HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards.
HIPAA compliance has become increasingly complicated as more healthcare providers work digital tools into their operations. One growing strategy is the use of analytics platforms to collect meaningful data about website visitors.
In addition to selecting a HIPAA compliant web host, covered entities should ensure that their analytics tool meets compliance obligations.
Let’s determine if FullStory is HIPAA compliant or not.
SEE ALSO: HIPAA compliant email
Designed to deliver quantitative and qualitative data in real time, FullStory is a web-based intelligence system that provides companies with a stronger understanding of how to optimize the digital experience.
With the help of rich analytics, session details, and collaboration tools, businesses are able to make smarter decisions, streamline operations, and boost customer retention.
FullStory and business associate agreements
Any third-party vendor that stores, accesses, or sends PHI is considered a business associate.
In order for a third-party vendor to be considered HIPAA compliant, a business associate agreement (BAA) must be signed by both parties. This is a written document that outlines the requirements of the business associate to keep PHI secure. Without a signed BAA, the vendor cannot be considered HIPAA compliant.
There is no mention of HIPAA or any willingness to sign a BAA on the FullStory website.
FullStory and data security
Looking beyond the BAA, data security is another important component of maintaining HIPAA compliance. Therefore, covered entities should also consider the measures that a vendor is taking to protect PHI.
FullStory’s website states that the company meets “rigorous international standards for security” by maintaining SOC 2 Type II, SOC 3, and ISO 27001 certifications. All production data is stored in state-of-the-art data centers with ongoing camera surveillance and a laser beam intrusion detection system in place.
FullStory also encrypts data in transit and at rest and uses a variety of techniques to ensure reliable uptime such as autoscaling and rolling deployments. However, the company “does not currently make point-in-time backups due to the very large amount of data stored.”
As FullStory emphasizes that “the most effective way to minimize security exposure is to avoid storing unnecessarily sensitive data in the first place,” customers can set limits on captured information through the product’s Excluded Elements feature.
Is FullStory HIPAA compliant?
No, a BAA is required for full HIPAA compliance and there is no indication that FullStory will sign one.
Boost protection with Paubox
Much like how many popular web hosts are not HIPAA compliant, advanced analytics tools aren’t automatically capable of meeting these requirements. Therefore, conducting your due diligence is crucial to steer clear of costly fines and other corrective action.
Choosing a HIPAA compliant analytics solution is an important first step, but healthcare providers should be taking additional measures to safeguard PHI with stronger email security.
Built to conveniently integrate with your existing email platform such as Google Workspace or Microsoft 365, Paubox Email Suite enables HIPAA compliant email by default and automatically encrypts every outbound message. This means you don’t have to spend time deciding which emails to encrypt and your patients are able to receive your messages right in their inbox without having to navigate any additional passwords or portals.
Paubox Email Suite’s Plus and Premium plan levels also include advanced inbound email security tools for more threat protection. Our patent-pending Zero Trust Email feature uses email AI to confirm that an email is authentic, while patented ExecProtect works quickly to intercept display name spoofing attempts.