Today we’ll research whether Iterable provides a HIPAA compliant service or not.
WHY IT MATTERS
Organizations that fall under HIPAA regulations face hefty fines for using cloud software that isn't HIPAA compliant.
THE BIG PICTURE
According to its website, Iterable is a cross-channel marketing platform that powers unified customer experiences and empowers people to create, optimize and measure every interaction across the entire customer journey.
Iterable and the business associate agreement
There’s a primary item to consider when it comes to Iterable and its ability to provide a HIPAA compliant service.
First, let’s start with a quick recap of terms. The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy of individuals’ personal health information, otherwise known as protected health information (PHI).
As we’ve previously discussed, HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities: entities that perform certain functions or activities on behalf of the covered entity.
A business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance. In the case of Iterable, the service would certainly fall into the category of business associate if it’s servicing customers that would store, process, or transmit PHI on its email platform.
We checked the Iterable site and found, in a nutshell:
- Iterable does mention it will sign a BAA: "For more information regarding Iterable’s HIPAA compliance and how to sign a Business Associate Agreement (BAA), please reach out to a member of the Iterable team."
Are we sure Iterable is HIPAA compliant?
The BAA is a key component to HIPAA compliance between a covered entity and a business associate.
Iterable does mention it will sign a BAA with customers. However, we could not find the actual BAA on their site.
Conclusion: Iterable states it's HIPAA compliant. To learn what's considered in scope, we recommend reaching out to them to obtain a copy of their BAA.