Is Semrush HIPAA compliant?


HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards.

Covered entities and their business associates must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI).

HIPAA compliance has become increasingly complicated as more healthcare professionals embrace digital transformation. One growing approach is the use of analytics platforms to collect insights on website visitors and guide future business decisions.

While these solutions may offer a valuable way to enhance the patient experience, they can also create a new opening for potential HIPAA violations.

In addition to choosing a HIPAA compliant web host, it is critical for covered entities to ensure that their analytics tool meets compliance obligations.

Let’s find out if Semrush is HIPAA compliant or not.


About Semrush

Equipped with a wide range of SEO, content strategy, and market research features, Semrush is an all-in-one online visibility solution that helps companies run smarter digital campaigns and optimize their websites.

With access to deeper data-driven insights, businesses are able to keep an eye on key competitors, achieve a higher search ranking, and generate more organic site traffic.

Semrush and business associate agreements

Any third-party vendor that stores, accesses, or sends PHI is considered a business associate.

In order for a third-party vendor to be considered HIPAA compliant, a business associate agreement (BAA) must be signed by both parties. This is a written document that outlines the responsibilities of the business associate to keep PHI secure. With no signed BAA, the vendor cannot be considered HIPAA compliant.

There is no mention of HIPAA or any willingness to sign a BAA on Semrush’s website.

Semrush and data security

Along with the BAA, data security is another important component of maintaining HIPAA compliance. Therefore, covered entities should consider the specific measures that a vendor is taking to protect PHI.

Semrush’s website states that all service data is stored in physically secure data centers, with strict limits on personnel access and electronic intrusion detection systems in place. The company also keeps user data in geographically separate locations and “makes reasonable efforts to create frequent back-up copies of this information.”

Operational security features include TLS encryption to protect data in transit, AES-256 encryption for data at rest, and network access controls that work to prevent unauthorized individuals from reaching the infrastructure. To proactively identify and manage external threats, Semrush has implemented a Web Application Firewall (WAF) solution and configured its internal systems to aggregate log data and issue alerts of any malicious activity.

In addition, Semrush affirms that personal information is “protected by an appropriate level of security designed to make it difficult or impossible for unauthorized persons to access such data.” For further account security, customers can choose to enable single sign-on (SSO) and two-factor authentication.

Is Semrush HIPAA compliant?

No. A BAA is required for full HIPAA compliance, and there is no indication that Semrush will sign one.

Boost security with Paubox

Similar to how many popular web hosts are not HIPAA compliant, many well-known digital platforms aren’t always designed to meet these obligations. Therefore, conducting your due diligence is crucial to avoid costly fines and other corrective action.

While selecting a HIPAA compliant analytics solution is one piece of the puzzle, healthcare providers should be taking additional steps to safeguard PHI with better email security.

Built to seamlessly integrate with your current email platform such as Google Workspace or Microsoft 365, Paubox Email Suite enables HIPAA compliant email by default and automatically encrypts every outbound message. This means you don’t have to spend time deciding which emails to encrypt and your patients are able to receive your messages right in their inbox without having to navigate any additional passwords or portals.

Paubox Email Suite’s Plus and Premium plan levels are also equipped with advanced inbound email security tools for more protection from potential threats. Our patent-pending Zero Trust Email feature uses email AI to confirm that an email is legitimate, while patented ExecProtect works quickly to intercept display name spoofing attempts.

Try Paubox Email Suite for FREE today.

About the author

Sara Uzer
