HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. federal legislation whose Privacy and Security Rules govern how protected health information (PHI) may be used, disclosed, and safeguarded. Covered entities and their business associates must comply with it to protect the rights and privacy of patients and their PHI.
HIPAA compliance has become increasingly complex, especially as more healthcare providers lean on digital tools to improve their operations. One popular approach is the use of analytics and session-recording platforms to evaluate online engagement. Such tools record what visitors click and type, so on a patient portal or appointment form they can capture PHI: while they may lead to smarter business decisions, they also create a new avenue for potential HIPAA violations.
In addition to choosing a HIPAA compliant web host, it’s important for covered entities to determine whether their analytics tool meets compliance obligations.
Let’s find out if Mouseflow is HIPAA compliant or not.
Any third-party vendor that stores, accesses, or transmits PHI on a covered entity's behalf is a business associate. Before such a vendor can handle PHI, a business associate agreement (BAA) must be signed by both parties: a written contract that sets out the business associate's responsibilities for keeping PHI secure. Without a signed BAA, the covered entity may not disclose PHI to the vendor, however strong the vendor's technical controls, and the vendor cannot be considered HIPAA compliant.
In this particular case, Mouseflow is a business associate of a healthcare organization if its recordings, heatmaps, or form analytics capture PHI, for example entries typed into a patient-facing form.
Mouseflow’s website does not mention HIPAA or any willingness to sign a BAA.
Beyond the BAA, data security is another critical component of maintaining HIPAA compliance, so covered entities should consider the specific measures a vendor has in place to protect PHI. According to Mouseflow's security page, the company's data centers maintain ISO 27001, SOC 1 Type II, and PCI compliance, and all customer data is isolated, hosted on dedicated servers, and encrypted via HTTPS. Two caveats apply: those certifications attest to the data centers rather than to Mouseflow's own handling of PHI, and HTTPS protects data only in transit, so encryption at rest would need to be confirmed separately.
Mouseflow also runs regular vulnerability scans against the platform and employs physical and operational controls to minimize risk, such as intrusion detection systems, access lists, and 24/7 monitoring of security systems and alarms. Customers can take further steps to protect sensitive information by configuring additional controls and privacy settings.
These include disabling keystroke tracking for specific form fields, excluding or replacing visible HTML content, anonymizing visitor IP addresses, and using two-factor authentication. Note that these controls are opt-in and cover only the pages and fields they are configured for: anything not explicitly excluded may be recorded, so every page where PHI can appear needs to be reviewed, and the settings do not substitute for a BAA.
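To make the three data-minimization controls above concrete, here is an added, generic illustration of what a session-recording script should do client-side before anything leaves the browser: drop excluded fields entirely, redact typed values by default, mask marked text, and truncate the visitor's IP. This is example code written for this page, not Mouseflow's API or settings; the snapshot shape, the `data-replay` attribute, the `replay-mask` class, the function names, and the sample form contents are all assumptions.

```javascript
'use strict';

// Constructed sample: how a replay script might serialise part of an
// appointment form before upload. Names and values are made up.
const sampleSnapshot = {
  tag: 'form', attrs: { id: 'appointment' },
  children: [
    { tag: 'label', text: 'Patient name' },
    { tag: 'input', attrs: { name: 'patient_name', 'data-replay': 'exclude' }, value: 'Jane Doe' },
    { tag: 'input', attrs: { name: 'reason' }, value: 'Follow-up for diabetes' },
    { tag: 'input', attrs: { name: 'search' }, value: 'clinic hours' },
    { tag: 'div', attrs: { class: 'diagnosis replay-mask' }, text: 'Type 2 diabetes mellitus' },
    { tag: 'button', text: 'Book' },
  ],
};

// Default-deny policy (assumed names): typed values are dropped unless the
// field is allowlisted, marked text is masked, excluded nodes are removed.
const defaultPolicy = {
  keystrokeAllowlist: new Set(['search']),
  maskClass: 'replay-mask',
  excludeAttr: 'data-replay',
};

// Returns a copy of the snapshot with sensitive content stripped, or null if
// the node itself must never leave the browser.
function sanitizeSnapshot(node, policy = defaultPolicy) {
  const attrs = node.attrs || {};
  if (attrs[policy.excludeAttr] === 'exclude') return null;
  const out = { tag: node.tag, attrs: { ...attrs } };
  if ('value' in node) {
    // Fixed placeholder so that not even the length of the input leaks.
    out.value = policy.keystrokeAllowlist.has(attrs.name) ? node.value : '[redacted]';
  }
  if ('text' in node) {
    const classes = (attrs.class || '').split(/\s+/);
    out.text = classes.includes(policy.maskClass) ? '[masked]' : node.text;
  }
  if (Array.isArray(node.children)) {
    out.children = node.children.map((c) => sanitizeSnapshot(c, policy)).filter(Boolean);
  }
  return out;
}

// Truncate the visitor address before it is stored: IPv4 loses its last
// octet, IPv6 keeps only its first three 16-bit groups (a common convention,
// assumed here rather than taken from any vendor's documentation).
function anonymizeIp(ip) {
  if (ip.includes(':')) {
    const [head, tail = ''] = ip.split('::');
    const headGroups = head ? head.split(':') : [];
    const tailGroups = tail ? tail.split(':') : [];
    const missing = 8 - headGroups.length - tailGroups.length;
    const groups = [...headGroups, ...Array(missing).fill('0'), ...tailGroups];
    return groups.slice(0, 3).map((g) => g || '0').join(':') + '::';
  }
  const octets = ip.split('.');
  if (octets.length !== 4) throw new Error('not an IPv4 address');
  octets[3] = '0';
  return octets.join('.');
}

// Pre-upload check: which known sensitive strings still appear in the payload?
function findLeaks(snapshot, sensitiveStrings) {
  const payload = JSON.stringify(snapshot);
  return sensitiveStrings.filter((s) => payload.includes(s));
}

// Stand-alone run: show the sanitized payload and the leak check before/after.
const sanitized = sanitizeSnapshot(sampleSnapshot);
console.log(JSON.stringify(sanitized, null, 1));
console.log('leaks before:', findLeaks(sampleSnapshot, ['Jane Doe', 'diabetes']));
console.log('leaks after:', findLeaks(sanitized, ['Jane Doe', 'diabetes']));
console.log(anonymizeIp('203.0.113.77'), anonymizeIp('2001:db8:85a3::8a2e:370:7334'));
```

The point of `findLeaks` is the verification step a covered entity actually needs: run the real page with test PHI in every field, capture the payload the recorder sends, and confirm none of the test strings survive. A redaction setting that was never checked against the upload is not a control.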