Is Integrate.io HIPAA compliant?

ETL platforms, such as Integrate.io, enable organizations to extract data from various sources, transform it into a suitable format, and load it into a centralized location for analysis and reporting. Any platforms that handle healthcare data, such as those used in healthcare analytics, must be HIPAA compliant to ensure the privacy, security, and integrity of the protected health information (PHI) being processed. 

Integrate.io is willing to sign a business associate agreement and appears to be HIPAA compliant.

What is Integrate.io?

Integrate.io is a data pipeline platform that simplifies the Extract, Transform, Load (ETL) process. The platform enables users to extract data from sources like databases, SaaS tools, CRMs, and ERPs. It then transforms the data to comply with data warehouse standards and data governance frameworks. Finally, the transformed data is loaded into a centralized repository for analytics.

It aims to provide a coding and jargon-free environment, enabling businesses to leverage big data opportunities without needing hardware, software, or specialized personnel. Integrate.io offers connectivity to various data stores and provides a set of pre-built data transformation components to facilitate data analysis and preparation. 

Integrate.io and business associate agreement (BAA)

A BAA is a contract between a covered entity (such as a healthcare provider) and a business associate (such as Integrate.io) that defines the responsibilities and safeguards for handling PHI.

On its website, Integrate.io states that it "adheres to the Business Associate's standards and complies with HIPAA in protecting personal health information (PHI). Please contact your Integrate.io representative if you need a Business Associate Agreement (BAA) signed." This representative will provide users with the necessary documentation and guide them through the process.

Related: Best practices to de-identify PHI

Security measures

1. Data encryption: SSL/TLS encryption is used on all its websites and microservices to maintain high-security standards and protect data in transit. Sensitive data, such as connection credentials, is encrypted when "at rest" using industry-standard encryption algorithms.
2. Physical security: Integrate.io's infrastructure is hosted and managed within Amazon Web Services (AWS) data centers. AWS data center operations have certifications and accreditations such as ISO 27001, SOC 1, and SOC 2/SSAE 16/ISAE 3402.
3. Cloud providers: It leverages virtual machines (VMs) hosted in data centers of cloud providers like Amazon Web Services (AWS) and Google Cloud Platform (GCP). These cloud providers have comprehensive security measures and protocols to protect the infrastructure.
4. Network security: Firewalls restrict access to systems from external networks and between internal systems. Default access is denied, and only authorized ports and protocols based on business requirements are allowed. Security groups are used to assign specific firewall rules to systems based on their functions, ensuring appropriate access controls.
5. System security: Operating system access is limited to Integrate.io staff and requires username and key authentication. Password authentication is disabled to prevent password-related security risks. Regular security updates and patch management practices are implemented to protect against vulnerabilities.
6. SOC 2 audit & security penetration test: Integrate.io undergoes an annual SOC 2 audit performed by a third-party security firm. This includes security penetration testing using the latest tools and methodologies. The reports from these audits are available to customers upon request under a signed NDA (Non-Disclosure Agreement).
7. Credit card safety: It does not store credit card information on its servers. Instead, they rely on third-party payment processors like Stripe, which have their own security infrastructure and PCI compliance measures.

Google API services

Integrate.io may use the Google Cloud Storage API to interact with Google Cloud Storage, a scalable and secure object storage service provided by Google. This API allows Integrate.io to store and retrieve data from Google Cloud Storage, which can be helpful in data processing and integration workflows. 

Related: Is the Google Workspace (G Suite) API HIPAA compliant?

Is Integrate.io HIPAA compliant?

Integrate offers on its website: "At Integrate.io, our ETL tool focuses on keeping sensitive information secure while providing all the functionality you need to integrate data." This statement, accompanied by the ability to sign a BAA, leaves the conclusion: 

Conclusion: Yes, Integrate.io is a HIPAA compliant ETL platform.