HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards.
HIPAA compliance has become increasingly complicated as more healthcare professionals embrace digital transformation. One growing approach is the use of analytics platforms to collect insights on website visitors and guide future business decisions.
While these solutions may offer a valuable way to enhance the patient experience, they can also create a new opening for potential HIPAA violations.
In addition to choosing a HIPAA compliant web host, it is critical for covered entities to ensure that their analytics tool meets compliance obligations.
Let’s find out if Semrush is HIPAA compliant or not.
SEE ALSO: HIPAA compliant email
Equipped with a wide range of SEO, content strategy, and market research features, Semrush is an all-in-one online visibility solution that helps companies run smarter digital campaigns and optimize their websites.
With access to deeper data-driven insights, businesses are able to keep an eye on key competitors, achieve a higher search ranking, and generate more organic site traffic.
Semrush and business associate agreements
Any third-party vendor that stores, accesses, or sends PHI is considered a business associate.
In order for a third-party vendor to be considered HIPAA compliant, a business associate agreement (BAA) must be signed by both parties. This is a written document that outlines the responsibilities of the business associate to keep PHI secure. With no signed BAA, the vendor cannot be considered HIPAA compliant.
There is no mention of HIPAA or any willingness to sign a BAA on Semrush’s website.
Semrush and data security
Along with the BAA, data security is another important component of maintaining HIPAA compliance. Therefore, covered entities should consider the specific measures that a vendor is taking to protect PHI.
Semrush’s website states that all service data is stored in physically secure data centers, with strict limitations of personnel access and electronic intrusion detection systems in place. The company also keeps user data in geographically separate locations and “makes reasonable efforts to create frequent back-up copies of this information.”
Operational security features include TLS encryption to protect data in transit, AES-256 encryption for data at rest, and network access controls that work to prevent unauthorized individuals from reaching the infrastructure. To proactively identify and manage external threats, Semrush has implemented a Web Application Firewall (WAF) solution and configured its internal systems to aggregate log data and issue alerts of any malicious activity.
In addition, Semrush affirms that personal information is “protected by an appropriate level of security designed to make it difficult or impossible for unauthorized persons to access such data.” For further account security, customers can choose to enable single sign-on (SSO) and two-factor authentication.
Is Semrush HIPAA compliant?
No, a BAA is required for full HIPAA compliance and there is no indication that Semrush will sign one.
Boost security with Paubox
Similar to how many popular web hosts are not HIPAA compliant, many well-known digital platforms aren’t always designed to meet these obligations. Therefore, conducting your due diligence is crucial to avoid costly fines and other corrective action.
While selecting a HIPAA compliant analytics solution is one piece of the puzzle, healthcare providers should be taking additional steps to safeguard PHI with better email security.
Built to seamlessly integrate with your current email platform such as Google Workspace or Microsoft 365, Paubox Email Suite enables HIPAA compliant email by default and automatically encrypts every outbound message. This means you don’t have to spend time deciding which emails to encrypt and your patients are able to receive your messages right in their inbox without having to navigate any additional passwords or portals.
Paubox Email Suite’s Plus and Premium plan levels are also equipped with advanced inbound email security tools for more protection from potential threats. Our patent-pending Zero Trust Email feature uses email AI to confirm that an email is legitimate, while patented ExecProtect works quickly to intercept display name spoofing attempts.