HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation that, among other things, sets national standards for the privacy and security of protected health information (PHI). Covered entities and their business associates must comply with HIPAA to protect the rights and privacy of patients and their PHI.
We know the healthcare industry is vast and that it is important to work efficiently and communicate with patients while remaining HIPAA compliant.
SEE ALSO: HIPAA compliant email
This is especially true with the recent move toward remote working and the increase in cyberattacks against healthcare. Today, we will determine if FlowMapp is HIPAA compliant or not.
FlowMapp is a user experience tool used to visualize a customer’s experience with an organization. With this and similar products, organizations can centralize and standardize customer information to improve and enrich encounters.
RELATED: What is a customer journey map?
FlowMapp helps organizations design websites, apps, and related products to ensure strong customer relations. Organizations use FlowMapp to create customer stories and capture key moments with a customer to enhance communication.
A major part of HIPAA compliance is ensuring that a business associate will sign a business associate agreement (BAA). A business associate is a person or entity that performs certain functions or activities on behalf of a covered entity that involve the use or disclosure of PHI. In this instance, FlowMapp would be a business associate of a healthcare organization if the organization loaded into it any data containing electronic PHI (ePHI): for example, a patient's name or email address alongside information about their care, appointments, or billing.
Generally, the HIPAA Privacy Rule allows a covered entity to disclose PHI to a business associate only after it obtains satisfactory assurances, in the form of a signed BAA, that the business associate will appropriately safeguard the information.
There is no mention of healthcare, HIPAA, or a BAA anywhere on the FlowMapp website.
FlowMapp’s Security web page states, “Keeping our customers’ data secure is the most important thing that FlowMapp does. We go to considerable lengths to ensure that all data sent to FlowMapp is handled securely.” The web page then lists its security features:
Data in transit is secured with Secure Sockets Layer (SSL) and AES 256-bit encryption. Two caveats apply here: SSL itself is an obsolete protocol, so the claim only carries weight if the service actually negotiates TLS 1.2 or later, with AES-256 being the cipher suite used inside that TLS session rather than a separate layer of protection. And encryption in transit says nothing about encryption at rest, access controls, audit logging, or breach notification, all of which the HIPAA Security Rule expects a business associate to address.
RELATED: What is transport layer security (TLS)?
At the same time, its Privacy Policy emphasizes, “While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.” The Privacy Policy also includes a section on using the remarketing services of Google Ads and Facebook Ads.
SEE ALSO: Are retargeting ads HIPAA compliant?
The company also states that it collects customers’ personally identifiable information (PII) as well as usage data (e.g., IP address).
The BAA is a key component of HIPAA compliance, and FlowMapp does not appear to sign a BAA or offer any safeguards specifically for healthcare organizations. Furthermore, FlowMapp states that it cannot guarantee the security of data on its site.
If a data breach or HIPAA violation occurs and any PHI is exposed, the covered entity that shared that PHI without a BAA in place is liable for the impermissible disclosure.
Conclusion: FlowMapp is not HIPAA compliant.