Talk to sales
Start for free

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards. Covered entities and their business associates must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI).

We know the HIPAA industry is vast and that it is important to work well and communicate with patients while remaining HIPAA compliant.

SEE ALSO: HIPAA compliant email

This is especially true with the recent move toward remote working and the increase in cyberattacks against healthcare. Today, we will determine if Totango is HIPAA compliant or not.


About Totango


Totango is a customer success platform with an all-in-one system. With Totango, organizations can design, run, measure, and scale a customer’s SaaS (software-as-a-service) journey for customer retainment and growth.

SEE ALSO: What is customer experience management (CEM or CXM)?

As a customer intelligence tool, Totango allows for the active monitoring of customer health and engagement. The company can do this by partnering with other technology leaders (e.g., Salesforce) to extend the value of its customer success tools.


Totango and the business associate agreement


A major part of HIPAA compliance is ensuring a business associate will sign a business associate agreement (BAA). A business associate is a person or entity that performs certain functions or activities that involves the use or disclosure of PHI.

In this instance, Totango is a business associate of a healthcare organization if it works with any data that includes electronic PHI (ePHI), like a name or an email address.

Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA. There is no mention of a BAA or HIPAA on the Totango website.


Totango and data protection


Totango uses a security system it calls Totango Shield to protect customer data. According to the website, “Security and privacy are built into the foundation of [its] customer success platform and [its] company.”

In fact, Totango’s security practices are accessible online. Totango encrypts all data in transit and at rest. Furthermore, the company’s cybersecurity includes the following access controls:



Totango is hosted by Amazon Web Services infrastructure and therefore also uses its physical and environmental controls to keep data safe. At the same time, Totango’s Terms of Use declares that Totango may use, upload, display, copy, distribute, perform/display, process, store, and analyze customer information, as needed if connected to providing its service.

Moreover, the customer is solely responsible for its data if an issue occurs.


Is Totango HIPAA compliant?


The BAA is a key component of HIPAA compliance and Totango does not appear to sign a BAA. If a data breach or HIPAA violation occurs and any PHI is accessed, the covered entity is liable.

Conclusion Totango is not HIPAA compliant.


Try Paubox Email Suite for FREE today.

Start a 14-day free trial of Paubox Email Suite today