Data analytics and visualization tools enable healthcare providers, administrators, and researchers to analyze large volumes of data, identify patterns, trends, and correlations, and generate meaningful insights to improve patient care, operational efficiency, and strategic plan. When these tools access patient data, HIPAA compliance is required.
Alteryx has several healthcare clients and use cases and may be used within HIPAA guidelines if run within a healthcare organization's security framework.
What is Alteryx?
Alteryx is a data analytics and automation platform that allows organizations to prepare, blend, and analyze data from various sources. It provides an interface that enables users, even those without coding skills, to perform complex data transformations, analytics, and reporting tasks. Alteryx also automates repetitive data tasks, allowing users to create workflows that can be scheduled or triggered based on events.
This automation capability helps to streamline data processing and analysis, saving time and effort for organizations. Alteryx also integrates with other popular data tools and platforms, allowing users to leverage existing technologies and systems within their data workflows. It supports integration with cloud services, databases, and business intelligence tools.
Related: Is Google Tag Manager HIPAA compliant?
Alteryx and the business associate agreement
A business associate agreement (BAA) is a legal contract between a covered entity and a business associate that establishes the responsibilities and requirements for safeguarding protected health information (PHI) when a covered entity engages a business associate to perform certain functions or services on its behalf. This specifically relates to healthcare and the requirements set in place by HIPAA's Privacy Rule.
Alteryxc has a Data Processing Agreement (DPA) that governs the processing of customer data and applies to their services. The DPA makes mention of various data protection and privacy laws to which it adheres, such as the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA), and the Virginia Consumer Data Protection Act (VCDPA). A DPA is an agreement that regulates the processing of personal data by a data controller and a data processor. A DPA is not a BAA, and as far as applicable, we can find no explicit mention of a BAA.
Related: HIPAA Compliant Email: The Definitive Guide
Alteryx and HIPAA compliance
Alteryx states on its website: "One of the biggest advantages that Alteryx can offer to companies working with PHI, is its ease of deployment both on prem or in the cloud, all while working within the organization's security framework." They also list healthcare clients and use cases.
It appears that as long as Alteryx is used locally within a healthcare organization's compliant framework and no PHI is shared outside the organization with Alteryx, it's possible to use Alteryx within HIPAA requirements.
However, it cannot be definitively determined that Alteryx is HIPAA compliant. When sharing data with a 3rd-party service, HIPAA requires an organization to sign a business associate agreement, and we could not confirm that Alteryx offers a BAA.
Conclusion: Alteryx may be HIPAA compliant if run on HIPAA compliant servers.
Kirsten Peremore
