Is Heap HIPAA compliant?


HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. federal legislation whose Privacy Rule and Security Rule set national standards for how protected health information (PHI) may be used, disclosed, and safeguarded.

Covered entities and their business associates must comply with HIPAA to protect the rights and privacy of patients and their PHI.

HIPAA compliance has become more complex as healthcare providers adopt digital tools as part of their business strategy, including analytics platforms that gather information about website visitors.

While these solutions may help boost patient engagement, they can also create new risks of HIPAA violations: a tracking script placed on a page that a patient reaches while logged in, scheduling an appointment, or filling out a form can capture identifiers, URLs, and form contents that qualify as PHI.

Along with choosing a HIPAA compliant web host, covered entities should make sure that their analytics tool meets compliance requirements.

Let’s determine if Heap is HIPAA compliant or not.

SEE ALSO: HIPAA compliant email

About Heap 

Designed to display every single user interaction, Heap is an innovative analytics platform that reveals hidden opportunities in the customer journey to help companies build a better digital experience.

With access to a comprehensive set of behavioral data, companies can gain a stronger understanding of customers and make improvements with the biggest impact.

Heap and business associate agreements

Any third-party vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity is considered a business associate.

Before PHI can be disclosed to such a vendor, HIPAA requires a business associate agreement (BAA) signed by both parties. This is a written contract that sets out the business associate's obligations to safeguard PHI, to report breaches, and to flow the same obligations down to its own subcontractors. Without a signed BAA, the vendor cannot be considered HIPAA compliant, and disclosing PHI to it is itself a violation.

Heap’s privacy policy affirms that the company complies with HIPAA, noting that “the processing of PHI collected through the service is governed by the applicable BAA between Heap and the covered entity and/or business associate.” Covered entities can contact Heap for more information on how PHI is managed and protected.

Heap and data security

Beyond the BAA, data security is another key piece of maintaining HIPAA compliance. Covered entities should therefore evaluate the safeguards a vendor has in place to protect PHI, since the Security Rule obligations remain the covered entity's even when the processing is outsourced.

According to the company's security page, Heap is hosted in a SOC 2 facility with strict access controls, professional security staff, and intrusion detection systems. Employees undergo security training with ongoing education on industry best practices, and the company is subject to third-party audits.

All data entering and exiting the infrastructure is encrypted in transit with TLS (HTTPS). Customers can further limit what is captured through a set of custom controls, including rules for managing and redacting sensitive information (for example, form fields, URL query strings, or page text that may contain PHI) and additional cookie security settings. Redaction at the point of capture matters more than encryption in transit here: data that is never sent to the vendor cannot be exposed by the vendor.

Heap also provides tools that support compliance with GDPR, CCPA, HIPAA, and other data privacy regulations. Users can disable the capture of IP addresses and geolocation or opt out of data collection altogether.

Is Heap HIPAA compliant?

Yes, Heap can be used in a HIPAA compliant manner once a BAA has been signed. However, the BAA only governs Heap's obligations; it remains the covered entity's responsibility to confirm the agreement is executed before the tracking snippet is deployed on any page where PHI may appear, to configure redaction and IP/geolocation capture settings so that only the data actually needed is collected, and to periodically verify that new pages and forms have not reintroduced unredacted PHI into the captured data.

Strengthen security with Paubox 

Selecting a HIPAA compliant analytics tool is one piece of the puzzle, but healthcare providers should also safeguard PHI from every angle, including email security.

Built to seamlessly integrate with your current email platform such as Google Workspace or Microsoft 365, Paubox Email Suite enables HIPAA compliant email by default and automatically encrypts every outbound message. This means you don’t have to spend time deciding which emails to encrypt and your patients are able to receive your messages right in their inbox without having to navigate any additional passwords or portals.

Paubox Email Suite’s Plus and Premium plan levels also include advanced inbound email security tools for more threat protection. Our patent-pending Zero Trust Email feature uses email AI to confirm that an email is authentic, while patented ExecProtect works fast to intercept display name spoofing attempts.

Try Paubox Email Suite for FREE today.

About the author

Sara Uzer
