Is Hotjar HIPAA compliant?

Featured image

Share this article

Is Hotjar HIPAA Compliant? - Amanda Mason

We’ve been seeing more vendors, customers, and prospects asking about HIPAA compliant services.

Since Paubox is a Business Associate to thousands of customers, we’ve been wondering if our customers are able to use Hotjar in a HIPAA compliant manner.

Here’s what we’ll be covering in this post:


We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud services in this sector.

Today, we will determine if Hotjar offers HIPAA compliant service or not.

Hotjar

Hotjar is a user feedback and behavior analytics tool that helps customers understand the behavior of their website users. It also collects user feedback through heatmaps, session recordings, and surveys.

What is a Business Associate?

A Business Associate is a person or company that performs certain functions or activities that involve the use or disclosure of protected health information for a Covered Entity.

In a nutshell, the role of a Business Associate is to help Covered Entities comply with the HIPAA Privacy Rule.

If Hotjar is storing or transmitting protected health information (PHI) on behalf of a Covered Entity, they are definitely considered a Business Associate.

Read full article: What does it mean to be a Business Associate?

Business Associate Agreement provisions

If a Business Associate provides services to a Covered Entity, then a Business Associate Agreement must be in place.

A Business Associate Agreement is a written contract between a Covered Entity and a Business Associate and is required by law for HIPAA compliance.

At a minimum, a Business Associate Agreement contains 10 provisions.

Read full article: Business Associate Agreement Provisions

Hotjar and the Business Associate Agreement

We checked the Hotjar site for mention of their ability to sign a Business Associate Agreement.

The only meaningful information we could find was on the Hotjar Terms of Service page.

In Section 10.2, they state:


“10.2. You represent and warrant that You will comply with all applicable laws and regulations applicable to You when using Our Service. You agree to provide and maintain a legally adequate privacy policy that accurately discloses Your practices with respect to the collection, use, and disclosure of Personal Data, including Personal Data collected through your use of Our Service. You are responsible for determining whether You are subject to any sector-specific privacy laws or regulations, including but not limited to the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach Bliley Act (GLBA), the Children’s Online Privacy Protection Act (COPPA), the Family Education Rights and Privacy Act (FERPA) or any law concerning the privacy of any collected personal information or other laws as may be applicable to You, and for determining whether Our Service is suitable for You to use in light of the application or potential application of any such laws or regulations. If You are subject to specific laws or regulations, You represent and warrant that your use of Our Service will be in accordance with such laws or regulations. Hotjar will not be held liable for Your failure to provide a legally adequate privacy policy or if Our Service does not meet the requirements imposed by any privacy laws or regulations to which you are subject.”


In other words, we took this language to mean that Hotjar is not willing to sign Business Associate Agreements (BAAs) with their customers.

Does Hotjar offer HIPAA Compliant Service?

The Business Associate Agreement (BAA) is a key component to HIPAA compliance between a Covered Entity and a Business Associate.

We were able to learn the following about Hotjar and their stance on HIPAA compliance:

  • Hotjar offloads responsibility to the customer as far as definitions of PHI and HIPAA are concerned.
  • They also make no mention of their ability to sign a BAA.
  • In our opinion, these are red flags.


Conclusion: Hotjar makes no mention of their ability to sign a Business Associate Agreement. We therefore conclude they should not be used as a HIPAA compliant service.

Try Paubox Email Suite for FREE today.
Author Photo

About the author

Hoala Greevy

Founder of Paubox. Kayak fishing when I can. Native Hawaiian CEO.

Read more by Hoala Greevy

Get started with
end-to-end protection

Bolster your organization’s security with healthcare’s most trusted HIPAA compliant email solution

The #1-rated email encryption 
and security software on G2

G2 Badge: Email Encryption Leader Fall 2022
G2 Badge: Security Best Usability Fall 2022
G2 Badge: Encryption Momentum Leader Fall 2022
G2 Badge: Security Best Relationship Fall 2022
G2 Badge: Security Users Most Likely to Recommend Fall 2022
G2 Badge: Email Gateway Best Relationship Fall 2022
G2 Badge: Email Gateway Best Meets Requirements Fall 2022
G2 Badge - Users Most Likely to Recommend Summer 2022
G2 Badge: Email Gateway Best Results Fall 2022
G2 Badge: Email Gateway Best Usability Fall 2022
G2 Badge: Email Gateway Best Support Fall 2022
G2 Badge: Email Gateway Easiest To Use Fall 2022
G2 Badge: Email Gateway Easiest Setup Fall 2022
G2 Badge: Email Gateway Easiest Admin Fall 2022
G2 Badge: Email Gateway Easiest to do Business with Fall 2022
G2 Badge: Email Gateway Highest User Adoption 2022
G2 Badge: Email Gateway High Performer Fall 2022
G2 Badge: Email Gateway Momentum Leader Fall 2022
G2 Badge: Email Gateway Most Implementable Fall 2022
G2 Badge: Email Gateway Users Most Likely to Recommend Fall 2022