HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards.
HIPAA compliance has become increasingly complex as more healthcare professionals leverage digital tools to improve their business strategies. This includes the use of analytics platforms to gather valuable insights about website visitors.
Along with selecting a HIPAA compliant web host, it is important for covered entities to make sure that their analytics tool meets compliance requirements.
Let’s determine if Contentsquare is HIPAA compliant or not.
Designed to support the full cycle of digital improvement, Contentsquare is a leading analytics platform that tracks billions of user interactions to help create a stronger understanding of customer behavior.
With seamless access to easy-to-understand metrics, visualizations, and recommendations, businesses are able to drive innovation, boost revenue, and deliver more successful digital experiences.
Contentsquare and business associate agreements
Any third-party vendor that stores, accesses, or sends protected health information (PHI) is considered a business associate.
In order for a third-party vendor to be considered HIPAA compliant, a business associate agreement (BAA) must be signed by both parties. This is a written document that outlines the obligations of the business associate to keep PHI secure. Without a signed BAA, the vendor cannot be considered HIPAA compliant.
There is no mention of HIPAA or any willingness to sign a BAA on Contentsquare’s website.
Contentsquare and data security
Along with the BAA, data security is another key piece of maintaining HIPAA compliance. This means that covered entities should also pay attention to the safeguards that a vendor has in place to protect PHI.
Contentsquare’s website notes that the company takes an “industry-first approach to privacy and security” by maintaining a number of certifications including ISO 27001, ISO 27701, and SOC 2 Type 2.
Operational security protocols include customer data segregation, ongoing backups, and the encryption of data in transit and at rest. Contentsquare also proactively defends against potential threats by conducting monthly vulnerability scans, monitoring networks through an intrusion detection system, and using a web application firewall.
To prevent the collection of personal data such as names and emails, Contentsquare automatically blocks the capture of text and keyboard inputs from the website. For further protection, customers are given the ability to purge data, opt out of data collection, or turn off cookies.
Contentsquare also enforces a strong password policy for extra security. However, the company’s terms and conditions affirm that it is the customer’s “full responsibility to protect the password from theft or unauthorized disclosure” and that Contentsquare is “not liable for any loss or damage.”
Is Contentsquare HIPAA compliant?
No. A BAA is required for full HIPAA compliance, and there is no indication that Contentsquare will sign one.
Strengthen security with Paubox
Just as many well-known web hosts are not HIPAA compliant, innovative analytics platforms aren’t always built to meet these requirements. Therefore, conducting your due diligence is crucial to steer clear of costly fines and other corrective action.
Choosing a HIPAA compliant analytics solution is an important first step, but healthcare providers should be taking additional measures to safeguard PHI with stronger email security.
Built to seamlessly integrate with your current email platform such as Google Workspace or Microsoft 365, Paubox Email Suite enables HIPAA compliant email by default and automatically encrypts every outbound message. This means you don’t have to spend time deciding which emails to encrypt and your patients are able to receive your messages right in their inbox without having to navigate any additional passwords or portals.
Paubox Email Suite’s Plus and Premium plan levels are also equipped with advanced inbound email security tools for more protection from potential threats. Our patent-pending Zero Trust Email feature uses email AI to confirm that an email is authentic, while patented ExecProtect works quickly to intercept display name spoofing attempts.