We first encountered Braze during SaaStr 2018 in San Francisco. We blogged about their presentation, Wildly profitable events.
Fast forward to 2023, we'll answer the question: Can I use Braze and be HIPAA compliant?
About Braze
Braze is a customer engagement platform that enables companies to create and deliver personalized messaging and experiences to their customers across a range of channels, including email, mobile push notifications, SMS, and in-app messaging.
Braze allows companies to orchestrate and automate customer interactions, while also providing insights and analytics to help them understand and optimize their customer engagement strategies.
Braze was founded in 2011 and is headquartered in New York City. It serves a wide range of industries, including e-commerce, travel, media, and financial services.
Braze and the business associate agreement
There’s a primary item to consider when it comes to Braze and its ability to provide a HIPAA compliant service.
First, let’s start with a quick recap of terms. The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy of individuals’ personal health information, otherwise known as protected health information (PHI).
As we’ve previously discussed, HIPAA applies to covered entities, which includes healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.
A business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance. In the case of Braze, the service would certainly fall into the category of business associate if it’s servicing customers that would store, process, or transmit PHI on its platform.
We checked Braze's site and essentially found what we were looking for here:
- Security qualifications
- The HIPAA Difference: How Braze Supports Thoughtful Engagement While Safeguarding Protected Health Information
A couple things to note here. Braze says they've done the hard work to become HIPAA compliant:
"Braze’s HIPAA (Health Insurance Portability and Accountability Act of 1996) cluster complies with the Security and Privacy rules of HIPAA , as applicable. When creating this cluster, Braze worked with a lawyer who advised on HIPAA laws and worked through the compliance needs for HIPAA with respect to the Security and Privacy rules. This included a risk analysis for the environment, as well as going through each safeguard and ensuring compliance as required."
It should be noted however, we could not find any mention of Braze being willing to sign a BAA with its customers.
Does Braze offer HIPAA compliant service?
The Business Associate Agreement (BAA) is a key component to HIPAA compliance between a covered entity and a business associate.
In regards to being considered a HIPAA compliant solution, we were able to learn the following about Braze:
- Braze states its achieved ISO 27001, Type 2 SOC 2, and HIPAA compliance.
- We could not however, find any mention of their ability to sign a BAA with customers.
Conclusion: We recommend reaching out to Braze directly to inquire about entering into a business associate agreement with them.