HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards. Covered entities and their business associates must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI).
HIPAA compliance is complex, and this is particularly true as more healthcare providers weave digital tools into their day-to-day operations.
One growing strategy is the use of analytics platforms to gather valuable information about website visitors. While these solutions may help increase patient engagement, they can also bring new risks for potential HIPAA violations.
Along with selecting a HIPAA compliant web host, covered entities also need to consider whether their analytics tool meets compliance requirements.
Let’s determine if Amplitude Analytics is HIPAA compliant or not.
SEE ALSO: HIPAA compliant email
About Amplitude Analytics
Designed to deliver quick and intelligent behavioral insights that go beyond surface-level data, Amplitude Analytics is an innovative platform that creates a 360-degree view of the customer journey.
With access to detailed reports on user engagement, businesses are able to seamlessly pinpoint top conversion drivers, optimize outcomes, and remove the right barriers to accelerate innovation.
Amplitude Analytics and business associate agreements
Any third-party vendor that stores, accesses, or sends PHI is considered a business associate. In order for a third-party vendor to be considered HIPAA compliant, a business associate agreement (BAA) must be signed by both parties. This is a written document that covers the responsibilities of the business associate to keep PHI secure. Without a signed BAA, the vendor cannot be considered HIPAA compliant.
There is no mention of HIPAA or any willingness to sign a BAA on Amplitude’s website.
Amplitude Analytics and data security
Looking beyond the BAA, data security is another important piece of maintaining HIPAA compliance. This means that covered entities should review the specific safeguards that a vendor has in place to protect PHI.
Amplitude works to keep customers’ data safe by building its information security system in alignment with ISO 27001 standards. The company also maintains a high level of data protection and privacy through ISO 27018:2019 certification and ensures that internal practices are secure by undergoing an annual SOC 2 Type 2 review.
Amplitude’s virtual environment offers additional security features including system hardening, strong encryption tools, ongoing vulnerability testing, centralized configuration management, and enforced multi-factor authentication for all internal access.
Furthermore, the company provides “the flexibility to limit what data is collected, processed, and stored” in the Amplitude Analytics platform. Customers can choose to utilize access controls, data management, and other tools to meet specific security needs.
Is Amplitude Analytics HIPAA compliant?
Unlikely. A BAA is required for full HIPAA compliance and there is no indication that Amplitude will sign one for its analytics solution.
