HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards. Covered entities and their business associates must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI). We know the healthcare industry is vast and that it is important to properly access, communicate, and store patients’ PHI while remaining HIPAA compliant. This is especially true with the recent digital transformation in healthcare and the current need to operate electronically and remotely. Today, we will determine whether UiPath is HIPAA compliant.
UiPath, founded in Romania in 2005 but headquartered in New York City, is a robotic process automation (RPA) platform that automates repetitive tasks to ease office workloads. RPA enables software robots to emulate human actions when interacting with digital systems and software. Examples of processes organizations could automate include:
- Moving files and folders
- Extracting, copying, and inserting data
- Filling in forms
- Completing routine analyses and reports
Advanced software robots can also interpret text, engage in chats, and make complex decisions. The idea is to use automation to speed up repetitive office tasks while removing human involvement and error.
UiPath and the business associate agreement
A major part of HIPAA compliance is for healthcare providers to sign a business associate agreement (BAA) with all business associates. A business associate is a person or entity that performs functions or activities for a covered entity that involve the use or disclosure of PHI. UiPath would be a business associate because its software robots would need access to electronic health records and PHI to perform automated tasks. Generally, the HIPAA Privacy Rule allows covered entities to disclose PHI to a business associate if they receive assurance, through a signed BAA, that the information will be protected. There is no information online about UiPath signing a BAA. Moreover, the company’s compliance web page does not mention HIPAA or a BAA.
UiPath and data security
Because of the nature of UiPath’s technology, cybersecurity is important and built directly into its systems. The company guarantees TLS 1.2 encryption on all data in transit and at rest. This includes data stored on its cloud. UiPath employs technical and physical access controls, and it does not disclose data to any third party. Furthermore, all passwords are cryptographically hashed and encrypted. Finally, UiPath has policies in place to mitigate risks associated with improper data disposal and destruction. At the same time, UiPath’s Legal Terms state that customers (not the company) are fully liable and responsible for securing all information. The terms add:
Please mind that you are responsible for assessing compliance with your applicable privacy laws when using UiPath’s Software or Services.
Is UiPath HIPAA compliant?
According to a healthcare provider’s customer story, UiPath’s RPA technology “could give [them] a better way to extract members’ clinical documents, and do it in a HIPAA-compliant manner with little to no involvement from [their] clients’ technical resources.” A blog post (probably written by a UiPath representative) takes this idea further, stating that UiPath is HIPAA compliant because it does not store patient or customer information (i.e., PHI) on any of its servers. HIPAA compliance, however, is nuanced; safeguarding PHI goes further than securing data storage. Additionally, UiPath places all data responsibility on its customers. And finally, there is no clear BAA available for a healthcare provider to sign. If PHI is exposed or stolen, the healthcare provider would be liable.
Conclusion: UiPath is not HIPAA compliant