by Hoala Greevy Founder CEO of Paubox
Article filed in

Is Hotjar HIPAA Compliant?

by Hoala Greevy Founder CEO of Paubox

Is Hotjar HIPAA Compliant? - Amanda Mason

We’ve been seeing more vendors, customers, and prospects asking about HIPAA compliant services.

Since Paubox is a Business Associate to thousands of customers, we’ve been wondering if our customers are able to use Hotjar in a HIPAA compliant manner.

Here’s what we’ll be covering in this post:


We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud services in this sector.

Today, we will determine if Hotjar offers HIPAA compliant service or not.

Hotjar

Hotjar is a user feedback and behavior analytics tool that helps customers understand the behavior of their website users. It also collects user feedback through heatmaps, session recordings, and surveys.

What is a Business Associate?

A Business Associate is a person or company that performs certain functions or activities that involve the use or disclosure of protected health information for a Covered Entity.

In a nutshell, the role of a Business Associate is to help Covered Entities comply with the HIPAA Privacy Rule.

If Hotjar is storing or transmitting protected health information (PHI) on behalf of a Covered Entity, they are definitely considered a Business Associate.

Read full article: What does it mean to be a Business Associate?

Business Associate Agreement provisions

If a Business Associate provides services to a Covered Entity, then a Business Associate Agreement must be in place.

A Business Associate Agreement is a written contract between a Covered Entity and a Business Associate and is required by law for HIPAA compliance.

At a minimum, a Business Associate Agreement contains 10 provisions.

Read full article: Business Associate Agreement Provisions

Hotjar and the Business Associate Agreement

We checked the Hotjar site for mention of their ability to sign a Business Associate Agreement.

The only meaningful information we could find was on the Hotjar Terms of Service page.

In Section 10.2, they state:


“10.2. You represent and warrant that You will comply with all applicable laws and regulations applicable to You when using Our Service. You agree to provide and maintain a legally adequate privacy policy that accurately discloses Your practices with respect to the collection, use, and disclosure of Personal Data, including Personal Data collected through your use of Our Service. You are responsible for determining whether You are subject to any sector-specific privacy laws or regulations, including but not limited to the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach Bliley Act (GLBA), the Children’s Online Privacy Protection Act (COPPA), the Family Education Rights and Privacy Act (FERPA) or any law concerning the privacy of any collected personal information or other laws as may be applicable to You, and for determining whether Our Service is suitable for You to use in light of the application or potential application of any such laws or regulations. If You are subject to specific laws or regulations, You represent and warrant that your use of Our Service will be in accordance with such laws or regulations. Hotjar will not be held liable for Your failure to provide a legally adequate privacy policy or if Our Service does not meet the requirements imposed by any privacy laws or regulations to which you are subject.”


In other words, we took this language to mean that Hotjar is not willing to sign Business Associate Agreements (BAAs) with their customers.

Does Hotjar offer HIPAA Compliant Service?

The Business Associate Agreement (BAA) is a key component to HIPAA compliance between a Covered Entity and a Business Associate.

We were able to learn the following about Hotjar and their stance on HIPAA compliance:

  • Hotjar offloads responsibility to the customer as far as definitions of PHI and HIPAA are concerned.
  • They also make no mention of their ability to sign a BAA.
  • In our opinion, these are red flags.


Conclusion: Hotjar makes no mention of their ability to sign a Business Associate Agreement. We therefore conclude they should not be used as a HIPAA compliant service.

Not sure what to do next? Try Paubox for FREE and make your email HIPAA compliant today.
Copy link
Powered by Social Snap