Auryc is a customer journey analytics platform that provides organizations with real-time insights. Healthcare organizations might want to use such a platform to better connect and communicate with patients and other healthcare providers. To do so, however, those within the healthcare industry need to work with platforms that are HIPAA compliant.
In the healthcare industry, sensitive protected health information (PHI) must be safeguarded under HIPAA. A major part of this compliance is working with vendors who will sign a business associate agreement (BAA) and ensure the security of PHI. Auryc still does not mention a BAA on its website, though there is a note about HIPAA compliance elsewhere. Auryc was also recently acquired by Heap, which does offer a BAA for healthcare clients.
What is Auryc?
Auryc provides customer experience management (CXM) by optimizing customer experiences across the web and mobile environment. It was acquired by Heap.io in 2022 to offer its customers a new type of analytics platform that included Auryc’s Session Replay and Voice of the Customer capabilities. Heap’s products help organizations reach their full customer potential. With Heap and Auryc, organizations get a complete dataset, data science, and qualitative insights.
Features of the new platform include user behavior analysis, 1-click views of user sessions, and feedback collection. This includes every click, swipe, and form submission on an organization’s website. Organizations centralize and standardize customer information to improve and enrich a customer’s journey.
Is Auryc considered a business associate?
HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates (i.e., vendors) of these covered entities. These are entities that perform certain functions or activities on behalf of a covered entity.
A BAA is a written contract between a covered entity and a business associate. It outlines the responsibilities and obligations of each party regarding the handling of PHI. Typical provisions within a BAA include:
- Permitted uses and disclosures of PHI
- Safeguards for protecting PHI
- Reporting and mitigation of security incidents
- Compliance with HIPAA regulations
- Dispute resolution and termination clauses
The agreement is required by law for HIPAA compliance and is the primary factor in assessing whether Auryc can be HIPAA compliant. Auryc is a business associate of a healthcare organization if it accesses any PHI within its dataset, such as a name.
Auryc and the BAA
Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA. In 2022, before Auryc was acquired by Heap, we could find no mention of a BAA on Auryc’s website. At that time, a web page for Session Replay stated that Auryc was HIPAA compliant, but there was no information about how it achieved that compliance.
That same year, we confirmed that Heap would sign a BAA. According to Heap’s current privacy policy, the company complies with HIPAA. The policy notes that the “processing of [PHI] collected through the use of our Service is done at the direction of our customer who is the ‘covered entity’ or a business associate (as that term is defined by HIPAA), and is governed by the applicable [BAA] between Heap and the covered entity and/or the business associate.”
There is still no mention of a BAA in relation to Auryc. Heap’s BAA is not accessible on its website, so it is unknown if the agreement includes Auryc. Currently, the BAA is only offered for Heap’s Pro and Premier plans and not on its Free and Growth plans.
Auryc (Heap) and data security
Covered entities must consider the administrative, physical, and technical safeguards that a vendor utilizes to protect PHI. To provide accurate customer analytics, these platforms must have access to personal information in order to facilitate communication. With the increasing importance of data privacy and security, all healthcare business associates who collect, store, or process PHI are subject to HIPAA regulations. Many customer journey platforms are available, but not all meet HIPAA requirements for encryption, data backup, and access controls.
Heap is hosted in a SOC 2 facility with access controls and intrusion detection systems. Within its security web page, the company also mentions employee training and regular third-party audits. Specific cybersecurity features are not listed.
The privacy policy says, “Heap is committed to ensuring all data it receives remains confidential and protected, and that it complies with applicable privacy and security regulations including [HIPAA].” For more information about its safeguards, customers are supposed to contact the company.
Is Auryc HIPAA compliant?
The BAA is a necessary component of HIPAA compliance. Auryc does not mention a BAA on its own though its parent company offers a BAA for its upper-tier customers. To learn more, healthcare organizations need to contact Heap directly. Conclusion: Auryc may be HIPAA compliant.
Understanding HIPAA compliance
Healthcare providers know that clear and efficient communication with patients is necessary to run a successful practice. When evaluating a platform’s HIPAA compliance, especially on the cloud, consider the following security needs beyond a BAA:
- Technical safeguards: Mitigate risks associated with cyber threats, hacking, malware, and other security incidents with strong technical safeguards. Tools such as perimeter defenses (e.g., firewalls) and HIPAA compliant email add further protection.
- Employee training: Ensure all staff members have up-to-date knowledge of HIPAA regulations and best practices. Regular training sessions can help prevent unintentional, employee-related breaches.
- Regular audits: Perform periodic assessments of all systems and processes to ensure that they remain compliant. Adapt to any changes in regulations or technology.
- Data access controls: Implement stringent controls, such as multifactor authentication, on who can access PHI and under what circumstances.