HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards. Covered entities and their business associates must be HIPAA compliant to protect the rights and privacy of patients and their protected health information.
HIPAA compliance has become increasingly complex, and this is especially true as more healthcare providers lean on digital tools to improve their operations. One popular approach is the use of analytics platforms to evaluate online engagement. While these solutions may lead to smarter business decisions, they can also create a new avenue for potential HIPAA violations.
In addition to choosing a HIPAA compliant web host, it’s important for covered entities to determine whether their analytics tool meets compliance obligations.
Let’s find out if Mouseflow is HIPAA compliant or not.
About Mouseflow
Designed to track clicks, movement, and scrolls from page to page, Mouseflow is a behavior analytics platform that helps improve website conversions by providing a full picture of the visitor experience. With access to more detailed insight on key journeys and processes, businesses are able to visualize trends, identify pain points, and drive better outcomes.
Mouseflow and business associate agreements
Any third-party vendor that stores, accesses, or sends PHI is considered a business associate. In order for a third-party vendor to be considered HIPAA compliant, a business associate agreement (BAA) must be signed by both parties. This is a written document that outlines the responsibilities of the business associate to keep PHI secure. Without a signed BAA, the vendor cannot be considered HIPAA compliant.
In this particular case, Mouseflow is considered a business associate for a healthcare organization if it manages PHI within its platform.
Mouseflow’s website does not mention HIPAA or any willingness to sign a BAA.
Mouseflow and data security
Beyond the BAA, data security is another critical component of maintaining HIPAA compliance. Therefore, covered entities should consider the specific measures that a vendor has in place to protect PHI. According to Mouseflow’s security page, the company’s data centers maintain ISO 27001, SOC 1 Type II, and PCI compliance. All customer data is also isolated, hosted on dedicated servers, and encrypted in transit via HTTPS.
Mouseflow proactively assesses the confidentiality of the platform through regular vulnerability scans and employs a number of physical and operational controls to minimize risk, such as intrusion detection systems, access lists, and 24/7 monitoring of security systems and alarms. Customers can take further steps to protect sensitive information by configuring additional controls and privacy settings.
These include disabling keystroke tracking for specific form fields, excluding or replacing visible HTML content, anonymizing visitor IP addresses, and utilizing two-factor authentication.