HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards. Covered entities and their business associates must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI).
We know the HIPAA industry is vast and that it is important to work well and communicate with patients while remaining HIPAA compliant.
SEE ALSO: HIPAA compliant email
This is especially true with the recent move toward remote working and the increase in cyberattacks against healthcare. Today, we will determine if Autopilot is HIPAA compliant or not.
About Autopilot
Autopilot is a user experience tool that visualizes a customer’s experience with an organization. With this and similar products, organizations can centralize and standardize customer information to improve and enrich encounters.
It includes various solutions and features, such as customer data, audiences, marketing channels, and analytics, to make customer retention and communication simpler.
Moreover, autopilot offers multi-channel marketing capabilities, such as online, email, in-app, text, and traditional mail.
RELATED: Social media and email marketing for healthcare: A virtuous circle
The app can integrate with other options such as Stripe, Facebook, Slack, or MailChimp.
Autopilot and the business associate agreement
A major part of HIPAA compliance is ensuring a business associate will sign a business associate agreement (BAA). A business associate is a person or entity that performs certain functions or activities that involves the use or disclosure of PHI.
In this instance, Autopilot is a business associate of a healthcare organization if it works with any data that includes electronic PHI (ePHI), like a name or an email address.
Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA. There is no mention of HIPAA or a BAA on the Autopilot website.
Autopilot and cybersecurity
According to Autopilot, “Customer data is one of the most valuable assets a company has,” which is why cybersecurity is “our top priority.” Listed cybersecurity measures include physical controls such as offsite backup with 24-hour security. The software itself is cloud-based.
RELATED: CSA offers guidance on preventing ransomware in the healthcare cloud
Data in transit is secured with Secure Sockets Layer (SSL) while email encryption is supported by Transport Layer Security (TLS). Autopilot ensures that all of its software goes through regular audits and updates. Technological access controls for its users include two-factor authentication (2FA) and hash-encrypted passwords.
RELATED: What’s the difference between 2FA and MFA?
Customer databases sit behind a firewall. Autopilot further states that the company uses cookies, web beacons, and third-server parties to track user information. Accordingly, Autopilot only uses that information to improve the app. While the company collects the data of its users’ customers, it only does so “on behalf of [their] Customers.”
Is Autopilot HIPAA compliant?
The BAA is a key component of HIPAA compliance and Autopilot does not appear to sign a BAA. If a data breach or HIPAA violation occurs and any PHI is accessed, the covered entity is liable.
Conclusion Autopilot is not HIPAA compliant.