Ohio University

Appropriate Use: Qualtrics

Qualtrics may be used to maintain or share the university's unregulated data as well as some kinds of sensitive regulated data. By logging in and using the university’s instance of Qualtrics, you are agreeing to the following terms of service:

  • Usage must adhere to the university's Computer & Network Use policy, Copyright policy, university brand standards, and other relevant policies, state, and federal laws.
  • You must protect the privacy and confidentiality of student, patient, employee and other institutional information, as required by FERPA (privacy of student information), HIPAA (privacy of patient information).
  • In accordance with federal regulations and Ohio University policy, all research involving human subjects must be reviewed and approved by an Institutional Review Board prior to any research intervention with a participant. To learn more, visit:
  • Use of Qualtrics is restricted to the university's central missions of education, research and public service.
  • Commercial use of Qualtrics is not allowed under our site license.

HIPAA: Academic use only - No clinical data - No Export Controlled data

Ohio University has a Business Associate Agreement (BAA) with Qualtrics for maintaining Protected Health Information (PHI) as regulated by HIPAA.

Qualtrics can only be used to collect and store sensitive data for non-clinical, academic purposes. It cannot be used for any clinical applications, regardless of the sensitivity level of the data. Qualtrics should also not be used to maintain or share Export Controlled research, because Qualtrics cannot ensure that only U.S. persons have access to or maintain its systems.

Maintaining HIPAA compliance is the duty of all involved parties, and as such users of Qualtrics are responsible for complying with HIPAA regulations. For the list of complete requirements, please view HIPAA’s website, but some requirements that apply include:

  • Obtaining all necessary data-sharing agreements and Business Associate Agreements for using and disclosing PHI.
  • Obtaining all required authorizations for using and disclosing PHI.
  • Using and disclosing only the minimum necessary PHI for the intended purpose.
  • Ensuring that PHI is seen only by those who are authorized to see it.
  • Delete, de-identify, or anonymize all PHI data when it is no longer needed.
  • Following any additional steps required by your department to comply with HIPAA.