HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards. Covered entities and their business associates must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI).
We know the HIPAA industry is vast and that it is important to work well and communicate with patients while remaining HIPAA compliant.
This is especially true with the recent move toward remote working and the increase in cyberattacks against healthcare. Today, we will determine if Branch is HIPAA compliant or not.
Branch is a leading mobile linking and attribution platform with solutions that unify user experience as measured across different devices, platforms, and channels. It gives users a cross-channel, cross-platform view of everything that impacts a company’s marketing activities.
The platform accomplishes this by integrating with email providers, social platforms, data analytics tools, and ad networks.
Branch and the business associate agreement
A major part of HIPAA compliance is ensuring a business associate will sign a business associate agreement (BAA). A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI.
In this instance, Branch is a business associate of a healthcare organization if it works with any data that includes electronic PHI (ePHI), like a name or an email address. Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA.
According to a Frequently Asked Question, “Branch does not intend uses of the Branch Services to create obligations under [HIPAA] and makes no representations that the Branch Services satisfy HIPAA requirements.” Moreover, it states that “Branch does not enter into Business Associate Addenda because Branch is not subject to HIPAA.”
Data protection and security
While the platform outright states that it is not HIPAA compliant and won’t sign a BAA, it does utilize strong cybersecurity features and is CSA (Cloud Security Alliance) Star certified. Features include:
- Physical security controls
- Virus and malware protection
- Security patch management
- Encryption at rest and in transit
- Security monitoring
Importantly, the company further states that it does not rent or sell personal data. The company notes that it practices data minimization, collecting and storing only the information needed to provide a service. Opt-out options for collected information are available, though customers would have to know about them. Instead, the company provides a web page on how to avoid sending PII (personally identifiable information).
Is Branch HIPAA compliant?
The BAA is a key component of HIPAA compliance and Branch states that it won’t sign a BAA. If a data breach or HIPAA violation occurs and any PHI is accessed, the covered entity is liable.
Branch is not HIPAA compliant.