Stanford Center for
Clinical Informatics

Privacy Recommendations on Email-enabled Patient Surveys

With the increased use of research participant surveys in support of clinical research projects there is heightened risk that inappropriate configuration and administration of these surveys will lead to a privacy breach. This document describes the best practices that all electronically administered patient surveys should adhere to in order to minimize this risk.

  1. Initial contact with prospective research participants should not be over email
    Initial contact should be made during a clinic visit or over the telephone, inviting the individual to participate in the survey and expect a survey email.
  2. Do not personalize the email
    The title and body of the email can state the name of the clinic and the purpose of the survey but neither of them should name the patient as this could potentially lead to a privacy breach. To illustrate, if the email address was incorrect and the email was erroneously delivered, for example, to rather than the intended recipient, it would be a privacy breach if the body of the email named the research participant and either the clinic or the purpose of the survey. To avoid this potential risk you should word the body of your email as a generic form letter.
  3. Include a 'this was not for me' link in the email
    In case you mistakenly use an incorrect email address, the body of your email should contain a contact email address so that the recipient can notify the study coordinator of the mistake. The reply-to email header should be set appropriately in the outbound email, and the body of the email should also contain instructions to the recipient stating that if the message is mis-delivered to please reply indicating that the survey was mis-delivered.
  4. Do not personalize the survey
    If the survey link contains a token that identifies the intended research participant in any way, this identifying information should not be displayed in the body of the survey, for the same reason that the initial email must not contain the research participant's name.
  5. Bcc multiple recipients
    If you plan to send a form letter email to more than one recipient you must blind-carbon-copy (bcc) the recipients. In fact this is probably a good practice even when sending to just one recipient as illustrated in points 2 and 3 above. Note that you can and probably should specify the study research coordinator's email address in the 'To:' field of the email to avoid the appearance of spam.

If you follow these 5 simple guidelines when setting up your survey you will have greatly reduced the risk of privacy breach when administering clinical research surveys to your research participants.

Even when the best precautions are taken, mistakes happen. In the event you feel that a privacy breach has occurred, please contact the School of Medicine's Privacy Office immediately at or call 650-725-1828.

Stanford Medicine Resources:

Footer Links: