HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards. Covered entities and their business associates must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI).
HIPAA compliance has become increasingly complex as more healthcare providers embrace the use of digital tools as part of their business strategy. This includes leveraging analytics platforms to gather valuable information about website visitors.
While these solutions may help boost patient engagement, they can also create new risks for potential HIPAA violations. Along with choosing a HIPAA compliant web host, covered entities should make sure that their analytics tool meets compliance requirements. Let’s determine if Heap is HIPAA compliant or not.
SEE ALSO: HIPAA compliant email
Designed to display every single user interaction, Heap is an innovative analytics platform that reveals hidden opportunities in the customer journey to help companies build a better digital experience. With access to a comprehensive set of behavioral data, companies can gain a stronger understanding of customers and make improvements with the biggest impact.
Any third-party vendor that stores, accesses, or sends PHI is considered a business associate. In order for a third-party vendor to be considered HIPAA compliant, a business associate agreement (BAA) must be signed by both parties.
This is a written document that outlines the obligations of the business associate to keep PHI secure. Without a signed BAA, the vendor cannot be considered HIPAA compliant.
Heap’s privacy policy affirms that the company complies with HIPAA, noting that “the processing of PHI collected through the service is governed by the applicable BAA between Heap and the covered entity and/or business associate.”
Covered entities can contact Heap for more information on how PHI is managed and protected.
Beyond the BAA, data security is another key piece of maintaining HIPAA compliance. Therefore, covered entities should consider the safeguards that a vendor has in place to protect PHI.
According to the company’s security page, Heap is hosted in a SOC 2 facility with strict access controls, professional security, and intrusion detection systems. Employees also undergo security training with ongoing education on industry best practices and third-party audits. All data entering and exiting the infrastructure is encrypted with TLS or HTTPS.
Customers can take further measures to safeguard data through a set of custom controls. These include setting rules for managing and redacting sensitive information and enforcing secondary protections with advanced cookie security.
Heap also provides tools that support compliance with GDPR, CCPA, HIPAA, and other data privacy regulations. Users have the opportunity to disable the capture of IP addresses and geolocations or opt-out of data collection altogether.
Yes, Heap can be made HIPAA compliant with a signed BAA. However, it is the covered entity’s responsibility to ensure that all necessary configurations are made to minimize risks and maintain security standards.
Selecting a HIPAA compliant analytics tool is one piece of the puzzle, but healthcare providers should be taking extra steps to safeguard PHI from every angle with better email security. Built to seamlessly integrate with your current email platform such as Google Workspace or Microsoft 365, Paubox Email Suite enables HIPAA compliant email by default and automatically encrypts every outbound message.
This means you don’t have to spend time deciding which emails to encrypt and your patients are able to receive your messages right in their inbox without having to navigate any additional passwords or portals.
Paubox Email Suite’s Plus and Premium plan levels also include advanced inbound email security tools for more threat protection. Our patent-pending Zero Trust Email feature uses email AI to confirm that an email is authentic, while patented ExecProtect works fast to intercept display name spoofing attempts.