HIPAA Compliant
SOC 2 Type II
BAA Available

HIPAA-Compliant
User Research
for Healthcare

The all-in-one research platform healthcare teams trust. Recruit patients and providers, run interviews, and analyze findings — all with enterprise-grade HIPAA compliance built in.
Request a demoView Trust Portal
Trusted by healthcare research teams at leading organizations
“We’re able to self-serve the entire research process, from pushing our data in and managing email outreach to conducting interviews and paying incentives.”
Tessa Pollard
Research Operations Manager
“We’ve been connected with Great Question for about four years… Seeing that vision come to life has built tremendous trust…”
A’verria Martin
Senior Director of Product Research, Intelligence and Strategy, ServiceNow

The cost of non-compliance is catastrophic

Healthcare organizations can't afford to take shortcuts with PHI. The stakes are too high.
$10.93M
Average cost of a healthcare data breach
IBM/Ponemon 2024
$2.13M
Maximum HIPAA penalty per violation
HHS Office for Civil Rights
#1
Healthcare is the most breached industry, 13 years running
IBM/Ponemon 2024

What's included in our HIPAA compliance

We invest in the technical controls, legal framework, and ongoing compliance processes so your team can focus on research.
Business Associate Agreement
Signed BAA with Great Question covering the PHI you store on the platform — a legally binding commitment to protect your data. Video recordings and transcripts are handled by third-party providers outside our BAA.
SOC 2 Type II Certified
Independent third-party audit of our security controls, availability, and confidentiality practices. Report available under NDA.
Independent Security Assessment
Annual HIPAA Security Risk Assessment conducted by an independent firm, with penetration testing scoped for PHI handling.
Field-Level Encryption
PHI is encrypted at the field level, beyond standard AES-256 at-rest encryption. Sensitive health data is isolated from PII.
Comprehensive Audit Trail
Every access, modification, and export of PHI is logged. Complete audit trail for compliance reviews and incident investigations.
Consent & Data Controls
Configurable data retention, deletion policies, anonymization capabilities, and consent tracking built into every study.

Built for healthcare research teams

Run every type of research with PHI — safely, compliantly, and without workarounds.
Patient Experience Research
Interview patients about their care journey, collect feedback on portals and apps, and analyze findings — all with proper consent tracking and PHI protection.
Provider Recruitment Panels
Build and manage a panel of healthcare professionals for ongoing research. Track consent, NDAs, and participation history in one compliant CRM.
Clinical Workflow Testing
Test EHR workflows, clinical decision support tools, and care coordination platforms with real providers. Record sessions and store findings compliantly.
Telehealth UX Research
Run moderated and unmoderated studies on telehealth platforms. Store highlights, participant information, and research findings containing PHI securely. (Session recordings and transcripts are processed by third-party providers and fall outside our BAA.)

How we compare

Not all HIPAA compliance is created equal. See how Great Question stacks up against alternatives.
Capability
Great Question
UserTesting
Dovetail
Maze
HIPAA Compliance
BAA Available

Excluding transcriptions & recordings
SOC 2 Type II
Independent HIPAA Assessment
~
Unclear
Research Capabilities with HIPAA
Participant Recruitment
Moderated Interviews
Unmoderated Testing
Research Repository
~
Limited
Video Downloads Allowed
Disable by default
Participant CRM
Full product without restrictions
Restricts sharing, forces SSO
vs. UserTesting
UserTesting charges $500K+ for 3-year healthcare deals. Great Question delivers the same HIPAA compliance at a fraction of the cost — with a dedicated participant CRM that doesn't recycle panelists.
vs. Dovetail
Dovetail requires Enterprise + a separate HIPAA add-on, then restricts video downloads and sharing. Great Question's HIPAA compliance doesn't cripple the product.
vs. Rally
Rally is CRM-only. Great Question gives you HIPAA-compliant CRM + interviews + repository + unmoderated testing in one platform.
vs. Maze
Maze doesn't support HIPAA at all. No BAA, no HIPAA assessment. If you're in healthcare, it's not an option.

Everything your compliance team needs

We make it easy for your legal and security teams to sign off — once, not per-study.
Signed BAA with Great Question
Covers all data processed on the platform
Independent HIPAA Security Risk Assessment
Conducted annually by third-party firm
SOC 2 Type II Certification
Available under NDA via Trust Portal
Comprehensive Audit Trail
Every PHI access and modification logged
Trust Portal
All security documentation in one place
Configurable Data Retention
Set retention and deletion policies per your requirements
Incident Response Plan
Breach notification procedures documented
HIPAA-Eligible Infrastructure
Enhanced monitoring, backup, and disaster recovery

Frequently asked questions

Is Great Question HIPAA certified?

There's no such thing as "HIPAA certified" — even the US Department of Health and Human Services doesn't offer a certification. HIPAA compliance is maintained through ongoing annual risk assessments, employee training, continuous monitoring, and policy updates. Great Question maintains all required HIPAA safeguards and undergoes annual independent security assessments.

Do you sign a Business Associate Agreement (BAA)?

Yes. We sign a BAA with every customer who needs HIPAA compliance, covering the PHI you store on the platform. Note that our video and transcription providers aren't covered under our BAA, so session recordings and transcripts are excluded and shouldn't contain PHI. Your legal team reviews our BAA once and you're covered for everything within its scope.

How is HIPAA compliance priced?

HIPAA compliance is available as a platform add-on on our Enterprise plan. It's priced separately because it represents real ongoing investment — annual audits, vendor BAA management, enhanced infrastructure, and dedicated engineering. We don't pass those costs to customers who don't need them. Contact sales for pricing.

Does HIPAA compliance restrict any features?

No. Unlike some competitors that disable video downloads, restrict sharing, or force SSO when HIPAA is enabled, Great Question gives you the full product experience. Our HIPAA compliance is built into the platform architecture, not bolted on as restrictions.

What types of PHI can I store on Great Question?

You can safely store highlights, participant information, and research findings that contain protected health information. All PHI is encrypted at the field level, with access controls and comprehensive audit logging. Important: session recordings and transcripts are processed by third-party video and transcription providers that aren't covered by our BAA, so they shouldn't contain PHI.

Can I see your security documentation?

Yes. Our Trust Portal contains all security documentation including our SOC 2 Type II report (available under NDA), security policies, and compliance details. Visit our Trust Portal to request access.

Ready to run compliant healthcare research?

Join healthcare research teams who trust Great Question to protect PHI while accelerating their research.
Try Ask AI free
Book a demo
Get great UX research reads & resources once a month.
Thank you! Please check your email to confirm your subscription.
Oops! Something went wrong while submitting the form.
© 2026 Great Question, Inc. All rights reserved.