3 min read

Is Auryc HIPAA compliant? (Update 2024)

Kapua Iao February 10, 2022

HIPAA Compliance HIPAA compliant software

Auryc is a customer journey analytics platform that provides organizations with real-time insights. Healthcare organizations might want to use such a platform to better connect and communicate with patients and other healthcare providers. To do so, however, those within the healthcare industry need to work with platforms that are HIPAA compliant.

In the healthcare industry, sensitive protected health information (PHI) must be safeguarded under HIPAA. A major part of this compliance is working with vendors who will sign a business associate agreement (BAA) and ensure the security of PHI. Auryc still does not mention a BAA on its website though there is a note about HIPAA compliance elsewhere. Moreover, Auryc was recently acquired by Heap who does offer a BAA for healthcare clients.

What is Auryc?

Auryc provides customer experience management (CXM) by optimizing customer experiences across the web and mobile environment. It was acquired by Heap.io in 2022 to offer its customers a new type of analytics platform that included Auryc’s Session Replay and Voice of the Customer capabilities. Heap’s products help organizations reach their full customer potential. With Heap and Auryc, organizations get a complete dataset, data science, and qualitative insights.

Features of the new platform include user behavior analysis, 1-click views of user sessions, and feedback collection. This includes every click, swipe, and form submission on an organization’s website. Organizations centralize and standardize customer information to improve and enrich a customer’s journey.

Is Auryc considered a business associate?

HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates (i.e., vendors) of these covered entities. These are entities that perform certain functions or activities on behalf of a covered entity.

A BAA is a written contract between a covered entity and a business associate. It outlines the responsibilities and obligations of each party regarding the handling of PHI. Typical provisions within a BAA include:

Permitted uses and disclosures of PHI
Safeguards for protecting PHI
Reporting and mitigation of security incidents
Compliance with HIPAA regulations
Dispute resolution and termination clauses

The agreement is required by law for HIPAA compliance and is considered the primary item to consider when it comes to Auryc and its ability to be HIPAA compliant. Auryc is a business associate of a healthcare organization if it accesses any PHI within its dataset, like a name.

Auryc and the BAA

Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA. In 2022, before Auryc was acquired by Heap, we could find no mention of a BAA on Auryc’s website. At that time, a web page for Session Replay stated that Auryc was HIPAA compliant, but there was no information about how it achieved that compliance.

That same year, we confirmed that Heap would sign a BAA. According to Heap’s current privacy policy, the company complies with HIPAA. The policy notes that the “processing of [PHI] collected through the use of our Service is done at the direction of our customer who is the ‘covered entity’ or a business associate (as that term is defined by HIPAA), and is governed by the applicable [BAA] between Heap and the covered entity and/or the business associate.”

There is still no mention of a BAA in relation to Auryc. Heap’s BAA is not accessible on its website, so it is unknown if the agreement includes Auryc. Currently, the BAA is only offered for Heap’s Pro and Premier plans and not on its Free and Growth plans.

Auryc (Heap) and data security

Covered entities must consider the administrative, physical, and technical safeguards that a vendor utilizes to protect PHI. To accurately provide customer analytics, management platforms must have access to personal information to facilitate communication. With the increasing importance of data privacy and security, all healthcare business associates who collect, store, or process PHI are subject to HIPAA regulations. Many customer journey platforms are available, but not all meet HIPAA requirements for encryption, data backup, and access controls.

Heap is hosted in a SOC 2 facility with access controls and intrusion detection systems. Within its security web page, the company also mentions employee training and regular third-party audits. Specific cybersecurity features are not listed.

The privacy policy says, “Heap is committed to ensuring all data it receives remains confidential and protected, and that it complies with applicable privacy and security regulations including [HIPAA].” For more information about its safeguards, customers are supposed to contact the company.