
Is Segment HIPAA compliant?

Segment is a popular customer data platform that simplifies managing and utilizing customer data, enabling businesses to make data-driven decisions and deliver more personalized customer experiences.


What is Segment?

Segment offers users a unified view of customer data by providing a central hub for collecting customer data from various touchpoints, such as websites, mobile apps, and other systems. Any data collected by the software is centralized in Segment and can be accessed and utilized by other marketing and analytics tools.

The key features of Segment are:

  • Data integration and transformation
  • Customer segmentation
  • Real-time data streaming
  • Provision of analytics and insight in real-time
  • Data warehousing
  • Privacy and compliance measures


Segment and HIPAA compliance

Business associates agreement

On its website, Segment states it is a "HIPAA eligible platform, and meets the data privacy and security requirements of healthcare customers and their stakeholders." Segment is under the ownership of Twilio, a provider of communication tools. Users must verify the HIPAA eligibility of any third-party services, such as analytics tools, they intend to integrate with Segment against the list of Twilio's HIPAA Eligible Products and Services.

To ensure HIPAA eligibility of their workflows, users must sign the Business Associate Addendum (BAA). This legally binding agreement outlines the responsibilities and obligations of both the user and Segment regarding the handling of protected health information (PHI). By signing the BAA, users establish a HIPAA compliant business relationship with Segment, enabling the secure handling of PHI within their workflows.


Security policies

Segment implements a host of policies and procedures to protect data. These include:

  1. Data encryption: Data is encrypted at rest and protected by TLS during transit. Passwords are hashed using bcrypt, and production secrets are managed with AWS tools.
  2. Rigorous product design and security testing: Projects undergo security-design reviews, threat models, and regular penetration tests. A public bug bounty program is also employed for continuous assessment.
  3. Time-bound access: Internal access to critical tools and resources is granted for limited time windows rather than as standing access.
  4. Manage access to your account: Centrally manage access policies with Single Sign-On (SSO) on the Business plan.
  5. Control visibility with user access levels: Fine-grained permissions control access to Sources and Workspaces, managing user interactions with data.
  6. System for Cross-domain Identity Management (SCIM): SCIM enables your Identity Provider (IdP) to manage users and group membership within the Segment application.
  7. Password guidance: Visual guidance helps users select strong passwords not exposed in security breaches on other websites.
  8. Multi-factor authentication (MFA): Provides an additional layer of security, requiring a code from a mobile phone along with the username and password when logging into Segment.


Limitations to using Segment

While Segment does allow for HIPAA compliance, particular limitations to its use should be highlighted.

  1. Data ownership and control: Segment processes and stores data within its own infrastructure. Organizations must establish data ownership and control agreements with Segment to safeguard their rights and comply with regulatory requirements.
  2. Third-party access: Segment does allow third-party services and platforms to access data. This data could include PHI.

Conclusion: Segment is HIPAA compliant, but consider carefully which third-party services and platforms you connect to it, since any of them may receive PHI.
