HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards. Covered entities and their business associates must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI).
We know the HIPAA industry is vast and that it is important to work well and communicate with patients while remaining HIPAA compliant.
SEE ALSO: HIPAA compliant email
This is especially true with the recent move toward remote working and the increase in cyberattacks against healthcare. Today, we will determine if Indicative is HIPAA compliant or not.
Indicative is a product analytics platform that provides a unified view of a customer journey across all marketing channels. It is the only product analytics platform that connects directly to an organization’s data warehouse. This connection gives organizations a complete view of their customers. The idea is to visualize customer journeys and optimize their experiences.
SEE ALSO: What is customer experience management (CEM or CXM)?
Organizations consolidate and standardize customer information to improve and enrich a customer’s journey.
Indicative and the business associate agreement
A major part of HIPAA compliance is ensuring a business associate will sign a business associate agreement (BAA). A business associate is a person or entity that performs certain functions or activities that involves the use or disclosure of PHI.
In this instance, Indicative is a business associate of a healthcare organization if it works with any data that includes electronic PHI (ePHI), like a name or an email address. Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA.
Indicative's documentation does not mention a BAA. The Terms of Service‘s Restrictions section, however, includes a statement about not storing, transmitting, or disclosing PHI to Indicative.
Indicative and cybersecurity
Indicative begins its Privacy statement pronouncing that it “takes the confidentiality and security of Your data and Your Customer’s Data very seriously.” This is probably why Indicative uses this statement to echo the Terms of Service when it comes to PHI:
You further agree that to comply with all applicable privacy and data protection regulations, you will not use our service to send us sensitive information,” for example, “PCI [Payment Card Industry], HIPAA, and state and federal data security laws.
And as for cybersecurity, Indicative says that it “uses best practices,” listing:
- Physical access controls
- Password policies
- Public/private keys
- Data encryption (such as TLS encryption)
At the same time, everything that happens to a customer’s account and platform is the responsibility of that customer. Even if there is an unauthorized data breach.
Is Indicative HIPAA compliant?
The BAA is a key component of HIPAA compliance and Indicative does not appear to sign a BAA. Moreover, Indicative firmly states that its customers should not store, transmit, or disclose PHI. If a breach or HIPAA violation occurs and any PHI is accessed, the covered entity may be liable.
Conclusion Indicative is not HIPAA compliant.