Monsido is an intuitive platform that audits websites and provides recommendations to help users improve their online presence. Healthcare organizations might want to use such a platform to better connect and communicate with employees, patients, and other healthcare providers. However, they need to work with HIPAA compliant platforms to do so.
Sensitive protected health information (PHI) must be safeguarded under HIPAA in the healthcare industry. A major part of this compliance is working with vendors who will sign a business associate agreement (BAA) and ensure the security of PHI. Monsido does not mention a BAA on its website and may not be HIPAA compliant.
What is Monsido?
In 2024, Monsido was acquired by Acquia, a software-as-a-service or SaaS company that provides products and services for building, delivering, and optimizing digital experiences. Monsido, as a SaaS platform, looks at every word, link, tag, and line of code of a website to point out potential issues. The entire process is automated for ease of use.
Organizations use Monsido as an auditing tool to provide more accurate, more insightful information about a website. By using such a platform as Monsido, organizations can better address issues and discover opportunities to enhance the user experience. Moreover, it can help an organization ensure legal compliance, where needed.
Is Monsido considered a business associate?
HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates (i.e., vendors) of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.
A BAA is a written contract between a covered entity and a business associate. It outlines the responsibilities and obligations of each party regarding the handling of PHI. Typical provisions within a BAA include:
- Permitted uses and disclosures of PHI
- Safeguards for protecting PHI
- Reporting and mitigation of security incidents
- Compliance with HIPAA regulations
- Dispute resolution and termination clauses
The agreement is required by law for HIPAA compliance, and it is the primary factor to weigh when assessing whether Monsido can be HIPAA compliant. Monsido (Acquia) is a business associate of a healthcare organization if it accesses any PHI, such as a name or diagnosis.
Monsido and the BAA
Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA. In a 2022 blog post, we found that there was no mention of a BAA or HIPAA on Monsido’s website. As of January 2024, there is still no mention of HIPAA or a BAA except in Monsido’s glossary of terms. The glossary provides definitions of both terms but there is no mention of either in relation to the company.
Moreover, Monsido has a web page dedicated to healthcare. While cybersecurity features and benefits are listed on the page, information about a BAA is not. Nowhere does Monsido state that it will sign a business associate agreement.
Currently, Acquia offers a BAA for its healthcare Cloud Platform Enterprise and Site Factory customers, though there is no mention of Monsido being included.
Monsido and data security
Covered entities must consider the administrative, physical, and technical safeguards that a vendor utilizes to protect PHI. Healthcare websites function as a source of information, providing services and facilitating communication between patients and healthcare providers. With the increasing importance of data privacy and security, healthcare websites that collect, store, or process PHI are subject to HIPAA regulations.
According to Monsido, it uses strong cybersecurity elements to maintain any personal data it collects. In fact, the company maintains that it utilizes the Google Cloud Platform along with Google’s security features.
Monsido’s privacy policy, however, includes a long list of personal information it accesses and uses, such as a person's name. While Monsido states that it does not collect sensitive information such as “health data,” it does not explain how it avoids collecting such data or how it would protect it if collected.
Is Monsido HIPAA compliant?
The BAA is a necessary component of HIPAA compliance and Monsido still does not mention a BAA on its website. It may be covered on Acquia’s BAA for its Cloud Platform Enterprise and Site Factory customers. This information, however, is not explicit on Acquia’s website.
Conclusion: Monsido may not be HIPAA compliant
Understanding HIPAA compliance
Healthcare providers know that clear and efficient communication with patients is necessary to run a successful practice. When evaluating a platform’s HIPAA compliance, especially on the cloud, consider the following security needs beyond a BAA:
- Technical safeguards: Mitigate the risks posed by cyber threats, hacking, malware, and other security incidents with strong technical safeguards. Tools such as perimeter defenses (e.g., firewalls) and HIPAA compliant email are equally vital for extra protection.
- Employee training: Ensure all staff members have up-to-date knowledge of HIPAA regulations and best practices. Regular training sessions can help prevent unintentional, employee-related breaches.
- Regular audits: Perform periodic assessments of all systems and processes to ensure that they remain compliant. Adapt to any changes in regulations or technology.
- Data access controls: Implement stringent controls, such as multifactor authentication, on who can access PHI and under what circumstances.