Paubox blog: HIPAA compliant email made easy

Is FullStory HIPAA compliant in 2023? 

Written by Tshedimoso Makhene | November 30, 2023

FullStory is a digital experience analytics platform whose session replay feature records what users see and do on a website or application. In a healthcare setting that recording can contain protected health information (PHI), so the question of HIPAA compliance is a real one. Based on its security controls and its willingness to sign a business associate agreement (BAA), FullStory is HIPAA compliant, provided the covered entity actually executes the BAA and configures the product so that PHI is masked or excluded from recordings.

What is FullStory? 

FullStory is a digital experience analytics platform that helps businesses understand how users interact with their websites and applications. It provides:

  • Session replay tools that let companies see what users do on their sites.
  • Heatmaps to visualize where users click and scroll most frequently.
  • Conversion funnel analysis.
  • Other analytics features.

The session replay feature is particularly notable. It captures a user's interactions during a website visit, allowing companies to see exactly what users saw, clicked, and experienced. This can be valuable for identifying usability issues, understanding customer behavior, and optimizing the user experience.

FullStory aims to provide comprehensive insight into user behavior so that businesses can improve their digital products, troubleshoot issues, and ultimately improve customer satisfaction.

Is FullStory HIPAA compliant?

FullStory demonstrates a strong commitment to data security through its access control and encryption measures, its audit trail and monitoring capabilities, and its independent attestations and certifications: SOC 2 Type II, SOC 3, ISO 27001 and ISO 27701, along with GDPR alignment.

FullStory's willingness to enter into a business associate agreement (BAA) with covered entities is what allows it to be used with PHI under HIPAA. Based on these factors, FullStory is HIPAA compliant, provided the BAA is actually executed and the product is configured so that PHI is masked or excluded from recordings.

FullStory and business associate agreements (BAAs)

Under the Health Insurance Portability and Accountability Act (HIPAA), a business associate agreement (BAA) is a contract that sets out a third-party vendor's responsibilities when it handles protected health information (PHI). Any vendor whose software or service creates, receives, maintains, or transmits PHI on behalf of a covered entity is a business associate and must sign a BAA before it handles that PHI.

Given FullStory's functionality, which includes product analytics, data capture, and session insights, it would likely be considered a business associate when used in healthcare environments, since a session recording of a patient portal or intake form can contain PHI.

We reviewed FullStory's official documentation to ascertain its commitment to HIPAA compliance. Its privacy help center articles state that FullStory provides a BAA to support customers' respective HIPAA obligations when using its services.

The same privacy help center article on BAAs notes that they "like to have BAAs in place with customers that consider themselves a covered entity under HIPAA."

Go deeper: How to know if you're a business associate

FullStory and data security

FullStory takes data security seriously and implements several measures to protect the information it collects. Here are some key aspects of FullStory's approach to data security:

  • Encryption: FullStory encrypts data in transit and at rest, so recordings are protected both while they travel over the network and while they are stored on FullStory's servers.
  • Access controls: FullStory supports fine-grained control over who can view recorded data. Organizations can set permissions so that only authorized individuals or teams can see specific sessions or fields.
  • Compliance and certifications: FullStory reports a SOC 2 Type II attestation, a SOC 3 report, ISO 27001 and ISO 27701 certifications, and GDPR alignment. These are independent reviews of FullStory's own control set; they indicate a mature security program but do not by themselves make a customer's deployment HIPAA compliant.
  • Privacy controls (masking and exclusion): FullStory can mask or exclude sensitive fields from recordings. For a covered entity this is the control that matters most, because session replay captures what users type and see; fields that carry PHI, such as names, dates of birth, and identifiers, should be excluded or masked before any capture leaves the browser.
  • Data retention policies: FullStory lets organizations configure how long recorded data is kept.
  • Audit trails and monitoring: FullStory provides audit logs so organizations can track who accessed which data and when, which supports the audit control requirement of the HIPAA Security Rule.
  • Continuous security evaluation: FullStory conducts regular security assessments and audits to identify and address vulnerabilities.

Understanding HIPAA compliance

HIPAA compliance extends beyond just technical safeguards and software solutions. When evaluating a tool's or service's compliance, consider the following:

  • Technical Safeguards: while tools like FullStory play a part, other technical measures, such as HIPAA compliant email, are equally vital; a covered entity's compliance depends on every system that touches PHI.
  • Employee Training: ensuring all staff members understand HIPAA regulations and best practices is paramount. Regular training sessions help prevent unintentional breaches.
  • Regular Audits: periodic assessments of all systems and processes ensure they remain compliant and keep pace with changes in regulation or technology.
  • Data Access Controls: strict controls on who can access protected health information, and under what circumstances, are a cornerstone of HIPAA compliance.