We've been seeing more vendors, customers, and prospects asking about HIPAA compliant services. Since Paubox is a Business Associate to thousands of customers, we've been wondering whether those customers are able to use Drift in a HIPAA compliant manner.
The healthcare sector is vast, and a great many organizations in it rely on cloud services, so the question matters. Today we will determine whether Drift offers HIPAA compliant service or not.
Drift
Drift is a conversational marketing and sales technology solution. In layman's terms, they are primarily known for providing chat widgets on websites. The company was founded in 2015 and is based in Boston, Massachusetts.
What is a Business Associate?
A Business Associate is a person or company that performs certain functions or activities on behalf of a Covered Entity that involve the use or disclosure of protected health information (PHI). In a nutshell, a Business Associate handles PHI for a Covered Entity and must do so in a way that lets the Covered Entity comply with the HIPAA Privacy Rule.
Read full article: What does it mean to be a Business Associate?
Business Associate Agreement provisions
If a Business Associate provides services to a Covered Entity, then a Business Associate Agreement (BAA) must be in place. A BAA is a written contract between a Covered Entity and a Business Associate and is required by the HIPAA Privacy Rule (45 CFR 164.502(e) and 164.504(e)). At a minimum, a Business Associate Agreement contains 10 provisions.
Read full article: Business Associate Agreement Provisions
Drift and the Business Associate Agreement
We checked Drift's site for any mention of their willingness to sign a Business Associate Agreement (BAA). We found no BAA, but the Drift Terms of Service page answers the question another way. First, HIPAA appears in their Definitions section:
g. "Sensitive Personal Information" means Personal Data subject to specialized security regimes, including without limitation the Health Insurance Portability and Accountability Act ("HIPAA"), and the standards promulgated by the PCI Security Standards Council ("PCI").
Second, the Use and Limitations of Use section states:
No Sensitive Information. YOU AGREE NOT TO USE THE PLATFORM OR ANY SERVICES TO COLLECT, MANAGE OR PROCESS SENSITIVE PERSONAL INFORMATION. DRIFT WILL NOT BE RESPONSIBLE FOR ANY LIABILITY RESULTING FROM YOUR USE OF THE PLATFORM OR ANY SERVICES TO COLLECT OR PROCESS SENSITIVE PERSONAL INFORMATION.
Taken together, these two clauses mean that a customer who uses Drift to collect PHI is in breach of Drift's own terms, and that Drift disclaims responsibility for the result. A company that contractually refuses to handle PHI is not going to sign a BAA, so Drift is not able to provide HIPAA compliant service. The practical caveat for a Covered Entity is that a chat widget collects whatever a visitor types into it: even a generic "contact us" widget on a patient-facing website can end up holding PHI, which would violate both Drift's terms and HIPAA.
Does Drift offer HIPAA Compliant Service?
The Business Associate Agreement (BAA) is a key component of HIPAA compliance between a Covered Entity and a Business Associate. We were able to learn the following about Drift and its stance on HIPAA compliance:
- Drift's Terms of Service classify Personal Data subject to HIPAA, which includes PHI, as "Sensitive Personal Information".
- Drift does not allow "Sensitive Personal Information" to be collected, managed, or processed on its platform, and disclaims liability if a customer does so.
- Drift's site makes no mention of signing a BAA.
Conclusion: Drift is not in the business of providing HIPAA compliant service.