. It establishes the conditions under which research involving health information can be conducted safely and legally. Most UX research for healthcare products can be conducted within HIPAA requirements with proper planning. The key is knowing when HIPAA applies, what it requires, and how to adapt your research process accordingly.
This guide provides the compliance checklist, tool requirements, and method-by-method guidance that product and UX teams need to conduct user research for healthcare, mental health, pharma, and health tech products without violating federal law.
For trauma-informed research methods applicable to mental health and healthcare research, see our trauma-informed research guide. For mental health app research specifically (crisis protocols, therapeutic feature testing), see our mental health app research guide.
Frequently asked questions
When does HIPAA apply to user research?
HIPAA applies when your research involves protected health information (PHI) from or about individuals, AND your organization is a covered entity (healthcare provider, health plan, healthcare clearinghouse) or a business associate of one. PHI includes any individually identifiable health information: diagnosis, treatment records, prescription data, lab results, therapy notes, insurance claims, and any data that connects health information to an individual’s identity. If your research uses only de-identified data, synthetic data, or general wellness information not connected to a covered entity, HIPAA may not apply directly, but following HIPAA standards is still best practice.
What is PHI in the context of user research?
PHI is any health information that can identify an individual. In user research, PHI includes: participant health conditions disclosed during screening or sessions, medical records or health data shown during usability testing, therapy or treatment information shared during interviews, prescription or medication information, insurance or billing details, and any combination of health information with the 18 HIPAA identifiers (name, date of birth, address, phone number, email, SSN, medical record numbers, etc.). Even seemingly innocuous data becomes PHI when combined: “a 34-year-old woman in Austin being treated for depression” is identifiable even without a name.
What is a Business Associate Agreement (BAA)?
A BAA is a contract between a HIPAA-covered entity (or business associate) and a vendor that will access, process, store, or transmit PHI on their behalf. For user research, you need BAAs with every tool in your research workflow that touches participant data: video conferencing platforms, transcription services, survey tools, analysis platforms, cloud storage, and recruitment panels. Without a BAA, using a tool with PHI is a HIPAA violation regardless of how secure the tool claims to be.
Do you need IRB approval for HIPAA-compliant user research?
Not always, but the two requirements are separate. HIPAA governs how PHI is handled. IRB governs the ethics of human subjects research. Commercial UX research that does not involve formal hypothesis testing, vulnerable populations, or academic publication may not require IRB review, but it still requires HIPAA compliance if PHI is involved. If you are researching with patients, people with mental health conditions, or clinical populations, IRB review is strongly recommended even when not legally required.
Can you use real patient data in usability testing?
No. Use synthetic or mock data in all prototypes and test scenarios. Real patient records, even de-identified ones, carry residual re-identification risk and create unnecessary HIPAA exposure. Build realistic synthetic data that mirrors the structure, complexity, and volume of real clinical data without containing actual patient information. Participants interact with the interface, not with real patients’ health information.
What happens if there is a HIPAA breach during research?
A HIPAA breach during research triggers the same notification requirements as any other breach. You must: (1) investigate the breach within 60 days, (2) notify affected individuals “without unreasonable delay” and no later than 60 days after discovery, (3) notify HHS through the breach portal, and (4) if the breach affects 500+ individuals, notify prominent media outlets in the affected state. For user research, the most common breach risk is accidental PHI exposure during a screen share or recording. Prevention (mock data, pre-session protocols, recording review) is vastly preferable to remediation.
HIPAA compliance checklist for user research
Use this checklist before, during, and after every research study that may involve PHI.
Pre-study checklist
- PHI assessment. Determine whether the study will involve PHI at any stage (screening, sessions, analysis, reporting)
- BAAs signed. Every tool in the research workflow has a signed BAA: video platform, transcription service, survey tool, analysis platform, cloud storage, recruitment service
- Risk assessment completed. Document potential PHI exposure risks and mitigation strategies for each research activity
- Consent forms drafted. HIPAA-compliant authorization forms that detail: what PHI will be collected, how it will be used, who will access it, how long it will be retained, and the participant’s right to revoke authorization
- Minimum necessary standard applied. Collect only the PHI essential for the research purpose. If you do not need diagnosis information, do not ask for it
- De-identification plan. Document how PHI will be de-identified before analysis and reporting (safe harbor method: remove 18 identifiers, or expert determination method)
- Mock/synthetic data prepared. All prototypes, test scenarios, and demo environments use synthetic data, not real patient records
- Research team trained. Every researcher has completed HIPAA training and understands PHI handling procedures
- Privacy officer identified. A designated individual is responsible for HIPAA compliance throughout the study
- Breach response plan documented. Written procedure for identifying, containing, investigating, and reporting a PHI breach
During-study checklist
- Consent obtained. HIPAA authorization signed before any PHI is collected or discussed
- Recording consent confirmed. Participant has explicitly agreed to audio/video recording, understanding that recordings may contain PHI
- Pre-session PHI briefing. Remind participants: “Please avoid sharing real patient names, medical record numbers, or other identifying health information during the session”
- Screen share protocol active. If participants share their screen, researcher watches for accidental PHI exposure and instructs participant to close sensitive windows
- Encrypted session. Video/audio session uses end-to-end encryption on a BAA-covered platform
- Access limited. Only authorized researchers can view or access session recordings and notes
- Incident logging. Any accidental PHI exposure is documented immediately with timestamp and description
Post-study checklist
- Recordings reviewed. Check recordings for accidental PHI before storing or sharing
- PHI redacted. Remove or redact any PHI from transcripts, notes, and recordings before analysis
- Data de-identified. Apply de-identification per your documented plan before any findings leave the research team
- Findings anonymized. No individual participant can be identified in any report, presentation, or deliverable
- Audit trail documented. Log who accessed what data, when, and for what purpose
- Retention schedule applied. Data retained only as long as necessary, then securely destroyed per documented schedule
- Retention documentation. Maintain audit trails and consent records for a minimum of 6 years per HIPAA requirements
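The audit-trail and retention items above are easier to enforce when they are mechanical rather than remembered. The following Python is an added illustration, not code from the original guide: a hash-chained access log (each entry commits to the previous entry's hash, so an edited or deleted entry is detectable) plus a retention planner that applies the 6-year documentation rule (45 CFR 164.316(b)(2): six years from creation or from the date last in effect, whichever is later) to consent forms, authorizations, BAAs and audit trails, and a study-specific period to research data. The 90-day period for recordings, transcripts and notes is an assumption standing in for whatever the consent form promised.

```python
import hashlib
import json
from datetime import date, datetime, timedelta, timezone

GENESIS = "0" * 64  # hash "of the entry before the first one"


def _digest(body):
    # Canonical JSON so the same fields always hash the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AccessLog:
    """Append-only access trail: who touched which artifact, when, and why.
    Every entry includes the previous entry's hash, so verify() detects
    tampering with or removal of earlier entries."""

    def __init__(self):
        self.entries = []

    def record(self, who, artifact, action, purpose, when=None):
        when = when or datetime.now(timezone.utc)
        body = {
            "who": who, "artifact": artifact, "action": action, "purpose": purpose,
            "when": when.isoformat(),
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def accesses_to(self, artifact):
        return [e for e in self.entries if e["artifact"] == artifact]


# Assumption: study-specific retention promised in the consent form.
STUDY_PERIODS = {
    "recording": timedelta(days=90),
    "transcript": timedelta(days=90),
    "notes": timedelta(days=90),
}
# Documentation HIPAA requires to be kept for six years.
DOCUMENTATION = {"consent_form", "hipaa_authorization", "baa", "audit_trail"}


def _plus_six_years(d):
    try:
        return d.replace(year=d.year + 6)
    except ValueError:  # 29 February landing in a non-leap year
        return d.replace(year=d.year + 6, day=28)


def destruction_date(kind, study_end, last_in_effect=None):
    """Earliest date on which an artifact of this kind may be securely destroyed."""
    if kind in DOCUMENTATION:
        # Six years from creation (taken as study end) or from the date it was
        # last in effect (e.g. a BAA's termination), whichever is later.
        return _plus_six_years(max(study_end, last_in_effect or study_end))
    return study_end + STUDY_PERIODS[kind]


def destruction_plan(artifacts, study_end, today):
    """artifacts: (artifact_id, kind[, last_in_effect]) tuples.
    Returns (due, keep): what is due for secure destruction on `today`
    and what must still be retained, each as (artifact_id, date)."""
    due, keep = [], []
    for item in artifacts:
        art_id, kind = item[0], item[1]
        last = item[2] if len(item) > 2 else None
        when = destruction_date(kind, study_end, last)
        (due if when <= today else keep).append((art_id, when))
    return due, keep


if __name__ == "__main__":
    log = AccessLog()
    log.record("researcher_a", "rec-001", "view", "affinity mapping")
    log.record("researcher_b", "rec-001", "redact", "post-session PHI review")
    print("chain intact:", log.verify())
    print(destruction_plan([("rec-001", "recording"), ("consent-001", "consent_form")],
                           date(2024, 6, 30), date(2024, 10, 1)))
```

The log is a plain in-memory structure so the chaining logic is visible; in practice the entries would be written to append-only storage on a BAA-covered system, and the destruction plan would be run on a schedule and its results logged back into the same trail as the deletion record the checklist calls for.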
HIPAA-compliant tool comparison for user research
| Research activity | HIPAA-compliant options (BAA available) | Non-compliant alternatives to avoid |
|---|---|---|
| Video sessions | Zoom for Healthcare, Doxy.me, Microsoft Teams (with BAA), Webex (with BAA) | Standard Zoom (no BAA), Google Meet (no BAA for HIPAA), FaceTime |
| Transcription | Rev (with BAA), Otter.ai (with BAA, enterprise plan), TranscribeMe (with BAA), manual transcription | Free transcription tools, consumer-grade AI transcription without BAAs |
| Survey collection | Qualtrics (with BAA), REDCap, Alchemer (with BAA), SurveyMonkey Enterprise (with BAA) | Google Forms, Typeform (no BAA), free SurveyMonkey |
| Data storage | AWS (with BAA + HIPAA config), Azure (with BAA), Google Cloud (with BAA + HIPAA config), encrypted local storage | Standard Google Drive, Dropbox (no BAA on basic plans), iCloud |
| Research analysis | Dovetail (with BAA, enterprise), Atlas.ti (local install), NVivo (local install), manual analysis on encrypted local storage | Free analysis tools, non-BAA cloud platforms |
| Participant recruitment | Rally (HIPAA-compliant), CleverX verified panels (for healthcare professional recruitment), direct recruitment through healthcare partners | General consumer panels without HIPAA compliance |
| Session scheduling | Calendly (with BAA, enterprise plan), manual scheduling via encrypted email | Standard Calendly, Doodle, generic scheduling tools |
| Note-taking | Encrypted local documents, HIPAA-compliant EHR-integrated notes | Google Docs (no BAA), Notion (no BAA), Miro (no BAA) |
Critical note: A tool claiming to be “HIPAA compliant” means nothing without a signed BAA between your organization and the vendor. The BAA is the legal document that establishes HIPAA responsibility. Always request and sign the BAA before using any tool with PHI.
How to adapt each research method for HIPAA compliance
User interviews
User interviews are the highest PHI exposure risk because participants naturally share health details when discussing their experiences.
HIPAA adaptations:
- Brief participants before the session: “Please avoid sharing real patient names or specific health record details. We are interested in your workflow and experience, not specific patients”
- If a participant shares PHI inadvertently (mentions a patient name, shows a real record), note the timestamp. Redact from the transcript and recording during post-processing
- Use HIPAA-compliant recording and transcription tools with signed BAAs
- Store interview recordings on encrypted, access-controlled systems. Delete per your retention schedule
- In consent forms, specify that if PHI is accidentally disclosed, it will be redacted and not included in findings
Usability testing
Usability testing with healthcare products carries risk when participants interact with prototypes using real-looking health data.
HIPAA adaptations:
- All prototypes use synthetic patient data. Create realistic mock records with fictional names, dates, diagnoses, and treatments
- If testing an existing product (not a prototype), create a test account with synthetic data. Never test with a participant’s real patient data or their own health records
- Screen share monitoring: if participants share their screen showing real patient data (e.g., from their EHR), instruct them to close it and note the incident
- Test in isolated environments that do not connect to real clinical systems
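As an added example (not code from the original guide), the Python below generates synthetic patient records for prototypes and test accounts, and pairs them with a loader that refuses any record lacking a synthetic marker, so the "never test with real patient data" rule is enforced mechanically rather than by convention. The name pools, the `SYN-` MRN prefix, the fixed anchor date and the `seed_test_environment` loader are all assumptions; the ICD-10-CM codes are real codes chosen so the mock data has the shape of clinical data.

```python
import random
from dataclasses import dataclass, asdict
from datetime import date, timedelta

# Every synthetic record carries this MRN prefix; the loader rejects anything without it.
SYNTHETIC_MRN_PREFIX = "SYN-"

# Constructed, deliberately implausible name pools (assumption: no real participants).
FIRST_NAMES = ["Avery", "Jordan", "Morgan", "Riley", "Casey", "Quinn", "Harper", "Rowan"]
LAST_NAMES = ["Testwell", "Mockford", "Sampleton", "Placeholder", "Fakelin", "Dummyer"]

# (ICD-10-CM code, description, plausible treatment) so mock records look like real ones.
DIAGNOSES = [
    ("E11.9", "Type 2 diabetes mellitus without complications", "metformin 500 mg twice daily"),
    ("I10", "Essential (primary) hypertension", "lisinopril 10 mg daily"),
    ("J45.909", "Unspecified asthma, uncomplicated", "albuterol inhaler as needed"),
    ("K21.9", "Gastro-esophageal reflux disease without esophagitis", "omeprazole 20 mg daily"),
    ("J06.9", "Acute upper respiratory infection, unspecified", "rest and fluids"),
]

# Fixed "today" so a given seed always produces the same records (assumption).
ANCHOR_DATE = date(2024, 1, 15)


@dataclass(frozen=True)
class SyntheticPatient:
    mrn: str
    full_name: str
    date_of_birth: date
    diagnosis_code: str
    diagnosis: str
    active_medication: str
    last_visit: date


def generate_patients(count, seed=0):
    """Deterministically generate `count` synthetic records for a test environment."""
    rng = random.Random(seed)
    records = []
    for _ in range(count):
        # Birth dates spread over 1940 to 2004; visits within the year before ANCHOR_DATE.
        dob = date(1940, 1, 1) + timedelta(days=rng.randrange(0, 365 * 65))
        code, description, treatment = rng.choice(DIAGNOSES)
        records.append(SyntheticPatient(
            mrn=f"{SYNTHETIC_MRN_PREFIX}{rng.randrange(10**7, 10**8):08d}",
            full_name=f"{rng.choice(FIRST_NAMES)} {rng.choice(LAST_NAMES)}",
            date_of_birth=dob,
            diagnosis_code=code,
            diagnosis=description,
            active_medication=treatment,
            last_visit=ANCHOR_DATE - timedelta(days=rng.randrange(0, 365)),
        ))
    return records


def is_synthetic(record):
    return record.mrn.startswith(SYNTHETIC_MRN_PREFIX)


def seed_test_environment(records):
    """Stand-in for the real test-environment loader (assumption): refuses the whole
    batch if any record lacks the synthetic marker, otherwise returns rows loaded."""
    offenders = [r.mrn for r in records if not is_synthetic(r)]
    if offenders:
        raise ValueError(f"refusing to load {len(offenders)} record(s) without the synthetic marker")
    rows = [asdict(r) for r in records]  # where the real loader would write to the test DB
    return len(rows)


if __name__ == "__main__":
    batch = generate_patients(3, seed=42)
    for r in batch:
        print(r)
    print("loaded", seed_test_environment(batch), "synthetic rows")
```

Keeping the marker in the MRN itself (rather than in a side table) means it survives exports, screenshots and CSV round-trips, so a record that later turns up in a recording or a bug report is immediately recognisable as synthetic.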
Surveys
Surveys that collect health information from respondents require HIPAA compliance.
HIPAA adaptations:
- Use HIPAA-compliant survey platforms with signed BAAs (Qualtrics, REDCap, Alchemer)
- Do not collect the 18 HIPAA identifiers unless absolutely necessary. If you need demographic data, collect age ranges instead of dates of birth, state instead of full address
- Apply the minimum necessary standard: every question should pass the test “Do we need this health information for the research purpose?”
- Anonymous surveys that cannot be linked to individuals may fall outside HIPAA scope, but verify with your privacy officer
Diary studies
Diary studies with healthcare users create sustained PHI exposure over days or weeks.
HIPAA adaptations:
- Use HIPAA-compliant diary platforms or encrypted submission methods
- Provide clear instructions on what to share versus what to keep private: “Log your experience with the app. Do not include patient names, medical record numbers, or specific diagnosis information”
- Review diary entries regularly for inadvertent PHI and redact before analysis
- If participants submit photos or screenshots, review for PHI (visible medical records, patient names on screens, prescription labels) before including in analysis
Contextual inquiry
Contextual inquiry in clinical environments has the highest PHI exposure risk of any method.
HIPAA adaptations:
- Organizational BAA between your company and the healthcare facility is mandatory
- Define observation boundaries: what the researcher can observe, what screens they can view, and where they can and cannot be present
- Never observe actual patient encounters without explicit patient consent (separate from the healthcare professional’s consent)
- If PHI is visible on screens during observation, the researcher must not record, photograph, or document it
- Post-observation notes must be reviewed for inadvertent PHI before leaving the facility
De-identification requirements for research data
HIPAA defines two methods for de-identifying health information so it no longer constitutes PHI.
Safe Harbor method (45 CFR 164.514(b))
Remove all 18 identifiers:
| Category | Identifiers to remove |
|---|---|
| Direct identifiers | Names, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, device identifiers, biometric identifiers (fingerprint, voiceprint), full-face photographs |
| Geographic | All geographic subdivisions smaller than a state (street address, city, county, zip code). Zip codes with population <20,000 must be replaced with 000 |
| Dates | All dates directly related to an individual (birth date, admission date, discharge date, death date). Year is permitted if the individual is not older than 89 |
| Communication | Telephone numbers, fax numbers, email addresses, URLs, IP addresses |
After removing all 18 identifiers, the covered entity must also have no actual knowledge that the remaining information could identify an individual.
Expert Determination method (45 CFR 164.514(a))
A qualified statistical or scientific expert determines that the risk of identifying an individual from the data is “very small.” This method is more flexible but requires expert consultation and documentation.
For most UX research, the Safe Harbor method is simpler and sufficient. Remove the 18 identifiers from all transcripts, recordings, notes, and reports before sharing outside the research team.
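A first-pass Safe Harbor redaction over transcripts, diary entries or open-text survey responses can be automated for the identifiers that have a recognisable shape. The Python below is an added example, not code from the original guide: it replaces emails, URLs, IP addresses, SSNs, medical record numbers, phone numbers and street addresses with category tags, reduces dates to the year (which Safe Harbor permits), aggregates ages over 89 into "90+", truncates zip codes to their first three digits (or to 000 for restricted prefixes), and returns a per-category count for the incident log. Names and cities have no pattern, so they come from a `known_terms` roster the caller supplies; the transcript, the roster and the `RESTRICTED_ZIP3` subset are constructed for the example, and the pass supplements rather than replaces the human review the checklist requires.

```python
import re

# Illustrative subset of three-digit zip prefixes whose area holds fewer than 20,000
# people (assumption: take the authoritative list from current census figures).
RESTRICTED_ZIP3 = {"036", "059", "063"}

# Identifier patterns, most specific first so later, looser patterns do not
# chew up fragments of earlier ones. Over-redaction is the safe failure here.
PATTERNS = [
    ("URL", re.compile(r"https?://\S+")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("MRN", re.compile(r"\b(?:MRN|medical record number)\s*(?:is|:|#)?\s*\d{6,10}\b", re.I)),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")),
    ("ADDRESS", re.compile(
        r"\b\d{1,5}\s+(?:[A-Z][a-z]+\s+){1,3}"
        r"(?:St|Street|Ave|Avenue|Rd|Road|Blvd|Dr|Drive|Ln|Lane)\b\.?")),
]
DATE_US = re.compile(r"\b\d{1,2}[/-]\d{1,2}[/-](?P<year>\d{4})\b")
DATE_ISO = re.compile(r"\b(?P<year>\d{4})-\d{2}-\d{2}\b")
AGE = re.compile(r"\b(\d{1,3})[- ]year[- ]old\b")
ZIP = re.compile(r"\b\d{5}(?:-\d{4})?\b")


def safe_harbor_redact(text, known_terms=()):
    """Return (redacted_text, {category: count}) for one transcript or entry."""
    counts = {}

    def tally(category, n=1):
        if n:
            counts[category] = counts.get(category, 0) + n

    # 1. Roster terms (participant and patient names, cities) supplied by the caller.
    for term in known_terms:
        text, n = re.subn(r"\b" + re.escape(term) + r"\b", "[REDACTED]", text, flags=re.I)
        tally("KNOWN", n)

    # 2. Identifiers with a recognisable shape.
    for category, pattern in PATTERNS:
        text, n = pattern.subn(f"[{category}]", text)
        tally(category, n)

    # 3. Dates: keep only the year.
    def keep_year(m):
        tally("DATE")
        return f"[DATE {m.group('year')}]"
    text = DATE_US.sub(keep_year, text)
    text = DATE_ISO.sub(keep_year, text)

    # 4. Ages over 89 collapse into a single 90+ category; younger ages stay.
    def cap_age(m):
        if int(m.group(1)) > 89:
            tally("AGE")
            return "[AGE 90+]"
        return m.group(0)
    text = AGE.sub(cap_age, text)

    # 5. Zip codes: first three digits only, or 000 for restricted prefixes.
    def truncate_zip(m):
        tally("ZIP")
        prefix = m.group(0)[:3]
        return "000" if prefix in RESTRICTED_ZIP3 else prefix + "XX"
    text = ZIP.sub(truncate_zip, text)

    return text, counts


# Constructed transcript excerpt; every identifier in it is fictional.
TRANSCRIPT = (
    "Participant (Jane Doe): I'm a 91-year-old retired nurse; my portal login is jane.doe@example.com. "
    "Call me at (512) 555-0142 if the recording cuts out. "
    "My MRN is 00451234, I was admitted 03/14/2023 and discharged 3/20/2023. "
    "I live at 123 Main St, Austin 78701. My SSN 123-45-6789 was on the form. "
    "The portal link was https://portal.example.org/visit/55 from 10.0.0.7."
)

if __name__ == "__main__":
    redacted, found = safe_harbor_redact(TRANSCRIPT, known_terms=("Jane Doe", "Austin"))
    print(redacted)
    print(found)
```

The counts dictionary is what goes into the incident log: it records that PHI was present and of what kind without copying the PHI itself. Free-text mentions of names, places and diagnoses that are not on the roster will pass through untouched, which is why the redacted output still needs the reviewer's read before it leaves the research team.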
How to write HIPAA-compliant consent forms for research
Standard research consent forms require additional elements for HIPAA compliance.
Required HIPAA authorization elements
Your consent form must include:
- Specific description of PHI to be used or disclosed: “We may collect information about your experience using [product], including any health-related information you share during the session”
- Who will use or receive the PHI: “The research team at [company]. De-identified findings may be shared with the product development team”
- Purpose of the use or disclosure: “To improve the usability of [product] for healthcare professionals/patients”
- Expiration date or event: “This authorization expires 12 months after the study completion date, or upon your request to revoke, whichever comes first”
- Right to revoke: “You may revoke this authorization at any time by contacting [researcher] at [email]. Revocation applies to future uses; data already de-identified cannot be re-identified for deletion”
- Statement about re-disclosure: “Information disclosed under this authorization may no longer be protected by HIPAA if the recipient is not a covered entity. However, we will apply the same protections to all research data regardless”
- Signature and date
Consent form template addition for HIPAA studies
Add this block to your standard consent form for any study involving PHI:
Health Information Authorization
This study may involve discussion of health-related experiences. By signing below, you authorize [Company] to collect, use, and store health information you share during this research session for the purposes described above.
Your health information will be:
- Accessible only to the authorized research team
- Stored on encrypted, access-controlled systems
- De-identified before any findings are shared beyond the research team
- Deleted [timeframe] after study completion
You may revoke this authorization at any time by contacting [name] at [email]. You will still receive your full incentive if you choose to revoke.
- I authorize the collection and use of my health information as described above
How to recruit healthcare participants compliantly
Recruiting patients
- Do not use PHI to identify or contact potential participants without their prior authorization or an IRB waiver
- Recruit through the healthcare provider with their cooperation (the provider contacts patients, not you)
- Use general recruitment channels (community boards, social media, patient advocacy groups) that do not rely on PHI for targeting
- Screener surveys should not collect PHI. Screen by behavior (“Do you use a patient portal?”) not by condition (“Do you have diabetes?”)
Recruiting healthcare professionals
- Healthcare professionals (clinicians, nurses, pharmacists, administrators) are not patients. Recruiting them does not involve patient PHI
- Screen by role, specialty, and tool usage, similar to other B2B professional recruitment
- CleverX verified panels can source pre-screened healthcare professionals with role verification
- Incentive benchmarks: $150-300/hr for clinicians, $100-200/hr for nurses and allied health, $200-400/hr for specialists and administrators
Incentive considerations
- Never tie incentives to health status or treatment. “We are paying you for your time, not for information about your health”
- Pay regardless of session completion. Participants who withdraw mid-session due to discomfort must still receive full incentive
- Document incentive payments. HIPAA does not regulate incentives directly, but the appearance of paying for health information creates compliance risk
Common HIPAA compliance mistakes in user research
| Mistake | Why it happens | How to prevent it |
|---|---|---|
| No BAAs with research tools | Team uses standard (non-HIPAA) versions of familiar tools | Audit every tool in the research workflow before the study. No BAA = cannot use with PHI |
| PHI in recruitment screeners | Researcher asks about health conditions to filter participants | Screen by behavior and app usage, not by diagnosis. “Do you use a mental health app?” not “Do you have depression?” |
| Real patient data in prototypes | Design team uses real records “for realism” | Create synthetic data sets that mirror real data structure without real patient information |
| Accidental PHI in recordings | Participant shares a real patient name or shows a real medical record during screen share | Pre-session briefing + real-time monitoring + post-session recording review and redaction |
| PHI in analysis tools without BAA | Researcher uploads transcripts with PHI to Dovetail, Miro, or Google Docs | De-identify before uploading to any tool without a BAA. Or use only BAA-covered analysis tools |
| Missing retention schedule | Research data with PHI stored indefinitely “just in case” | Document retention periods in the consent form. Delete per schedule. Maintain deletion records |
| Consent form missing HIPAA authorization | Standard consent form used without HIPAA-specific elements | Use the HIPAA authorization template addition above for any study involving PHI |
| Team members without HIPAA training | New researcher joins the study without training | Require HIPAA training completion before any researcher accesses study data |
Frequently asked questions (continued)
Does HIPAA apply to telehealth and digital health app research?
Yes, if the app is offered by or connected to a covered entity (healthcare provider, health plan). Telehealth apps operated by or on behalf of healthcare providers handle PHI and require HIPAA compliance for any research involving user data. Digital health apps that operate independently (wellness apps, fitness trackers) may not be covered by HIPAA, but many voluntarily comply. The FTC Health Breach Notification Rule may apply to non-HIPAA health apps. Consult your legal team for your specific product’s regulatory status.
Can you do unmoderated research under HIPAA?
Yes, with limitations. Unmoderated research using HIPAA-compliant platforms (surveys on Qualtrics with BAA, unmoderated tasks on a BAA-covered platform) is compliant if properly configured. The risk: without a moderator present, you cannot prevent participants from sharing PHI in open-text responses or screen recordings. Mitigate by: using mock data in all test scenarios, instructing participants to avoid sharing real health information, and reviewing all submissions for PHI before analysis.
How long must you retain HIPAA research records?
HIPAA requires covered entities to retain documentation of policies, procedures, and authorizations for 6 years from the date of creation or the date last in effect, whichever is later. For research, this means: consent forms and HIPAA authorizations retained for 6 years after study completion, audit trails retained for 6 years, and BAAs retained for 6 years after termination. Research data itself (recordings, transcripts, notes) should be retained only as long as necessary for the research purpose, then securely destroyed. Document your retention schedule and destruction dates.
What is the difference between HIPAA compliance and HIPAA certification?
There is no official HIPAA certification. No government agency certifies organizations as “HIPAA compliant.” When vendors claim “HIPAA certification,” they typically mean they have undergone a third-party audit of their security controls and policies. This is useful but not legally equivalent to compliance. Compliance is an ongoing process, not a one-time certification. What matters for research: signed BAAs with every vendor, documented policies, trained staff, and implemented safeguards.
How does GDPR intersect with HIPAA for international research?
If your research involves participants in the EU, GDPR applies in addition to HIPAA. GDPR has stricter consent requirements (explicit opt-in, right to erasure, data portability) and broader definitions of personal data. For international healthcare research, comply with both: HIPAA for US participants’ PHI, GDPR for EU participants’ personal data, and the stricter standard when they overlap. Use GDPR-compliant consent forms (which generally exceed HIPAA requirements) and ensure data transfers between the US and EU comply with applicable transfer mechanisms.