Is FullStory HIPAA compliant?


HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation that, among other things, sets national standards for protecting the privacy and security of individually identifiable health information.

Covered entities and their business associates must comply with HIPAA's Privacy and Security Rules to protect patients' rights and their protected health information (PHI).

HIPAA compliance has become more complicated as healthcare providers work more digital tools into their operations. One growing practice is the use of analytics platforms to collect data about website visitors.

These tools may help increase patient engagement, but analytics and session-replay scripts record what a visitor views and types. On a patient portal or appointment form, that can include PHI, which is then transmitted to a third party. If that third party has no contractual obligation to protect it, the covered entity is exposed to a potential HIPAA violation.

In addition to selecting a HIPAA compliant web host, covered entities should confirm that their analytics tool meets their compliance obligations.

Let’s determine if FullStory is HIPAA compliant or not.


About FullStory 

Designed to deliver quantitative and qualitative data in real time, FullStory is a web-based digital experience analytics platform that records visitor sessions and gives companies a clearer picture of how to optimize the digital experience.

With the help of rich analytics, session details, and collaboration tools, businesses are able to make smarter decisions, streamline operations, and boost customer retention.

FullStory and business associate agreements

Under HIPAA, any third-party vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity is a business associate.

Before a covered entity may share PHI with such a vendor, both parties must sign a business associate agreement (BAA): a written contract that sets out the business associate's obligations to safeguard PHI and to report security incidents and breaches. Without a signed BAA, the vendor may not handle PHI and cannot be considered HIPAA compliant.

At the time of writing, there is no mention of HIPAA, or of any willingness to sign a BAA, on the FullStory website.

FullStory and data security

Looking beyond the BAA, data security is another important component of maintaining HIPAA compliance. Therefore, covered entities should also consider the measures that a vendor is taking to protect PHI.

FullStory's website states that the company meets "rigorous international standards for security" by maintaining SOC 2 Type II and SOC 3 reports and ISO 27001 certification. These attest to general security controls but do not, on their own, establish HIPAA compliance. All production data is stored in data centers with ongoing camera surveillance and a laser beam intrusion detection system in place.

FullStory also encrypts data in transit and at rest, and uses techniques such as autoscaling and rolling deployments to maintain uptime. However, the company "does not currently make point-in-time backups due to the very large amount of data stored." That matters for a covered entity, because the HIPAA Security Rule's contingency plan standard requires a data backup plan for electronic PHI (45 CFR 164.308(a)(7)).

As FullStory emphasizes that "the most effective way to minimize security exposure is to avoid storing unnecessarily sensitive data in the first place," customers can limit what is captured through the product's Excluded Elements feature, which keeps the recording script from collecting the contents of designated page elements. The practical caveat is that exclusion is only as good as its coverage: any PHI-bearing element that is not marked is still captured and sent to the vendor.
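To make the coverage caveat concrete, here is an added illustrative model of how a session-replay script serialises a page and how an "excluded elements" rule keeps a subtree out of the capture. It is example code written for this article, not FullStory's own recorder or API: the tree structure, the `snapshot` function and the `fs-exclude` marker class are all assumptions, and the patient-portal fragment is constructed sample input.

```javascript
// Illustrative model of session-replay capture with element exclusion.
// Added example, not FullStory's code. The class name "fs-exclude" is an
// assumed convention for marking elements that must not be captured.

// A minimal DOM-like tree so the example runs offline in Node (no jsdom).
function el(tag, attrs = {}, children = []) {
  return { tag, attrs, children };
}
function text(value) {
  return { text: value };
}

const EXCLUDE_CLASS = "fs-exclude"; // assumed marker class

function isExcluded(node) {
  const cls = (node.attrs && node.attrs.class) || "";
  return cls.split(/\s+/).includes(EXCLUDE_CLASS);
}

// Serialise the tree the way a naive recorder would: every text node and
// every attribute (including an input's value) ends up in the payload
// unless the subtree is excluded, in which case only a placeholder is kept.
function snapshot(node, excludeEnabled) {
  if (node.text !== undefined) return node.text;
  if (excludeEnabled && isExcluded(node)) return `<${node.tag} excluded/>`;
  const attrs = Object.entries(node.attrs || {})
    .map(([k, v]) => ` ${k}="${v}"`)
    .join("");
  const inner = node.children.map((c) => snapshot(c, excludeEnabled)).join("");
  return `<${node.tag}${attrs}>${inner}</${node.tag}>`;
}

// Constructed sample page: a patient-portal fragment with PHI in a text
// node, in an input's value attribute, and in a greeting that the page
// author forgot to mark.
const page = el("div", { id: "visit" }, [
  el("h2", {}, [text("Visit summary")]),
  el("span", { id: "greeting" }, [text("Welcome back, Jane Doe")]),
  el("p", { class: "fs-exclude" }, [text("Diagnosis: type 2 diabetes")]),
  el("input", { name: "mrn", value: "MRN-0042", class: "fs-exclude" }),
  el("p", {}, [text("Next appointment: Tuesday")]),
]);

// Constructed list of PHI strings we expect never to leave the browser.
const PHI_STRINGS = ["type 2 diabetes", "MRN-0042", "Jane Doe"];

// Returns the PHI strings that appear in a capture payload.
function leakedPHI(payload) {
  return PHI_STRINGS.filter((s) => payload.includes(s));
}

// Compare the payload with exclusions off and on. The unmarked greeting
// still leaks when exclusions are on: coverage gaps are the real risk.
function demo() {
  const unfiltered = snapshot(page, false);
  const filtered = snapshot(page, true);
  return {
    unfiltered: leakedPHI(unfiltered),
    filtered: leakedPHI(filtered),
    filteredPayload: filtered,
  };
}

console.log(demo());
```

The check a practitioner would run before putting any recorder on a patient-facing page is the `leakedPHI` step above: capture a real session in a test account, inspect the outbound payload, and treat every PHI string that appears as an element that still needs excluding or, better, a page the script should not load on at all.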

Is FullStory HIPAA compliant?

No. A BAA is required before PHI can be shared with a vendor, and there is no indication that FullStory will sign one.

Boost protection with Paubox 

Much as many popular web hosts are not HIPAA compliant, advanced analytics tools are not automatically capable of meeting these requirements. Conducting your due diligence on every vendor that touches PHI is therefore crucial to steer clear of costly fines and other corrective action.

Choosing a HIPAA compliant analytics solution is an important first step, but healthcare providers should also take additional measures to safeguard PHI, including stronger email security.

Built to conveniently integrate with your existing email platform such as Google Workspace or Microsoft 365, Paubox Email Suite enables HIPAA compliant email by default and automatically encrypts every outbound message. This means you don’t have to spend time deciding which emails to encrypt and your patients are able to receive your messages right in their inbox without having to navigate any additional passwords or portals.

Paubox Email Suite’s Plus and Premium plan levels also include advanced inbound email security tools for more threat protection. Our patent-pending Zero Trust Email feature uses email AI to confirm that an email is authentic, while patented ExecProtect works quickly to intercept display name spoofing attempts.

Try Paubox Email Suite Plus for FREE today.
About the author

Sara Uzer
